Security Policy No.4

This is the fourth of seven Security Policies within the HMG Security Policy Framework (SPF), outlining the mandatory security requirements and management arrangements to which all Departments and Agencies (defined as including all bodies directly responsible to them) must adhere. This policy deals with:

Information Security and Assurance

Information security policy

MANDATORY REQUIREMENT 31

Departments and Agencies must have, as a component of their overarching security policy, an information security policy setting out how they, and their delivery partners (including offshore and nearshore (EU/EEA based) Managed Service Providers), comply with the minimum requirements set out in this policy and the wider framework.

Managing information risk

Information is a key asset to Government and its correct handling is vital to the delivery of public services and to the integrity of HMG. In striking the right balance between sharing and protecting data, Departments and Agencies must manage business impacts and risks associated with Confidentiality, Integrity and Availability (C, I & A) of all information. Information Assurance (IA) is the confidence that information systems will protect the information they carry and will function as they need to, when they need to, under the control of legitimate users. The IA functions that support the protection of Government Information and Communications Technology (ICT) Systems are risk management, accreditation, standards and compliance. The importance of IA to public service delivery has been demonstrated by the publication of a National IA Strategy; this policy supports this strategy. The International Standard for Information Security Management Systems (ISO/IEC 27001) is acknowledged as good practice and this policy is aligned to that standard.

MANDATORY REQUIREMENT 32

Departments and Agencies must conduct an annual technical risk assessment (using HMG IA Standard No.1) for all HMG ICT Projects and Programmes, and when there is a significant change in a risk component (Threat, Vulnerability, Impact etc.) to existing HMG ICT Systems in operation. The assessment and the risk management decisions made must be recorded in the Risk Management and Accreditation Documentation Set (RMADS), using HMG IA Standard No.2 – Risk Management and Accreditation of Information Systems.

When handling personal data there is a further requirement to conduct a risk assessment every quarter; please refer to HMG IA Standard No.6 – Protecting Personal Data and Managing Information Risk.

Business impact

In assessing the level of impact likely to result from any compromise of information assets, Departments and Agencies must use ‘Business Impact Levels’, also known simply as Impact Levels (ILs). ILs provide a six-point scale which allows Departments and Agencies to make a balanced assessment of the countermeasures to meet risk management requirements for Confidentiality, Integrity and Availability. In addition, organisations must review where large amounts of data are aggregated, accumulated, or associated with other data, to determine whether a higher Impact Level, and therefore greater protection and specific handling, is required.

MANDATORY REQUIREMENT 33

Departments and Agencies must, in conjunction with the Protective Marking System, use Business Impact Levels (ILs) to assess and identify the impacts to the business through the loss of Confidentiality, Integrity and/or Availability of data and ICT systems should risks be realised. Aggregation of data must also be considered as a factor in determining ILs.

Personal data

HMG must handle, protect and share large amounts of personal data to maximise public service delivery. Departments and Agencies must comply with the data protection principles set out in the Data Protection Act to ensure a high level of confidence that personal data is handled correctly. There are specific requirements relating to handling personal data as defined in HMG IA Standard No.6 – Protecting Personal Data and Managing Information Risk – see Mandatory Requirement 14.

Roles and responsibilities

Accounting Officers (e.g. Head of Department/Permanent Secretary) have overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level. This responsibility must be supported by a Senior Information Risk Owner (SIRO) and the day-to-day duties may be delegated to the Departmental Security Officer (DSO), IT Security Officer (ITSO) or Information Asset Owners (IAOs).

MANDATORY REQUIREMENT 34

Information risk must be specifically addressed in the departmental annual Statement on Internal Control (SIC), which is signed off by the Accounting Officer.

MANDATORY REQUIREMENT 35

Departments and Agencies must have:

  1. A designated Senior Information Risk Owner (SIRO); a Board level individual responsible for managing departmental information risks, including maintaining and reviewing an information risk register (The SIRO role may be combined with other security or information management board level roles).
  2. A designated Information Technology Security Officer (ITSO); responsible for the security of information in electronic form.
  3. A designated Communications Security Officer (ComSO) if cryptographic material is handled.
  4. Information Asset Owners; senior named individuals responsible for each identified information asset.

It is advised that the ITSO reports to the DSO on information security matters. Where this is not the case, there should be clear mechanisms to ensure that IT security is considered as part of the overall approach to protective security. Smaller Departments and Agencies may wish to combine the ComSO and ITSO roles, while larger ones may consider appointing Deputies and/or creating other specific IT/Communications security posts. It is also sufficient for Agencies to consider parent Departmental roles as their designated SIRO/ITSO/IAO/ComSO.

Accreditation and audit

Formal accreditation and audit processes provide important assurances that necessary standards are being met. As well as overall compliance arrangements for protective security (set out in Security Policy No.1: Governance, Risk Management and Compliance), there are specific and mandatory Information Assurance accreditation requirements.

MANDATORY REQUIREMENT 36

ICT systems that process protectively marked Government data must be accredited using HMG IA Standard No. 2 – Risk Management and Accreditation of Information Systems, and the accreditation status must be reviewed at least annually to judge whether material changes have occurred which could alter the original accreditation decision.

