Search - National Standard Microsite
Cyber Network Security Standard v1.0
This standard supports the policy set out in the National Community Security Policy, providing requirements for those designing, building and running network services within PDS & policing systems. This standard details a minimum set of security requirements and controls that must be met to ensure security and segregation of network services. Consideration is given to the following areas network device configuration, physical network management, wireless access, external network connections, firewalls and remote maintenance.
Vulnerability Management v1.0
This standard supports the policy set out in the National Community Security Policy, providing requirements for those designing, building and running IT services and managing vulnerabilities within PDS & policing systems.
Cyber Security: Asset management
Step 3 from the 10 steps to Cyber Security covers asset management, ensuring you know what data and systems you manage, and what business need they support.
Asset management encompasses the way you can establish and maintain the required knowledge of your assets. Over time, systems generally grow organically, and it can be hard to maintain an understanding of all the assets within your environment. Incidents can occur as the result of not fully understanding an environment, whether it is an unpatched service, an exposed cloud storage account or a mis-classified document. Ensuring you know about all of these assets is a fundamental precursor to being able to understand and address the resulting risks. Understanding when your systems will no longer be supported can help you to better plan for upgrades and replacements, to help avoid running vulnerable legacy systems.
Application Development
This guidance gives practical advice on the secure development, procurement and deployment of generic applications.
There are three types of common security issues:
-
Secure data handling
-
Application hardening
-
Third party applications
This guidance is written main for risk assessors and application developers on how to minimise the loss of data from applications running on all devices handling sensitive data. Sensitive information should not be stored on devices when it's not required. If it must be stored on a device, a native data storage protection APIs (Application Programming Interface) available on the platform must be utilised. You must also ensure that the applications allows administrators to delete sensitive data from devices if they are compromised or lost and encrypt sensitive information when stored, protected by an authentication mechanism.
You must also securely implement cryptographic functions and store sensitive information securely, and hide it from the user until they have been authenticated and ensure that sessions timeout periodically and require the user or application to repeat the authentication process and where possible manage user accounts centrally.
ISO/IEC 27001:2013 IT Security techniques — Information Security Management Systems — Requirements
ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
The implementation of an information security management system is a strategic decision for an organisation that is influenced by the organisation’s needs and objectives, security requirements, the organisational processes and thus the International Standard has been setup to establish, implement, maintain and continually improve an information security management system.
The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.
This International Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. This also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation and is applicable to all organisations, irrespective of size and structure.
Records Management Code of Practice
The Code provides high-level standards for information and records management (in the form of seven principles), as well as other supporting standards, such as personnel and organisational capabilities. It will also drive consistency in the way that forces manage their information and records.
Use the Contact Us tab at the top of the page to request further details.
Cyber Threat and Incident Management v1.0 (aka NCSP Cyber Incident Management Standard)
This Standard specifies the minimum requirements regarding cyber threat and incident processes and actions. It aims to provide PDS (Police Digital Service) and policing with clear direction to manage threat, vulnerabilities and incidents associated with cyber-attacks and cyber incidents.
NCSP Secure By Design
This guideline provides guidance on the principles and application of the System Development Standard (Secure By Design) methodology.
Cyber Technical Security Management Standard v1.0
This Standard specifies the minimum requirements regarding technical security management. It describes the requirements to enable members of the community of trust to build and operate an effective technical security infrastructure, applying security architecture principles and integrating technical security solutions, such as malware protection, intrusion detection and cryptography.
NCSP Physical asset Management standard v1.0
The standard aims to ensure that physical assets are acquired securely, configured properly, maintained regularly, and disposed of safely and securely, while ensuring the confidentiality, integrity, and availability of the information they handle. By adopting this standard, organisations can ensure that they are protecting their assets against potential threats, mitigating risks, and complying with regulatory requirements.
NCSP Information Management v1.0
This Standard defines the requirements to implement Information Management as mandated in the National Community Security Policy. It encompasses the management of policing information within the OFFICAL tier of the Government Security Classification model.
NCSP Cryptography Standard v2.1
This standard sets out the Cryptographic Algorithms to be used within policing. A list of algorithms are provided initially followed by applications and the associated cryptography required for each application. Finally the standard provides some commentary on the emerging cryptography for post quantum computing and lightweight computing.
