Merge pull request #895 from alphagov/intro-more-standards-security

Mission statement clarification, standards refs

Dockerfile

@@ -1,16 +1,18 @@
-FROM ruby:2.7.6-buster
+FROM ruby:3.1.3-buster
 
 EXPOSE 4567:4567
 EXPOSE 35729:35729
 
 WORKDIR /usr/src/gems
 
 COPY ./Gemfile /usr/src/gems
+COPY ./Gemfile.lock /usr/src/gems
 
 RUN apt-get update && apt-get install -y nodejs
 
-ENV BUNDLE_FORCE_RUBY_PLATFORM=true
-RUN bundle check || bundle install
+RUN bundle config set force_ruby_platform true
+RUN bundle install
+RUN bundle check
 
 WORKDIR /usr/src/docs
 

README.md

@@ -43,11 +43,23 @@ to update the GDS Way.
 
 To preview or build the website, we need to use the terminal.
 
+You can use the Dockerfile provided:
+
+```
+docker build . -t gds-way
+docker run --rm -p 4567:4567 -p 35729:35729 -v $(pwd):/usr/src/docs -it gds-way
+```
+
+Otherwise, the following steps will get Middleman running locally.
+
 #### Install Ruby and Bundler
 
 Install Ruby with Rubygems, preferably with a [Ruby version manager][rvm],
 and the [Bundler gem][bundler].
 
+A [.ruby-version](./.ruby-version) file is provided for use with [rbenv][].
+If you update it, please update the [Dockerfile](./Dockerfile).
+
 #### Clone the repository
 
 Clone the repository using:
@@ -161,6 +173,7 @@ The documentation is [© Crown copyright][copyright] and available under the ter
 of the [Open Government 3.0][ogl] licence.
 
 [rvm]: https://www.ruby-lang.org/en/documentation/installation/#managers
+[rbenv]: https://github.com/rbenv/rbenv
 [bundler]: https://bundler.io/
 [mit]: LICENCE
 [copyright]: https://www.nationalarchives.gov.uk/information-management/re-using-public-sector-information/uk-government-licensing-framework/crown-copyright/

source/index.html.md.erb

@@ -1,5 +1,4 @@
 ---
-layout: core
 title: The GDS Way
 ---
 
@@ -30,15 +29,13 @@ title: The GDS Way
 </ul>
 <% end %>
 
-<div class="page-banner">
-    <p><strong>The GDS Way and its content is intended for internal use by the GDS and CO CDIO communities.</strong></p>
-</div>
-
 # <%= current_page.data.title %>
 
-The GDS Way documents the specific technology, tools and processes that Government Digital Service (GDS) and Cabinet Office Chief Digital and Information Office (CO CDIO) teams use to build and operate services.
+The GDS Way guides teams to build and operate brilliant, cost-effective digital services.
+
+It documents the specific technology, tools and processes that Government Digital Service (GDS) teams use.
 
-It's not intended as guidance for anyone working outside GDS or the CO CDIO - you'll find that in the [Service Manual](https://www.gov.uk/service-manual).
+It's not intended as guidance for anyone working outside GDS (though some other Cabinet Office teams use it too) - you'll find that in the [Service Manual](https://www.gov.uk/service-manual).
 
 ## About The GDS Way
 
@@ -57,11 +54,12 @@ The GDS Way includes consistent:
 * technology and tools
 * measures
 
-All decisions are made in alignment with [Service Manual](https://www.gov.uk/service-manual) which covers service design more broadly.
+All decisions are made in alignment with [Service Manual](https://www.gov.uk/service-manual), which covers service design more broadly, and the [Technology Code of Practice](https://www.gov.uk/guidance/the-technology-code-of-practice).
 
 Products at GDS in discovery or alpha development phases must follow [agile delivery principles](https://www.gov.uk/service-manual/agile-delivery) and also have the option to follow the standards in this repository.
 
 Products in beta and live phases must follow both the instructions set out in the Service Manual and the standards in this repository.
+They must be [secure by design](https://www.security.gov.uk/guidance/secure-by-design/).
 
 ## How to add new guidance
 

source/layouts/custom.erb

@@ -1,6 +1,6 @@
 <% wrap_layout :layout do %>
   <div class="page-banner">
-    <p><strong>The GDS Way and its content is intended for internal use by the GDS and CO CDIO communities.</strong></p>
+    <p><strong>The GDS Way and its content is intended for internal use by the GDS community.</strong></p>
   </div>
 
   <%= yield %>

source/standards/understanding-risks.html.md.erb

@@ -1,6 +1,6 @@
 ---
 title: Understand the risks to your service
-last_reviewed_on: 2023-11-20
+last_reviewed_on: 2024-05-03
 review_in: 6 months
 ---
 
@@ -11,12 +11,13 @@ When you build, maintain or change your service, you must have a clear understan
 You should work with [GDS Information Security IA] to design appropriate solutions for your service's risks. IA may need to obtain risk acceptance from your Senior Risk Owner (SRO).
 You can also work with the [COD Cyber Security Team] to get advice on the threats applicable to your service, and how to best mitigate them.
 
-
 The Service Manual has some recommendations which can reduce risk to your service, for example, how to:
 
 * [protect against fraud][] when you design and manage your service
 * [secure your information][] if you handle ‘official’ classified data
 
+The government security hub [security.gov.uk][securityhub] provides links to the policies and standards that we have to follow.
+
 ## Model security threats
 
 [Modelling threats][] can help you gain a clearer understanding of threats against your service. GDS uses [Attack Tree][] development workshops to model threats. Any workshops you run should cover all potential [attack vectors][].
@@ -47,3 +48,4 @@ The [National Cyber Security Centre (NCSC)] provides guidance about cyber securi
 [securing your cloud environment]: https://www.gov.uk/service-manual/technology/securing-your-cloud-environment
 [attack vectors]: https://searchsecurity.techtarget.com/definition/attack-vector
 [CDIO Security Pillar]: /standards/cyber-security-overview.html
+[securityhub]: https://www.security.gov.uk/