to add a new content
Resource
Setup Government Email Services Securely

All public services sending emails out on behalf of government organisations must follow all protocols, processes and guidelines to ensure that they secure their email service. This includes:

  • the service providing users with mailbox access

  • internal relays and gateways

  • email filtering services

  • third party services that send email on your behalf, like transactional email services

Key configurations are needed to ensure you email services run smoothly:

  • Transport Layer Security (TLS)

  • DomainKeys Identified Mail (DKIM)

  • Domain-based Message Authentication, Reporting & Conformance (DMARC)

  • Public Domain Name System (DNS)

  • Ability to make administrative changes

 

If there are any changes made to your email security, ensure that you communicate such changes to all staff in your organisation.

Published 01/01/2020
Authoring body: Government Digital Services (GDS)
Guidance
Resource
Securing Government Email

This guidance applies to all email domains that public sector organisations run on the internet. It also helps ensures that public sector organisations exchanges email securely with other public sector organisations. Protecting emails in transit makes it difficult for domains to be spoofed.

All public sector emails must be kept secure by:

Encryption and authentication only work if both the sender and the recipient use them.

The Government Digital Service recommends protecting email by:

  • forcing TLS when sending to .gov.uk

  • forcing TLS when sending to any other domains that supports it if the local risk profile requires it

  • using extra encryption services if needs be

Published 01/01/2019
Authoring body: Government Digital Service (GDS)
Guidance
Resource
DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail (DKIM) verifies an email’s domain and ensures it has not been tampered with in transit. The receiving email service can then filter or reject email that fails the DKIM check. In order for DKIM to verify an emails domain it uses public key encryption to check email by creating a hash using the content of each outbound email. The sending service then encrypts the hash with its private key and adds it to the email header. This is the DKIM signature.

The receiving email service looks up the public key in the sender’s DKIM DNS (DOMAIN NAME SYSTEM) record then uses the public key to decrypt the DKIM signature on the email. It also generates a hash of the email in the same way the sending email service did. If the hash matches the decrypted DKIM signature then the email passes the DKIM check. This means the email came from where it says it came from and has not changed in transit.

Published 01/01/2016
Authoring body: Government Digital Service (GDS)
Guidance
Resource
Criminal Justice System: Data Standards Forum Guidance

An agreed and designed common data standards are used by the Criminal Justice System, ICT suppliers to support ICT communications between systems used by Criminal Justice Organisations (CJO) to support CJS operations. They are also used with open data standards as defined in the government’s Open Standards Principles. These common standards are also used to support data analytics, bidding for CJS contracts etc.

The selection of the CJS data standards is made by the CJS Data Standards Forum. This is a technical forum which has representatives from the principal CJOs.

There is a Data Standard Catalogue used to support the exchange of criminal justice information between different CJOs.

There are three different types of data standard reflected in the catalogued:

  • formatting standards

  • organisational structure standards

  • reference data standard

The Data Standard catalogue is constantly reviewed by the Data Standards Forum to ensure a set of standards is produced that is as small as possible while still being fit for purpose. 

 

Published 17/12/2020
Authoring body: Ministry of Justice (MOJ)
Guidance
Resource
End User Device (EUD) Security Principles (Version 1.0)

The End User Device (EUD) Security Principles sets out 12 core guidance principles that underpin the safety and security of using devices that serve the purpose of working remotely. The twelve principles are as follows: 

1. Data-in-transit Protection: Data should be protected as it transits from the EUD to any services the EUD uses. 

2. Data-at-rest Protection: Data stored on the device should be satisfactorily encrypted when the device is in its “rest” state. 

3. Authentication:

- User to device: the user is only granted access to the device after successfully authenticating to the device.

- User to service: The user is only able to access enterprise services after successfully authenticating to the service, via their device.

- Device to service: Only devices which can authenticate to the enterprise are granted access.

4. Secure Boot: An unauthorised entity should not be able to modify the boot process of a device, and any attempt to do so should be detected.

5. Platform Integrity and Application Sandboxing: The device can continue to operate securely despite potential compromise of an application or component within the platform, 

6. Application allow Listing: The enterprise can define which applications are able to execute on the device, and these policies are robustly enforced on the device.

7. Malicious code detection and prevention: The device can detect, isolate and defeat malicious code which is present on the device.

8. Security policy enforcement: Security policies set by your organisation are robustly implemented across the platform.

9. External interface protection: The device is able to constrain the set of ports (physical and logical) and services exposed to untrusted networks and devices. 

10. Device Update Policy: You are able to issue security updates and can remotely validate the patch level of your entire device estate.

11. Event Collection for Enterprise Analysis: The device reports security-critical events to your audit and monitoring service. 

12. Incident Response: Your organisation has a plan in place to respond to and understand the impact of security incidents.

All of these principles must be considered when securing and deploying devices.

