3.4.1.1 Choose the right level of security

Choose proportionate security to control and monitor your technology programme. Security should protect your information technology and digital services, and enable users to access the data they need for their work. GovStack offers specific guidance for designing a secure system.

Steps

1. Evaluate the sensitivity of the data you're handling.

2. Based on the evaluation, choose appropriate encryption methods and robust user authentication systems. Use the OWASP Cheat Sheet Series as a guide:

   • Authentication Cheat Sheet: This provides guidance on implementing secure authentication systems, which is a fundamental aspect of security.

   • Session Management Cheat Sheet: This covers the best practices for handling user sessions securely.

   • Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet: CSRF is a common web application vulnerability that your users should be aware of.

   • Cross-Site Scripting (XSS) Prevention Cheat Sheet: XSS is another common vulnerability, and this cheat sheet provides guidance on how to prevent it.

   • Transport Layer Protection Cheat Sheet: This covers how to use SSL/TLS, which is vital for encrypting data in transit.

   • Input Validation Cheat Sheet: Input validation is an essential measure for preventing many types of attacks.

   • SQL Injection Prevention Cheat Sheet: SQL Injection is a common and dangerous vulnerability, and this cheat sheet provides guidance on how to prevent it.

   • HTML5 Security Cheat Sheet: If your users are using HTML5, this cheat sheet covers many of the new security considerations that come with it.

3. Implement the security measures in your system.

4. Test and adjust the security measures to ensure they provide the needed protection without overly impeding usability.