Security responsibilities

Your responsibilities

You’ll need to:

  • make sure you follow data protection legislation  

  • maintain your part of the platform – carrying out updates and security patches  

  • conduct security and privacy assessments  

  • use the right security controls for your service as well as the ones we set up for you  

  • secure how people connect to your workloads  

  • log, monitor and prepare for security incidents  

  • fix any security issues you find, such as vulnerability remediation or system patching  

  • collaborate with the Security Operations Centre to work out if they need to support you  

  • do annual penetration tests on every workload or any time you make significant changes  

  • update people’s access rights as they join, move jobs or leave teams  

  • back up your workloads  

  • make sure your own third-party suppliers meet your security standards  

  • follow legislative requirements and best practice, such as NCSC cloud security principles   

  • remove personal information from log files you send to the cloud platform, for example for archiving or sending on to the Security Operations Centre  

  • define and manage user permissions for programmatic access (if you're integrating non-human service accounts)  

  • rotate keys every 60 days (if you're integrating non-human service accounts)

Our responsibilities

The cloud platform team will:

  • conduct security assessments for the platform  

  • set up some baseline security controls  

  • do security monitoring and alerting for the platform  

  • facilitate access to the Security Operations Centre to share log files  

  • give you a centralised identity provider for the platform  