Published 01/01/2019
Authoring body: National Cyber Security Centre (NCSC)
Principles
Resource
End User Device (EUD) Security Guidance

The End User Device (EUD) Security Principles sets out 12 core guidance principles that underpin the safety and security of using devices that serve the purpose of working remotely. The twelve principles are as follows:

  1. Data-in-transit Protection

  2. Data-at-rest Protection

  3. Authentication

  4. Secure Boot

  5. Platform Integrity and Application Sandboxing

  6. Application allow Listing

  7. Malicious Code Detection and Prevention

  8. Security policy Enforcement

  9. External Interface Protection

  10. Device Update Policy

  11. Event Collection for Enterprise Analysis

  12. Incident Response

All of these principles must be considered when securing and deploying devices.

 

Published 01/01/2019
Authoring body: National Cyber security Centre (NCSC)
Principles
Resource
Auditing Principles - Directive 2006/43/EC of the European Parliament and of the Council

Statutory auditors should adhere to the highest ethical standards and should be subject to professional ethics. This Directive aims at high-level to bring about harmonisation of statutory audit requirements as a result of lack of a harmonised approach to statutory auditing in the Community. This was the reason why the Commission proposed, in its 1998 Communication on the statutory audit in the European Union that a creation of a Committee on Auditing which could develop further action in close cooperation with the accounting profession and Member States be established.

The output/recommendation from the committee setup was a Recommendation was a set of Fundamental auditing Principles. The statutory audit requires adequate knowledge of matters such as company law, fiscal law and social law for Audit qualifications obtained by statutory auditors. In order to protect third parties, all approved auditors and audit firms should be entered in a register which is accessible to the public and which contains basic information concerning statutory auditors and audit firms. 


It is important to note that good audit quality contributes to the orderly functioning of markets by enhancing the integrity and efficiency of financial statements. 


Published 01/01/2006
Authoring body: European Parliament
Principles
Resource
Retrieval of Video Evidence and production of working copies from digital CCTV Systems (Version 2.0)

Digital CCTV installations vary greatly in terms of the recording methods as a result of varying solutions with different capabilities and functionality which are used to capture picture and video evidence with export facilities provided.

This document provides guidance on the retrieval of video from any digital CCTV system in its native file format and the methods for the production of working copies in non-native file formats, where this is necessary to facilitate further processing or replay in court.

The document contains a flowchart to help the user select the most appropriate retrieval method to use for any given CCTV system. Explanatory notes are also provided for each option and guidance

given for assessing the practicality and suitability of each technique to ensure that the right retrieval method is selected to uphold evidential integrity.

The guidance also covers the production of working copies, specifically where this involves a conversion between video formats.

Options have also been presented for final storage of the working copy. Information is given as to the suitability of each conversion technique and storage medium, so that appropriate choices can be made to best minimise the potential degradation in image quality.

A checklist of actions is provided when retrieving data to ensure that all relevant information is captured and evidential integrity is maintained.

Published 01/01/2008
Authoring body: Defence Science and Technology Laboratory
Guidance
Resource
National Intelligence Model

The National Intelligence Model (NIM) is a well-established model within the policing world that was established in 2000 by the National Criminal Intelligence service (NCIS) and adopted by Association of Chief Police Officers (ACPO) to help to mange the use of setting strategic direction, making prioritised resourcing decisions, intelligently allocating resources in the most efficient manner, developing and outlining tactical plans, coordinating activities and managing associated risks.

NIM has three levels which it operates on:

  • Level 1 – Local/Basic Command Unit (BCU)

  • Level 2 – Force and/or regional

  • Level 3 – Serious and organised crime that is usually national or international

NIM doesn’t just only help to serve crime and intelligence decision-making but is expansive in its dynamics and touches on the general policing business and decision-making. It also serves as a standardised approach for gathering, co coordinating and disseminating intelligence, which can be integrated across all forces and law enforcement agencies.

NIM allows for greater consistency of policing across the UK, operational strategies to focus on key priorities, ensures more officers are focused on solving priority problems and targeting the most active offender, achieves greater compliance with human rights legislation, improves direction and briefing of patrols, helps to reduce rates of persistent offenders through targeting the most prolific and helps to improves integration with partner agencies.

Published 01/01/2005
Authoring body: Home Office
Standards
Resource
Code of practice for the deployment and use of Body Worn Video (BWV) BS 8593:2017

The use of Body worn video (BWV) includes video and microphone both audio and visual recording. The recording can also be stored and exported.

BWV has become extremely in the video surveillance sector and within the Police Force, as officers are able to use BWV and capture key important evidence whilst on operational duty. However have been some issues around privacy, data security technical capabilities.

To ensure that BWV, is used for its intended purpose this standard has been written to provide operational and technical guidance to help strike a balance between safety and the privacy of the individuals being recorded and foster public trust in where and when BWV can be used.

Some of the activities in which BWV can be used are in emergency responses, night-time economy operations/events, security guarding, parking enforcement, door supervision.

Intended readers are Police officers, security companies, entertainment venues, local authorities.

Fees to accessing the standard may apply.

Published 01/01/2017
Authoring body: British Standards Institute (BSI)
Standards