Permalink
Fetching contributors…
Cannot retrieve contributors at this time
39 lines (27 sloc) 2.45 KB
---
title: Understand the risks to your service
last_reviewed_on: 2018-10-18
review_in: 6 months
---
# <%= current_page.data.title %>
When you build, maintain or change your service you must have a clear understanding of any associated risks because they will impact your service design and affect your users.
You should work with the [GDS Information Assurance (IA)][] to design appropriate solutions to your service’s risks. IA may need to obtain risk acceptance from your Senior Information Risk Owner (SIRO), for example if your service needs offshoring approval.
The Service Manual has some recommendations that can reduce risk to your service, for example how to:
* [protect against fraud][] when you design and manage your service
* [secure your information][] if you handle ‘official’ classified data
## Model security threats
[Modelling threats][] can help you gain a clearer understanding of threats against your service. GDS uses [Attack Tree][] development workshops to model threats. Any workshops you run should cover all potential [attack vectors][].
The Cyber Security team can provide guidance and help facilitate an Attack Tree workshop. Contact Cyber Security using the [#security Slack channel][] or by email using [security-team@digital.cabinet-office.gov.uk][].
## Further Reading
The [National Cyber Security Centre (NCSC)][] provides guidance about cybersecurity. The Service Manual has advice about [securing your information][] and [securing your cloud environment][].
[GDS Information Assurance (IA)]: https://sites.google.com/a/digital.cabinet-office.gov.uk/gds/operations/information-assurance
[protect against fraud]: https://www.gov.uk/service-manual/technology/protecting-your-service-against-fraud
[secure your information]: https://www.gov.uk/service-manual/technology/securing-your-information
[Modelling threats]: https://www.owasp.org/index.php/Application_Threat_Modeling
[Attack Tree]: https://en.wikipedia.org/wiki/Attack_tree
[National Cyber Security Centre (NCSC)]: https://www.ncsc.gov.uk/
[security-team@digital.cabinet-office.gov.uk]: mailto:cyber-security@digital.cabinet-office.gov.uk
[#security Slack channel]: https://gds.slack.com/messages/CADAHQY69/#
[securing your information]: https://www.gov.uk/service-manual/technology/securing-your-information
[securing your cloud environment]: https://www.gov.uk/service-manual/technology/securing-your-cloud-environment
[attack vectors]: https://searchsecurity.techtarget.com/definition/attack-vector