|
| 1 | +# Secure Engineering CoP (Community of Practice) |
| 2 | + |
| 3 | +This is part of a broader [quality framework](../README.md) and is one of a set of [communities of practice](../communities-of-practice.md) |
| 4 | + |
| 5 | +## Subject |
| 6 | + |
| 7 | +Secure Engineering practices, tools & approaches within NHS Digital. |
| 8 | + |
| 9 | +## Sponsor |
| 10 | + |
| 11 | +(TBC who) |
| 12 | + |
| 13 | +## Goals |
| 14 | + |
| 15 | +For secure development and operation of systems: |
| 16 | + |
| 17 | +* **Share** knowledge: |
| 18 | + * Provide advice and guidance as requested |
| 19 | + * Facilitate good practice discussions, and curate relevant principles, practices and patterns within the [Software Engineering Quality Framework](../README.md) |
| 20 | + * Curate relevant Training Pathways within the [Software Engineering Quality Framework](../README.md) |
| 21 | + * Curate relevant section(s) within the [Software Engineering Review Tool](../review.md) |
| 22 | + * Provide supplementary learning in relevant areas (e.g. workshops) |
| 23 | + * Discuss, disseminate and feedback on the output of the Cyber Design Authority |
| 24 | +* **Build** knowledge: |
| 25 | + * Organise learning events (e.g. guest speakers) |
| 26 | + * Organise events to practice security (e.g. security jams) |
| 27 | + * Evaluate candidate security tools |
| 28 | + * Form mini-groups to respond to "how do I..." questions from teams - generating examples in the [Software Engineering Quality Framework](../README.md) |
| 29 | + |
| 30 | +Goals to be reviewed after 3 months |
| 31 | + |
| 32 | +## Scope |
| 33 | + |
| 34 | +Areas of interest are specifically: |
| 35 | + |
| 36 | +* Secure development & operations practices |
| 37 | +* Security good practice |
| 38 | +* Automated security-testing tools, for example tools to scan for secrets or other sensitive data |
| 39 | + |
| 40 | +## Coordinator |
| 41 | + |
| 42 | +* Initially: |
| 43 | + * There will be a faciliator group, comprising of a representative from each of the member NHS Digital directorates (DSC, Product Development, Platforms, Security Architecture) |
| 44 | + * The group will self-organise who faciliates individual sessions & activities |
| 45 | +* Once the community is established: |
| 46 | + * This will be a rotating post on a 3-month basis, requiring a commitment of one day per week |
| 47 | + * The coordinator will run a blog to help publicise the activity of the group |
| 48 | + * There will be a deputy coordinator (to cover sessions when the coordinator is away, etc). They will also typically take over as coordinator for the following 3 months. This gives the group continuity. |
| 49 | + |
| 50 | +## Members |
| 51 | + |
| 52 | +* This group will span NHS Digital and include representatives from DSC, SSS, and delivery teams |
| 53 | +* If possible, this group will also include external (to NHS Digital) subject-matter experts |
| 54 | +* Core members should be kept to under 15, to promote interactive sessions |
| 55 | +* Should include a mix of backgrounds including members of the Data Security Centre and team members with no Security qualifications |
| 56 | +* Should include people from a representative spread of teams / directorates |
| 57 | +* Can join as representatives from a specific team, or as "interested parties" |
| 58 | + |
| 59 | +## Format |
| 60 | + |
| 61 | +* The group's official home is (TBC - where) |
| 62 | +* This includes a Backlog |
| 63 | +* Any member can contribute to the backlog. This could be show-and-tells of tools or approaches; queries about how to do something; curation of a principle; talking about an organisation-wide policy; etc. |
| 64 | +* The group meet regularly (TBC - how frequently) to refine the backlog, and talk through items |
| 65 | +* The group will also organise and facilitate other meetings, such as training workshops, hack-days, etc, which will be open to a much wider audience. |
| 66 | +* The group will maintain a discussion channel (TBC - where) open to all of NHS Digital: for advice and guidance, and wider knowledge sharing |
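Review bot: The directorate lists in the Coordinator and Members sections do not agree: Coordinator says the facilitator group draws "a representative from each of the member NHS Digital directorates (DSC, Product Development, Platforms, Security Architecture)", while Members says the group spans "DSC, SSS, and delivery teams"; please align the two and expand the acronyms (DSC, SSS) on first use so readers outside those directorates can follow. Spelling in the Coordinator section: "faciliator" and "faciliates" should be "facilitator" and "facilitates", and "comprising of" should be "comprising"; in Format, "The group meet regularly" should be "meets"; in Goals, "feedback on" as a verb should be "feed back on". Four "TBC" placeholders remain (sponsor, official home, meeting frequency, discussion channel); consider tracking them as follow-up items so the charter does not merge with an unnamed sponsor and no agreed venue.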