Summary of engineering standards’ requirements

SEGAS-00001 Writing a standard

Last updated: 4 August 2023

• A standard MUST have an ID
• A standard MUST have a Title
• A standard MUST have a Description
• A standard MUST have one or more Requirements
• A standard MUST have Tags
• A standard MUST show when it was Last Updated

SEGAS-00002 Writing a principle

Last updated: 4 August 2023

• A principle MUST have a title
• A principle MUST have a description
• A principle MUST have a rationale
• A principle MUST state expected applications and implications
• A principle MUST have tags
• A principle MUST show when it was last updated

SEGAS-00003 Minimal documentation set for a product

Last updated: 14 March 2024

• Product documentation MUST include a description of the product and what it is for
• Product documentation MUST include key architectural views
• Product documentation MUST include a decision log
• Product documentation MUST include runbooks for expected tasks
• Product documentation MUST include information about observability
• Product documentation MUST include build, release and deployment processes

SEGAS-00004 Open source licensing

Last updated: 24 May 2023

• Open source repositories MUST contain a licence file
• Open source repositories MUST have a licence that adheres to the Open Source Definition
• Open source repositories MUST state who owns the copyright

SEGAS-00005 Infrastructure as code

Last updated: 3 August 2023

• Infrastructure definitions MUST be stored as code
• Infrastructure definitions MUST be validated
• Secrets MUST NOT be stored in infrastructure definitions
• Source management best practices MUST be followed for infrastructure definitions

SEGAS-00006 Managing secrets

Last updated: 8 August 2023

• Secrets MUST be generated in accordance with the Home Office Password Policy
• You MUST only store secrets in an approved secret management system
• You MUST proactively manage access to secrets
• You MUST implement secret scanning
• You MUST ensure that secrets are not exported into monitoring systems
• You MUST document how secrets are managed
• You MUST monitor the usage of secrets to identify suspicious behaviour
• You MUST have a response plan ready to enact if you have an incident

SEGAS-00007 Managing the security of software dependencies

Last updated: 8 September 2023

• You MUST assess the security of external components before introducing them into software designs
• You MUST maintain a discoverable dependency tree for your systems
• You MUST proactively identify vulnerabilities in dependencies with scanning and other tools
• You MUST regularly update, replace and remove dependencies

SEGAS-00008 Accessibility

Last updated: 8 September 2023

• Products MUST be developed to meet the Home Office Accessibility Standard

SEGAS-00009 Signing code commits

Last updated: 8 September 2023

• All code commits MUST be cryptographically signed by the author of that commit
• All Source code repositories MUST require all commits be signed

SEGAS-00010 Encrypting data at rest and in transit

Last updated: 8 September 2023

• Data at rest MUST be encrypted
• Data in transit MUST be encrypted
• Cryptographic keys MUST be protected

SEGAS-00011 Infrastructure utilisation monitoring

Last updated: 20 September 2023

• Infrastructure MUST be observable relative to defined service level expectations
• CPU utilisation MUST be observable
• Memory utilisation MUST be observable
• Disk utilisation MUST be observable
• Network utilisation MUST be observable
• Historical infrastructure monitoring metrics MUST be retained for analysis

SEGAS-00012 Low code workflow naming

Last updated: 15 November 2023

• Naming conventions MUST be consistent
• Acronyms or uncommon abbreviations MUST be defined in a central or project glossary
• Workflow, action step and scope block names MUST be descriptive and convey the purpose or objective
• Workflow, action step and scope block names MUST begin with a verb to describe the function, followed by the subject of the verb
• Words in a workflow name MUST be separated by a space where possible
• Scope blocks that are used for error handling MUST be prefixed with the word ‘Try’ or ‘Catch’

SEGAS-00013 Developer Testing

Last updated: 5 January 2024

• You MUST test early and often
• You MUST automate tests
• You MUST make tests repeatable
• You MUST have a way of measuring the effectiveness of testing
• Tests MUST have a purpose and explicit result
• You MUST think about the edge cases

SEGAS-00014 Service reliability

Last updated: 26 April 2024

• Service reliability MUST be observable relative to defined service level expectations
• Service MUST be tolerant to expected and unexpected failure of a data centre
• Service MUST be tolerant to expected and unexpected failure of physical or virtualised hardware as well as network
• Service MUST be tolerant to expected and unexpected failure of upstream services such as databases
• Service MUST be sized appropriately for normal operations and MUST be able to automatically scale as appropriate based on metrics
• Service MUST be able to handle requests to protect the overall service
• Service MUST be able to tolerate expected load
• Service MUST be able to tolerate expected stress
• Service MUST be soak tested