This article provides additional information on how you can meet the requirement for the CAF control – B4.a Secure by Design.
Security Built Into System Design
- Network and information systems should be designed with security built in from the outset.
- Security architecture decisions should consider how threats could impact essential services, following the principles defined in the organisation’s Application and Network Security Policy.
- Structured Security Design Principles should be applied whenever systems are planned or modified.
Security Zones and Network Boundaries
- The environment should be partitioned into security zones, ensuring systems that support essential functions operate in tightly controlled, highly trusted segments.
- Clear network boundaries should be defined and managed to minimise attack surface.
- Data flows between components should remain simple, predictable and easy to monitor.
Designing for Recoverability
- Systems supporting essential functions should be designed for recoverability to allow critical services to be restored quickly.
- Where external or client-supplied inputs are processed, safeguards such as the following should be implemented to mitigate content-based attacks:
  - validation
  - transformation
  - sanitisation
Automated Technologies
- If automated decision-making technologies are used, appropriate restrictions should be applied to prevent unintended actions that could compromise the security or resilience of essential systems.
Maintaining a Secure Architecture
- A secure-by-design approach helps ensure that no single vulnerability or architectural weakness can materially impact the services delivered.