to add a new content
Resource
ISO/IEC 27001:2013 IT Security techniques — Information Security Management Systems — Requirements

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The implementation of an information security management system is a strategic decision for an organisation that is influenced by the organisation’s needs and objectives, security requirements, the organisational processes and thus the International Standard has been setup to establish, implement, maintain and continually improve an information security management system.

The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.

This International Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. This also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation and is applicable to all organisations, irrespective of size and structure.

Published 01/01/2013
Authoring body: International Organisation for Standardisation (ISO)
Standards
Resource
ISO/IEC 27000:2020 IT Security techniques - Information Security management systems - Overview & Vocabulary

The International Organisation Standardisation (ISO) and the International Electrotechnical Commission (IEC) form the specialised system for worldwide standardisation. National bodies that are apart of the ISO or IEC participate through technical committees in the development of International standards to deal with particular areas of technical activities.

ISO/IEC in light of information technology provides an international standard and overview by for management systems by which a model can be followed in setting up and operating a management system. Information Security Management System (ISMS) is responsible for ensuring continuous development of the international management system standards.

Through the various standards developed, organisations can develop and implement a framework for managing and protecting the security of the information assets and systems including financial information, intellectual property, employee details, customer, client and third parties personal details.

The ISMS Standard includes standards that define requirements for an ISMS, provides direct support and guidance for the overall process to implement and maintain an ISMS standard, address conformity assessment for ISMS and provide terms and definitions for the international standard.

Published 01/01/2020
Authoring body: International Organisation Standardisation (ISO)
Standards
Resource
ISO/IEC 27002:2013 IT Security techniques - Code of Practice for Information Security Controls

This document informs the implementation of controls within an information security management system based on ISO 27001.

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

This International Standard is designed for organisations to use as a reference for selecting controls within the process of implementing an Information Security Management System (ISMS) based on ISO/IEC 27001. It can also be used as guidance for implementing commonly accepted information security controls.

All types of organisations including public and private sector, commercial and non-profit organisations collect collect, process, store and transmit information in many forms including electronic, physical and verbal and therefore the value of information goes beyond the written words, numbers and images. Knowledge can also be intangible such as concepts, ideas, knowledge, brands, reputation – these are all forms of intangible information. As a result vital information can be very valuable to an organisation’s and as such deserves and require protection against various hazards.

Therefore it is essential that an organisation identify its security requirements by 1. Assessing risk 2. Observing all statutory, regulatory and contractual requirements that an organisation has to satisfy 3. Setting principles, objectives and business requirements for information handling, processing, storing, communicating and archiving that an organisation has developed to support its operations.

Published 01/01/2013
Authoring body: International Organisation for Standardisation (ISO)
Standards
Resource
Security Policy Framework for HMG Organisations

This Framework describes the Cabinet Secretary and Official Committee on Security expectations of how HMG organisations and third parties handling HMG information and other assets will apply protective security to ensure HMG can function effectively, efficiently and securely.

The Security Policy Framework should be applied across Her Majesty’s Government and assets that are held by third parties in the wider public sector and by our commercial partners and personal responsibility and accountability should be undertaken to uphold the policy as attitudes and behaviours are key for exercising good security.

It is important to note that proper management, risk management, good governance and judgment and discretion remain the most form of effective security protection. 

Published 01/01/2018
Authoring body: Government Digital Service (GDS)
Policy
Resource
Facing the Camera - Guidance on police use of overt CCTV and facial recognition to locate persons on a watchlist in public

This code of practice issued by the Secretary of State (regulated by the Surveillance Camera Commissioner) under the Protection of Freedoms Act 2012 (PoFA) covers police forces in England & Wales. Chief officers must have regard to this code when using facial recognition algorithms as part of the operation of surveillance camera systems, or the use or processing of images or other information obtained.

The code only applies to the use of facial recognition technology and processing of images from surveillance cameras operated in 'live time' or 'near real time' operational scenarios.

The code includes considerations into:

  • Applicability
  • Biometrics
  • Ethics
  • Human Rights
  • Legal frameworks
  • Police policy documents
  • Governance
  • Evidence handling
  • Public engagement
  • Accountability and certification

Also included as an attachment is the National Surveillance Camera Strategy for context.

Published 01/11/2020
Authoring body: Surveillance Camera Commissioner (SCC)
Principles
Resource
Create and iterate an SPF record for email authentication

This document provides guidance on how to create and iterate a Sender Policy Framework record, which is a system of email authentication.

SPF works by providing domain owners a way to publish a list of the IP addresses which should be trusted for a given domain. A receiving email service can then check that a sending email service has an IP address which appears in the sender's published list.