MANDATORY REQUIREMENT 37

Departments and Agencies must have the ability to regularly audit information assets and ICT systems. This must include:

  1. Regular compliance checks carried out by the Accreditor, ITSO etc. (documented in the RMADS audit of the ICT system against configuration records).
  2. A forensic readiness policy that will maximise the ability to preserve and analyse data generated by an ICT system that may be required for legal and management purposes.

MANDATORY REQUIREMENT 38

All ICT systems must have suitable identification and authentication controls to manage the risk of unauthorised access, to enable auditing, and to support the correct management of user accounts.

Codes of connection and technical controls

MANDATORY REQUIREMENT 39

Departments and Agencies must follow the requirements of any codes of connection, multilateral or bilateral international agreements and community or shared services security policies to which they are signatories (for example Government Secure Intranet (GSI)).

Codes of connection should cover the following technical policies:

  1. Patching policy, covering all ICT systems including Operating System and applications, to reduce the risk from known vulnerabilities.
  2. Policy to manage risks posed by all forms of malicious software (‘malware’), including viruses, spyware and phishing etc.
  3. Boundary security devices (e.g. firewalls) must be installed on all systems with a connection to untrusted networks, such as the Internet.
  4. Content checking/blocking policy.
  5. Lockdown policy to restrict unnecessary services and ensure that no user has more privileges (access and functionality) than required.

Where these are not covered by codes of connection, or Departments are not signatories, separate policies covering these areas must be established.

Cryptography

MANDATORY REQUIREMENT 40

Departments and Agencies must comply with HMG IA Standard No.4 – Communications Security and Cryptography (parts 1-3) for the protection of protectively marked material, paying particular attention to the circumstances when encryption is required, the requirement to only use CESG approved solutions, the control mechanisms for cryptographic items, and the requirement for specified levels of personnel security clearance for individuals handling cryptographic items.

Eavesdropping and Electro-Magnetic Countermeasures

MANDATORY REQUIREMENT 41

Departments and Agencies must follow specific Government procedures to manage the risk posed by eavesdropping and electro-magnetic emanations.

Remote working/mobile media

Home or remote working will introduce new vulnerabilities associated with off-site and portable ICT devices and media (e.g. laptops, PDAs, mobile phones, memory sticks, external drives, MP3 players etc.). Departmental standards and guidelines must be used for connecting to public (insecure) ICT systems such as the internet. Departments and Agencies should also, when handling personal data, avoid where possible the use of mobile media.

MANDATORY REQUIREMENT 42

Departments and Agencies must have a policy on remote working (e.g. home or mobile) that complies with the requirements in this framework.

Procurement

MANDATORY REQUIREMENT 43

Departments and Agencies must ensure that security requirements are specified in ICT contracts and all new ICT contracts handling personal data must adhere to the Office of Government Commerce (OGC) ICT model terms and conditions.

Reporting incidents

MANDATORY REQUIREMENT 44

Departments and Agencies must have clear policies and processes for reporting, managing and resolving ICT security incidents. All security incidents must be reported to:

  1. Appropriate departmental security authorities.
  2. HMG incident management bodies: GovCERT for network incidents and CINRAS for communications security (involving cryptographic items).
  3. The Information Commissioner's Office and the Cabinet Office Central Sponsor for Information Assurance for significant actual or possible losses of personal data.

Secure disposal

MANDATORY REQUIREMENT 45

Departments and Agencies must ensure that all media used for storing or processing protectively marked or otherwise sensitive information are disposed of or sanitised in accordance with HMG IA Standard No. 5 – Secure Sanitisation of Protectively Marked Material or Sensitive Information.

Personnel and physical security

Personnel and physical security are integral elements in mitigating information risk. Whilst the standards outlined in Security Policy No. 3 – Personnel Security and Security Policy No. 5 – Physical Security deal with these, it should be noted that ICT and cryptographic posts (e.g. ITSO, Crypto-custodians, system administrators) must be specifically evaluated to assess the level of security clearances required. Moreover, the physical security of ICT hardware and infrastructures must be specifically addressed.

MANDATORY REQUIREMENT 46

Departments and Agencies must ensure that ICT users with higher levels of privilege and/or potentially wide access (e.g. system administrators, architects, programmers etc.), or those with responsibility for ICT security, are subject to evaluation for National Security clearances appropriate to the protective marking of the information processed.

MANDATORY REQUIREMENT 47

Departments and Agencies must ensure that all locations where information and system assets (including cryptographic items) are kept have an appropriate level of physical security as set out in this framework.

Education, training and awareness

MANDATORY REQUIREMENT 48

Departments and Agencies must ensure that all users of ICT systems are familiar with the security operating procedures governing their use, receive appropriate security training, and are aware of local processes for reporting issues of security concern. They must further ensure that staff who manage and maintain the secure configuration of ICT systems, and those with access to information assets, are appropriately trained, are aware of incident reporting, and the minimum standards relating to the handling of protectively marked data.

Business Continuity and Disaster Recovery Planning

MANDATORY REQUIREMENT 49

Departments and Agencies must ensure that all locations where information and system assets (including cryptographic items) are kept have appropriate Business Continuity and Disaster Recovery Plans.

These plans should form part of overall Business Continuity plans – see Security Policy No. 7 and Mandatory Requirement 70 for details.
