Security Practice
Security at CDS is not a separate workstream. It is embedded in how every engagement is delivered — present from the first conversation, built into every sprint, and maintained after go-live.
This page describes the security practices that apply across all CDS engagements. The Cloudflare page covers Cloudflare-specific security implementation. The Architecture page covers the architectural principles that inform security decisions.
What we mean by secure by design
Secure by design means security decisions are made at the start, not retrofitted at the end. In practice:
- Threat modelling happens before architecture is finalised, not after
- Security requirements are defined alongside functional requirements
- Secure defaults are applied from the first deployment — CSP headers, proper authentication, secrets management
- Dependencies are kept current throughout delivery; dependency updates are not deferred
- Security validation is continuous, built into the CI/CD pipeline, not a gate at the end
- Edge protection is designed as part of the platform, not added afterwards
Security decisions made late in a project are expensive to fix and easy to get wrong. The cost of getting it right from the start is lower than the cost of remediation.
Non-negotiables on every engagement
Regardless of stack, client, or pillar, these apply across all CDS delivery:
- Secrets managed through proper vaulting — never in code or configuration files
- Access controlled through least-privilege principles
- Automated security checks in the CI/CD pipeline
- Data classification informing how and where information is stored and transmitted
- WCAG 2.2 AA accessibility compliance on all public-facing services
For public sector clients, we align with the NCSC Cloud Security Principles and design systems that support the shared responsibility model for cloud services.
Certifications
CDS holds the following certifications. These are verified on a renewal cycle — confirm current status with the commercial team before citing in a bid or client document.
| Certification | Scope |
|---|---|
| ISO 27001 | Information security management |
| ISO 9001 | Quality management |
| ISO 20000:2018 | IT service management |
| ISO 22301 | Business continuity and resilience |
| Cyber Essentials Plus | Enhanced (independently verified) |
Personnel security
All CDS staff hold BPSS clearance as a minimum. SC-cleared team members are available for engagements requiring enhanced clearance. NPPV and DV clearance is available where the client requires it — confirm availability with the resourcing team before committing in a bid.
Working with public sector security standards
For public sector engagements, the key frameworks are:
NCSC Cloud Security Principles — fourteen principles covering data protection, identity and authentication, supply chain security, and operational security. Our cloud architecture assessments are structured against these principles.
NCSC Zero Trust Architecture principles — the reference framework for Zero Trust design decisions. See the Cloudflare page for how we implement Zero Trust in practice.
Cyber Assessment Framework (CAF) — relevant to clients operating as critical national infrastructure or under NIS regulations. CDS's security practice is aligned with CAF guidance where applicable.
Government Service Standard — several points in the standard have direct security implications. See the Government Service Standard page.