Service Owner Responsibilities
Summary
This document sets out the security responsibilities you have as the person ultimately responsible for a bespoke technology or digital service (“the technology owner”) in the Ministry of Justice (MoJ).
The list of items below can look intimidating at first glance. However, depending on the nature of your service or technology, some of these items might be quite small.
Every MoJ Service shall have an identified person responsible for performing each of the activities listed below.
One person may be responsible for multiple items, provided they have the appropriate skills and training to perform each duty satisfactorily. The Product or Service Owner is responsible for ensuring these activities are allocated and carried out.
Whilst these activities might be performed by a supplier or sub-contractor as part of delivering the service, as Product or Service Owner you remain responsible for ensuring that contract(s) require your supplier(s) to perform these activities in accordance with MoJ Security Policies.
The activities do not necessarily need to be performed within your team – for example, you might ‘outsource’ them to another area such as the Justice Digital Security Operations Centre. You remain responsible for ensuring there is a clear understanding of who is doing what in these relationships.
Activities
Security Risk Management
Ensuring that security risks in the service are managed in accordance with wider departmental policies and escalated as necessary to senior management.
This also includes ensuring that there is a security improvement plan to address any risks and vulnerabilities that emerge in the service.
Secure Configuration
Establishing and implementing default secure configurations for all aspects of the service (for example endpoints, platforms, services, and containers) and ensuring these always remain current and in-place.
Asset Management
All IT assets used in the delivery of the service shall be tracked in an asset management solution, which shall be routinely checked for accuracy.
ID and Access Management
Regularly reviewing and ensuring user access and permissions for the service are appropriate and limited to authorised users only (including general user and privileged accounts). Ensuring that robust processes are in place for joiners, movers and leavers (JML) End or change of employment - MoJ Security Guidance.
Security Maintenance
Undertaking regular (automated) activities to ensure the service remains secure – such as regular patching and review.
Development Security
Undertaking regular (automated) activities to ensure the service remains secure – such as regular patching and review.
Threat and Vulnerability Management
Threat and Vulnerability Management - Activities taken to ensure the service remains protected against vulnerabilities, through vulnerability scanning, and remedial actions.
This also includes ensuring that all product teams understand their security dependencies on third parties, and have effective measures in place to deploy mitigations swiftly as required when new threats emerge.
Security Testing
Organising routine and exceptional testing of security controls within the service to ensure they are continuing to function effectively.
Cryptographic and Secrets Management
Where relevant, issuing, managing, and revoking cryptographic credentials via Public Key Infrastructure (PKI). Also, management of shared secrets where required.
Event Detection Activities
Undertaking specific activities to uncover security-relevant events across the service; including operating canary tokens, honeypots, threat hunting, data loss prevention, network monitoring, SaaS security monitoring, and shadow IT detection as applicable.
Event Source Management and Maintenance
Ensuring the service is routinely providing agreed security monitoring events to a security event detection solution.
Incident Management and Response
Developing security incident playbooks, supporting security incident triage; and Data Protection incident investigations, response, and handling to ensure security events cause minimal harm to the organisation, and that evidence is captured for any wider analysis. For more information, refer to the Report a security incident guidance.
Supply Chain Security and Assessment Management
Assessing the suitability of third-party suppliers of the service. Ensuring that the product team understands and undertakes their specific respective security roles and responsibilities with the supplier with respect to the security of the service.
Backup and Recovery
Ensuring all critical information within the service is backed up regularly; the backups are tested regularly, and the service can be completely recovered in the event of a security incident.
Data Protection
Ensuring systems processing personal data are compliant with the Department’s Data Protection policy and relevant Acceptable Use Protocols for secure processing, transfers, and storage of personal data. Any data protection risks in relation to confidentiality, integrity or availability of personal data have remediation plans in place.Data Protection - Ministry of Justice HQ Intranet.
Adherence to Policies
Putting in place explicit processes for governance and compliance of security policies, for example how to monitor, report, and maintain compliance.
Secure Use of the Service
Supporting and educating users on how they access and use your service securely. This is context-dependent and might be as simple as ensuring that in-built user guidance helps explain security concepts in your service. For complicated end-user services, this might require eLearning or other targeted training. If you provide a platform, this might involve specific guidance for other services built on it, to explain their security responsibilities.
More Information
For assistance, please contact your local cyber consultant in the first instance. For queries on policy and guidance email security@justice.gov.uk