This standard adheres to the National Policing Community Security Policy Framework and is a suitable reference for community members, notably those who build and implement IT systems on behalf of national policing
NCSP Application Management Standard v1.0
This Standard is intended to guide the reader through the process of securely managing business applications both internally developed and externally sourced, regardless of whether locally installed or cloud based. Centred around stocktaking, documenting and actively managing those applications, this standard should enable the visibility of all business utilised applications, ensuring all are appropriately assessed for risk, appropriately licensed and managed in such a way as to not introduce cyber security risk going forward.
National Policing Community Security Policy Framework v1.3
This framework provides all National Policing and its partners with a clear guide of how information security policies and standards work in National Policing, the objectives of the framework, whom the framework and its supporting policy and principles apply to, whom has accountability for information security and risk and how policies will be governed.
NCSP Management of High Risk Applications standard v1.1
This standard outlines the minimum requirements and controls that must be met to ensure the secure management of applications identified as high risk.
Safe deployment of TikTok
This guidance provides an overview of approaches to deploy TikTok safely
NCSP Robotic process automation guideline
This guideline describes best practice risk management controls for using Robotic Process Automation (RPA) for the purpose of automating manual administrative overheads for National Policing Forces and applications
Robotic Process Automation Cyber Security Guidance
This guidance describes best practice cyber risk management controls for using Robotic Process Automation (RPA)
for the purpose of automating manual administrative overheads for National Policing Forces and
applications. This document only provides guidelines to automating manual processes and is not intended for machine
learning (ML) or artificial intelligence (AI) derived solutions. Please refer to separate guidelines and standards
for Digital Process Automation (DPA), AI and ML related activities.
NCSP MS Power platform guideline v1.0
This guidance is to assist members of the UK policing community of trust in the design, setup and use of Microsoft’s Power Platform service, incorporating Power Apps, Power Automate, and Power Pages.
NCSP Vetting requirements for policing guideline v1.3
This guidance describes the requirements for access to policing assets including premises, information, and information systems. This document should be read in conjunction with the Statutory Vetting Code of Practice and Authorised Professional Practice on Vetting
Vetting Requirements for policing
This guidance describes the vetting requirements for access to Policing assets including premises, information, and information systems. This document should be read in conjunction with the Statutory Vetting Code of Practice and Authorised Professional Practice on Vetting.
NCSP Security Management standard v1.1
This standard describes the requirements to implement and maintain an effective cyber security management system as required by the National Policing Community Security Policy Framework.
Implementation of this standard will help members to ensure that adequate management controls and oversight is in place to mature their cyber resilience
Security Management Standard v1.0
This standard describes the requirements to implement and maintain an effective cyber security management system as required by the National Policing Community Security Policy Framework.
Implementation of this standard will help members to ensure that adequate management controls and oversight is in place to mature their cyber resilience.
NCSP Security Governance standard v1.1
This Standard defines the requirements to implement Security Governance as mandated in the National Community Security Policy
Security Governance Standard V1.0
This Standard defines the requirements to implement Security Governance as mandated in the National Community Security Policy.
NCSP Safe Deployment of High Risk Applications Guideline v1.1
This guideline outlines approaches to follow for any use of high risk applications to reduce risk.
Tik Tok Standard
This standard provides direction on the use of TikTok across policing, in accordance with the latest guidance provided by the Cabinet Office.
NCSP Information Security Assurance standard v1.1
This standard defines the requirements to implement Information Security Assurance as mandated in the National Community Security Policy.
This document describes the requirements to help implement a consistent and structured information security assurance programme, supported by comprehensive security testing (using a range of attack types), penetration tests, and regular security and risk compliance monitoring.
Information Assurance Standard V1.0
This Standard defines the requirements to implement Information Assurance as mandated in the National Community Security Policy.
This document describes the requirements to help implement a consistent and structured information security assurance programme, supported by comprehensive security testing (using a range of attack types), penetration tests, and regular security and risk compliance monitoring.
NCSP Cyber Business Continuity standard v1.2
This standard specifies the minimum requirements regarding cyber business continuity, (Crisis Management & Disaster Recovery). It aims to provide policing with clear direction to implement a cyber business continuity strategy, enabling operations and services to endure adverse events.