https://dvladigital.blog.gov.uk/2013/09/27/view-driving-record-security-matters/

View driving record – security matters

As we have developed the view driving record service, our aim has been to meet our user needs in everything we do. User Insight has been really useful in helping us to understand any privacy concerns our customers may have in using this new electronic service. The straightforward log in process for the view driving record service has been commended by many users:

The log in processes are easy to use. It’s good and straightforward and laid out, you can’t go wrong.

We have also received comments along these lines:

Because personal details are involved I would like to see additional security as well.

As a result, we have taken this user insight and applied it to our development. As we improve the service with each development sprint, additional security measures are built in: some seen, and some behind the scenes, such as audit logging. As part of this process we are actively involved with the GDS Identity Assurance Programme and hope to be one of the early adopters.

It has been highlighted that one of the key challenges is to deliver a digital service so good that people choose to use it, whilst also ensuring that the citizen’s data is afforded the levels of security which are required under Data Protection laws and government security policies. In addition, it’s also what the citizen expects and has become accustomed to. However, whilst the threats and vulnerabilities associated with using the internet are widely known and mostly public, the threat landscape is subject to change, and new vulnerabilities in software and applications emerge on a daily basis. Ensuring we appropriately address these issues, and remain in line with security strategy and legislation, requires close working between the development team, Product Owner, Policy, Technical Architects and security colleagues. The Product Owner and I have certainly learnt a few things about data security and software, including the OWASP Top Ten! It’s the Open Source community’s top ten web application threats, before you ask...

The collaboration with our information assurance team has gone beyond the usual focus on security issues. In this project they participate in the daily stand ups, are involved in the development of the user stories and have provided insight into the look and feel of the web screens. Through this early and continual engagement we are ensuring that government policies and security standards are applied, not just to the web screens the end user will see, but also to the 'behind the scenes' infrastructure. Our aim is not to constrain functionality or usability, but to make sure that sensitive, personal information can only be seen by those who are entitled to do so by law.

If we get this balance right then we will truly ensure we meet our user needs.