10. Security is everyone’s responsibility
Last updated: 18 June 2025
All members of the team, not just technical people, should collaborate to consider the security of the application or service they are delivering. Everyone should understand how their own behaviours affect the security of Ofqual. Understand the value of the asset you are engineering and your threat context, and implement security to mitigate specific risks or threats. Work with security teams to make decisions, so that controls are implemented for appropriate reasons and enable services that are both usable and secure.
Rationale
Engaging with wider security communities, and integrating security thinking throughout the software delivery lifecycle, shortens feedback loops in teams. This allows concerns to be remediated more efficiently once they are identified. Teams that are collectively conscious of security, and embed security people when necessary, are more effective at implementing appropriate threat reduction measures.
An understanding of the security aspects of team and personal behaviours - beyond core engineering activities - deepens Ofqual’s defence against the wide range of attacks threat actors are prepared to use.
We build and operate systems in our own threat landscape, with particular threats to consider, including motivated, well-funded and well-organised threat actors. These threats require effective defences. Security features require effort to implement and maintain. Overly restrictive security controls incur unnecessary cost and can drive unintended and unwanted behaviour, such as users working around the control rather than with it.
Security controls that are designed to mitigate understood risks are easier to test and measure for their effectiveness. It is important to implement security features that deliver valuable counters to threats, are balanced with user needs and facilitate the ongoing operation and iteration of our services.
Applications and Implications
- Use threat modelling techniques to understand the landscape and actors. This will help to identify threats and risks against your architecture holistically, including shared capabilities or services
- Test security features with users to minimise potential negative impacts on user experience
- Consider the cost vs benefit of proposed controls
- Implement and contribute to the security standards by collaborating with security teams
- Use and implement Multi-Factor Authentication (MFA) wherever proportionate
- Put your security ‘hat’ on - think like an attacker to assess security
- Seek out continuous professional development and attend relevant training on security
- Keep the whole team involved in discussions on security - all disciplines can have a positive impact on how security is embedded in your services
- Practise sensible personal operational security to mitigate attacks on Ofqual personnel, for example social engineering attacks
- Collaborate with Ofqual cyber security team members, and other delivery teams, to understand available security capabilities and share things that might be reused