GOV.UK
Cloud Maturity Model
Alpha
Governance
How do you decide who handles the different aspects of cloud security?
We don’t have a standard approach, which leads to gaps and misunderstandings.
Some people know about the shared responsibility model, but it’s not always used.
We use the shared responsibility model.
We plan with the shared responsibility model, review often, and record responsibilities.
Shared responsibility is at the centre of all our cloud decisions. We review often to make sure we have clear roles and get the best value.
I don't know
How do you manage and store build artefacts (files created when building software)?
We don’t, and people often change code on live servers.
We rebuild artefacts in each environment, which can cause problems.
We save artefacts, sometimes with version control, but there’s no focus on making them secure or unchangeable.
We lock down artefact dependencies and check them with digital signatures or hashes.
All build artefacts are unchangeable, signed, and stored for audits. We can recreate any environment if needed.
I don't know
How do you manage and update access policies, and how do you tell people about changes?
We don’t have formal policies. People decide based on what they think is best.
We document our access policies, but updates and communication are irregular.
We review and update policies and tell the right people, but not always in a transparent way.
We review and update policies and tell the right people. Everyone understands the process.
We store policies in version control. Anyone can see or suggest changes. Updates are open and tested like software.
I don't know
How do you manage your cloud environment?
Manually, when needed, with no set process.
Documented manual processes. Test environments may not match live ones.
Some things are scripted, but we still do a lot by hand.
Most things are standardised and automated. We often review and make improvements.
Everything is automated using code and we get alerts if anything changes unexpectedly.
I don't know
How do you apply and enforce policies?
We don’t.
We have policies, but don’t check whether people follow them.
We use processes to apply policies, but not much technology.
We use processes and some technology to apply policies.
We have robust processes and technology to ensure that policies are always followed.
I don't know
How do you use version control and branch strategies?
There is very little use of version control.
We have our own way of managing branches, not standard methods.
We use a recognised strategy (like GitFlow or GitHubFlow), with changes to better suit us.
We follow a recognised strategy suited to complex projects (such as GitFlow).
We follow a recognised strategy suited to continuous delivery and simplified collaboration (such as GitHubFlow).
I don't know
How do you provision cloud services?
Manually, with no automation.
We use some scripts, but there are no standards or consistency.
We use automation for some services, but not everything.
Most teams use automation to set up cloud services.
All cloud services are set up by CI/CD pipelines.
I don't know