Security clearance on government projects: Our experts share their experience
Over the years, we’ve worked on several high-security projects in government and the public sector.
These environments demand a high level of confidentiality and discretion and sometimes pose complex security clearance challenges.
Security clearance and why it’s important
Our staff go through rigorous vetting procedures known as ‘security clearance’, which allows them to work on projects that involve sensitive or national security information. This comes in many different levels, including security checks (SC), enhanced security check (eSC) and developed vetting (DV).
“We know what needs to be done to make it easier for the client”
Before we start, we understand the security classification of the projects and adapt our approach accordingly.
Through our experience, we’ve developed processes and approaches that keep us, our clients and their information secure — without compromising on the quality and whilst still ensuring we achieve successful outcomes.
Below, our experts share some of this best practice to give you an idea of how we approach sensitive projects.
Adapt to the client’s ways of working
When you’re working on a project that requires security clearance, you’re almost working as an employee of that organisation — you adapt to their ways of working and the tools that they provide. For example, certain projects require us to not store things outside the customer’s systems, including in Zaizi domains. We’ll ask for an email address with the client and we might use their storage platforms. This can sometimes extend to physical devices. Instead of Zaizi laptops, we’ll use the client’s devices to access certain things. We know what needs to be done to make it easier for the client and ensure we adhere to their security standards.
– Business analyst, Zaizi
Practice ‘secure by design’
Those with malicious intent who want to break into a big organisation may look for the weakest link, so as a digital supplier we have to be vigilant. That’s why it’s important to design security into your products and services.
To protect our clients and our client security, we follow the International Organization for Standardization (ISO), the gold standard for making sure your organisation follows a defined set of practices and processes. It’s a framework based on a risk strategy – you identify risks, which helps you understand the threats that come with those risks, and learn how to mitigate against them.
It helps you build processes to deal with change – which could be change requests to products or services – or to deal with incidents, such as breaches or errors.
– Information security officer, Zaizi
Take care as you transcribe
There is a lot to take into account when you’re doing user research on high-security projects. One thing to be concerned about is leakage — it’s very easy for people to let important things slip during audio recordings. Numbers, for instance, can often be very politically sensitive.
That’s one reason that I often transcribe by hand. It’s a lot harder to sanitise a recording, you’d have to go through it and bleep out all the bad bits. Transcribe by hand and then you can clear it yourself. As you go back and review, you can make a judgement call on the things that you already know you need to remove.
– Service designer, Zaizi
Be flexible with your tools
These days we work remotely, which means that we use a lot of online collaboration tools. There are certain tools that we won’t use because of where the data is hosted or where the tools are developed, and we can’t trust them to be secure. Ultra secure UK government entities have criteria and guidance on which tools are appropriate. So it’s important to always be on top of the latest guidance to ensure we use the appropriate tools.
– Business analyst, Zaizi
Make sure all confidential research is watertight
We handle research data in a way that is secure and ethical. This means storing our research notes and any recorded audio or video in client-approved applications that fit with their security policies. We also anonymise research data where possible, removing personal identifiers such as participants’ names.
At the start of each research session, we reassure our participants that views expressed are kept confidential and handled appropriately. This helps them be open with us and express their honest feedback about how things are working. It also enables them to be critical of their employer and the current status quo, without fearing negative consequences.
– User researcher, Zaizi
Share learning – but confidentially
When you’re working on projects that require security clearance, it can be harder to share things that we learned internally. At Zaizi we run lunchtime sessions to showcase work we’ve been doing with a client — talking about our outputs, ways of working, highlighting the skill sets we used.
These sessions are useful — there’s a lot of knowledge at Zaizi and sometimes you want to hear things from outside the team. Are there things that we have missed? Are there certain skill sets we could have made use of – for instance, someone might say: “Did you have a UX person on board?”
Understandably, it’s tougher to organise these sessions for high-security projects, but we have special sessions for staff with security clearance so we can still discuss our work in the abstract and get wider feedback.
– Business analyst, Zaizi
Keep your conversations private
When you’re working on security-cleared projects, you need to be very aware of your surroundings – who can see your screen, who can hear the conversations you’re having – because you may be discussing sensitive information. Before Covid, this mostly meant you were careful not to discuss confidential information on the rare occasion you needed to take an urgent call in a public space, such as on the train.
But during Covid, we’ve all been remote working, and this adds some challenges. You might be working in your home where you have a partner or housemates, so you need to be careful what you talk about. You can’t leave sensitive information lying around. There are certain techniques to help you keep information confidential.
On a call I always use headphones, so I’m not projecting the output to a room. If I’m working outside of an office environment I’ll use a privacy screen to hide what is on my laptop. A lot of it is using your common sense and being aware of your surroundings.
– Delivery manager, Zaizi
Be prepared to work without your equipment
In cases where the project is very sensitive, we work in “clean rooms”. These are sealed spaces in which personal or company equipment isn’t allowed. So we can’t use our personal phones, or Zaizi phones or laptops, and all equipment is supplied by the client. In some cases, it’s best to resort to pen and paper.
Service designer, Zaizi
Work with the client to keep data secure
We are driven by client requirements concerning data, and we ensure our clients’ data and information security are being met, if not exceeded. We have a lot of experience building solutions that gather data and ingest it into a client’s existing secure infrastructure.
To do this, we work with a combination of service providers and cloud providers, and leverage clients’ existing secure infrastructures. For example, some clients may already have secure data centres. If we’re developing a service for a client, we’d use their secure platforms rather than create something from scratch.
– Cloud engineer, Zaizi
Flag sensitive emails
As we work with the UK government, we adhere to its security classification scheme. This means that if we’re sending sensitive information to someone else in the department, we apply the correct security classification to make sure the recipient knows the material is sensitive.
All internal government communications are ranked official. But there is a security classification that is ‘official sensitive’ – it’s a handling instruction you add into the subject of an email. There are different kinds of these instructions you can use to let the receiver know what you’re sending is sensitive, and what about it is sensitive.
Delivery manager, Zaizi
For more information, read our blog on how we embed security from the start on all our projects for Digital Transformation Weekly.
Related content
-
Bringing an SME perspective to government’s Code of Practice for Software Vendors
-
How to design thoughtful and secure cross domain workflows
-
What is a cross domain workflow and why does it matter?
-
Artificial intelligence: threats and opportunities in national security