Deduplicate threat modelling content
- move most of it onto the 'threat modelling' page
- also link to updated intranet page for COD:Cyber
galund committed Oct 3, 2024
1 parent 735e3a2 commit 1551c8f
Showing 2 changed files with 9 additions and 19 deletions.
8 changes: 6 additions & 2 deletions source/standards/threat-modelling.html.md.erb
Expand Up @@ -16,7 +16,7 @@ pipeline or the integrity of web form submissions.

Threat modelling aims at identifying, prioritising and mitigating threats to a service.

Threat modelling will help you:
Attack Tree workshops will help you:

* Understand threats that are unique to your service, helping you to adopt security conscious behaviours during its design, development and operation
* Focus mitigation efforts on the threats that matter – that is, threats that pose the greatest risk to the normal operation of your service
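
Review bot: The new lead-in "Attack Tree workshops will help you:" narrows the benefits list to a single technique, while the sentence directly above it ("Threat modelling aims at identifying, prioritising and mitigating threats to a service.") and the bullets below describe threat modelling in general, and attack trees have not been introduced at this point in the visible text. Keep "Threat modelling will help you:" here, or introduce and link attack trees before this line so the list has a referent.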
Expand All @@ -27,7 +27,7 @@ The best time to perform threat modelling activities is during the design phase;
however, it can be done anytime and should become a continuous process in your
service team.

Within the Cabinet Office, the [Cyber Security Team](https://sites.google.com/cabinetoffice.gov.uk/cybersecurity/our-services/threat-modelling) can support you with threat modelling your service, as well as advising you should you decide to carry it out yourself or through a third party.
Within the Cabinet Office, the Cyber Security Team can [support you with threat modelling your service][COD Threat Modelling], as well as advising you should you decide to carry it out yourself or through a third party.

Within the Cabinet Office and GDS, we follow the [Threat Modeling Manifesto][]'s
four questions:
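
Review bot: The reworded Cyber Security Team sentence now resolves through the `[COD Threat Modelling]` definition added at the bottom of the file, which points at an intranet.cabinetoffice.gov.uk address, yet the same sentence speaks to teams working "through a third party" and the next paragraph covers GDS as well. Say in the text that the link needs Cabinet Office intranet access, or add a contact route for readers who cannot reach it.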
Expand Down Expand Up @@ -84,6 +84,8 @@ Threat analysis aims to finalise the answer to the “What can go wrong?”
question. We use a scoring methodology to determine if a threat is valid and
prioritise threats against each other.

You should aim to cover all potential [attack vectors][].

#### 2.1 Scoring

After the discovery stage, you can make a copy of the
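
Review bot: The added sentence "You should aim to cover all potential [attack vectors][]." lands in the threat analysis section, between the scoring introduction and "2.1 Scoring", but in understanding-risks it was guidance for workshops ("Any workshops you run should cover all potential [attack vectors][]."), and the following paragraph begins "After the discovery stage". Move it into the discovery stage text, or reword it to say how attack-vector coverage feeds the scoring described here.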
Expand Down Expand Up @@ -254,7 +256,9 @@ This would contrast with a service like GOV.UK, where the threat is likely to be
- [Mario Areias - Threat Modelling the Death Star][] YouTube video example


[COD Threat Modelling]: https://intranet.cabinetoffice.gov.uk/it-data-and-security/cyber-and-information-security-services/threat-modelling/
[Why Threat Model?]: https://www.youtube.com/watch?v=YP4mNRXGcks
[attack vectors]: https://searchsecurity.techtarget.com/definition/attack-vector
[Threat Modeling Manifesto]: https://www.threatmodelingmanifesto.org/
[Threat Modelling Scoring template]: https://docs.google.com/spreadsheets/d/1u22W_bUEPESvbMde-Q4syJLTen1OKIcE4ILk7wyaydM/edit#gid=0
[STRIDE]: #stride
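
Review bot: The added `[attack vectors]` definition carries the searchsecurity.techtarget.com link over unchanged from understanding-risks, so a standards page keeps depending on a third-party commercial glossary URL for a core term. Consider pointing it at a stable government source (the other file already links the NCSC) or defining the term in a sentence on this page.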
20 changes: 3 additions & 17 deletions source/standards/understanding-risks.html.md.erb
Expand Up @@ -20,32 +20,18 @@ The government security hub [security.gov.uk][securityhub] provides links to the

## Model security threats

[Modelling threats][] can help you gain a clearer understanding of threats against your service. GDS uses [Attack Tree][] development workshops to model threats. Any workshops you run should cover all potential [attack vectors][].

The Cabinet Office Cyber Security Team can help you carry out threat modelling, to help you:

* Understand threats that are unique to your service, helping you to adopt security conscious behaviours during its design, development and operation
* Focus mitigation efforts on the threats that matter – that is, threats that pose the greatest risk to the normal operation of your service
* Ensure the right security controls are in place to match the threats your service faces
* Adopt secure by design approach to your service throughout the service's lifecycle

The team can also advise you on how threat model efficiently, should you decide to carry it out yourself or through a third party.

You will find more information on threat modelling on the [COD Cyber Security Team]'s google site.
Modelling threats can help you gain a clearer understanding of threats against your service, see [threat modelling][].

## Further Reading

The [National Cyber Security Centre (NCSC)] provides guidance about cyber security. The Service Manual has advice about [securing your information] and [securing your cloud environment].

[GDS Information Security IA]: https://sites.google.com/a/digital.cabinet-office.gov.uk/gds/directorates-and-groups/cto-and-ciso-office/information-security
[COD Cyber Security Team]: https://sites.google.com/cabinetoffice.gov.uk/cybersecurity/our-services/threat-modelling
[COD Cyber Security Team]: https://intranet.cabinetoffice.gov.uk/it-data-and-security/cyber-and-information-security-services/
[protect against fraud]: https://www.gov.uk/service-manual/technology/protecting-your-service-against-fraud
[secure your information]: https://www.gov.uk/service-manual/technology/securing-your-information
[Modelling threats]: /standards/threat-modelling.html#what-39-s-a-threat
[Attack Tree]: /standards/threat-modelling.html#what-39-s-a-threat
[Threat modelling]: ./threat-modelling.html
[National Cyber Security Centre (NCSC)]: https://www.ncsc.gov.uk/
[securing your information]: https://www.gov.uk/service-manual/technology/securing-your-information
[securing your cloud environment]: https://www.gov.uk/service-manual/technology/securing-your-cloud-environment
[attack vectors]: https://searchsecurity.techtarget.com/definition/attack-vector
[CDIO Security Pillar]: /standards/cyber-security-overview.html
[securityhub]: https://www.security.gov.uk/
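
Review bot: The new definition `[Threat modelling]: ./threat-modelling.html` uses a `./` relative path, while the other internal links visible in this file are root-relative (`/standards/cyber-security-overview.html`, and the removed `/standards/threat-modelling.html#...` entries). Use `/standards/threat-modelling.html` for consistency. Also, the only visible use of `[COD Cyber Security Team]` is in the removed paragraph, so the updated definition may now be unused and could be dropped if nothing else in the file references it; and the new sentence reads better split as "... threats against your service. See [threat modelling][]."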