If the IP address appears in the list of acceptable IPs, the receiving email service will forward the email to the recipient's inbox. If the receiving email service cannot confirm the IP address is valid, then it marks the email in accordance with the DMARC policy you have implemented on the domain the email is being sent from.

Published 02/07/2021
Authoring body: National Cyber Security Centre (NCSC)
Guidance
Resource
Criminal Justice System Exchange Data Standards Catalogue (Version 6)

The CJS Data Standards Catalogue is a collection of data standards used by Criminal Justice Organisations in England & Wales to support interoperability between their different ICT systems.

If you are a member of a Criminal Justice Organisation and work in the area of data standards then you too can help to shape that change. If you have any questions then please raise them with the Forum representative for your organisation by visiting https://www.gov.uk/guidance/criminal-justice-system-data-standards-forum-guidance

Published 01/01/2020
Authoring body: Criminal Justice System (CJS) Exchange Product Board
Reference Data / Templates
Resource
IDENT1

This document should be used in reference to the appropriate legislation, such as the Protection of Freedoms Act 2012: DNA & Fingerprint Provisions

IDENT1 is the UK’s nationals automated fingerprint system that provides biometric series for the police force and law enforcement agencies covering England, Scotland and Wales.

IDENT1 was introduced in 2004 and replaced the National Automated Fingerprint Identification System (NAFIS) of England and Wales, as well as the electronic fingerprint identification system used by the Scottish police forces. It was developed by Northrop Grumman with the use of advanced biometric identification technology.

IDENT1 enables the forces to search and compare fingerprints and crime scene marks in a single database, providing a unified collection of finger and palm prints.

The datasets that consist in within IDENT1 are the following:

  • Colour Type

  • Fingerprint Bureau Code Type

  • Fingerprint Owners sex Type

  • Fingerprint Status Type

  • Force Code Type

  • Force Station Coe Type

  • IDENT Offence Code Type

  • Jurisdiction Type

By using efficient algorithms and technology, IDENT1 is able to deliver a high degree of search accuracy and performance for the fingerprint officers (FPOs) and police officers by taking advantage of Biometric fusion technology.

Published 01/01/2019
Authoring body: Home Office
Reference Data / Templates
Resource
Resource Description Frameworks (RDF) for web development

The standards referred to by W3C are community generated standards, last reviewed by the National Standards Assurance Board in May 2021.

The World Wide Web Consortium (W3C) is an international community where Member organisations and the public work together to develop Web standards. It’s aim is to lead the World Wide Web to its full potential by developing protocols and guidelines that ensure the long-term growth of the Web. 

The social value of the Web is that it enables human communication, commerce, and opportunities to share knowledge. One of W3C's primary goals is to make these benefits available to all people, whatever their hardware, software, network infrastructure, native language, culture, geographical location, or physical or mental ability. Some people view the Web as a giant repository of linked data while others as a giant set of services that exchange messages.

W3C's vision for the Web involves participation, sharing knowledge, and thereby building trust on a global scale.

The Web has transformed the way we communicate with each other. In doing so, it has also modified the nature of our social relationships. People now "meet on the Web" and carry out commercial and personal relationships, in some cases without ever meeting in person. W3C recognises that trust is a social phenomenon, but technology design can foster trust and confidence. As more activity moves on-line, it will become even more important to support complex interactions among parties around the globe.

Published 01/01/2020
Authoring body: W3C
Guidance
Resource
CPA Security Characteristic Software Full Disk Encryption (Version 1.24)

This document has been reviewed by the National Standards Assurance Board in May 2021 and is still deemed relevant with sound principles, despite being dated in some areas. Users should also be aware of the NEP Windows Blueprints.

 

This document describes the features, testing and deployment requirements necessary to meet CPA certification for Software Full Disk Encryption security products. It is intended for vendors, system architects, developers, evaluation and technical staff operating within the security arena.

The purpose of a software disk encryption product is to protect the confidentiality of data. This document aims to describe the requirements for Software Full Disk Encryption products and obtaining Commercial Product Assurance (CPA) certification under the CPA scheme.

A typical use case is the protection of a mobile device such as a laptop in case of accidental loss or theft.

The Security Characteristic is primarily targeted towards a single user for each protected devices only applicable to software disk encryption products that operate on PCs with Extensible Firmware Interface (UEFI) or  Basic Input/Output System (BIOS). Multiple users can also be evaluated.

Intended readers are for developers, system, architects, vendors and technical staff. The disk encryption software will prevent an attacker from accessing the data.

Published 01/01/2016
Authoring body: CESG National Technical Authority for Information Assurance
Standards