Scottish Government embracing security by design for ScotAccount

Digital information security officer, Laurie Brown, has detailed how the Scottish Government is adopting a ‘security by design and default’ principle for its digital ID service, ScotAccount.

Posted 23 May 2024 by Christine Horton

Security by design and default requires having in place both proactive security measures to protect information from cyberattack and reactive capabilities to respond to and limit the impact of cyberattacks, he said. To do this, Brown uses guidance from the National Cyber Security Centre (NCSC) on risk management and wraps this with robust security governance and assurance.

“I created a methodology to support my security by design and default principle several years ago, which ScotAccount robustly follows. This methodology aligns with the recently published UK Government Secure by Design Framework, and ensures effective proactive security measures and reactive capabilities are embedded in the delivery and running of ScotAccount. This helps meet people’s expectations of how they want to interact with government, securely and in a manner which protects their privacy,” said Brown in a blog.

Security governance

Brown also turns to the NCSC for guidance on security governance. He said that, to ensure ScotAccount’s security governance has the right people, structures, and risk management processes in place, he recruited a team with security expertise to help deliver the security by design and default principle and methodology.

He has set up a security and privacy governance board to provide oversight of the security programme. He said he also implemented an agile way of working across the security, user-centred design, and product teams to delegate and support rapid risk-based decision making and change management. 

Security assurance

As ScotAccount reaches the latter stages of its Beta phase, Brown said “the ‘extrinsic assurance’ mechanism as defined in the NCSC model is being given extra focus, through increased efforts around external compliance and certification assessment including the UK Government GovAssure scheme. Independent security assessments have already been completed on ScotAccount’s approaches to authentication quality and verification confidence, with full Medium level compliance in place.”

ScotAccount is also examining whether compliance with the UK Government digital identity and attributes trust framework would help support potential future interoperability with the GOV.UK One Login service.
