to add a new content
Resource
Cyber Security: Identity and access management

Step 6 from the 10 steps to Cyber Security covers how to control who and what can access your systems and data via identity and access management (IAM)

Access to data, systems and services need to be protected. Understanding who or what needs access, and under what conditions, is just as important as knowing who needs to be kept out. You must choose appropriate methods to establish and prove the identity of users, devices, or systems, with enough confidence to make access control decisions. A good approach to identity and access management will make it hard for attackers to pretend they are legitimate, whilst keeping it as simple as possible for legitimate users to access what they need. 

Published 11/05/2021
Authoring body: National Cyber Security Centre (NCSC)
Guidance
Resource
Cyber Security: Data security

Step 7 from the 10 steps to Cyber Security covers the need to protect data where it is vulnerable.

Data needs to be protected from unauthorised access, modification, or deletion. This involves ensuring data is protected in transit, at rest, and at end of life (that is, effectively sanitising or destroying storage media after use). In many cases data will be outside your direct control, so it important to consider the protections that you can apply as well as the assurances you may need from third parties. With the rise in increasingly tailored ransomware attacks preventing organisations from accessing their systems and data stored on them, other relevant security measures should include maintaining up-to-date, isolated, offline backup copies of all important data

Published 11/05/2021
Authoring body: National Cyber Security Centre (NCSC)
Guidance
Resource
Cyber Security: Logging and monitoring

Step 8 from the 10 steps to Cyber Security covers how to design your systems to be able to detect and investigate incidents.

Collecting logs is essential to understand how your systems are being used and is the foundation of security (or protective) monitoring. In the event of a concern or potential security incident, good logging practices will allow you to retrospectively look at what has happened and understand the impact of the incident. Security monitoring takes this further and involves the active analysis of logging information to look for signs of known attacks or unusual system behaviour, enabling organisations to detect events that could be deemed as a security incident, and respond accordingly in order to minimise the impact.

Published 11/05/2021
Authoring body: National Cyber Security Centre (NCSC)
Guidance
Resource
BS 10008 Evidential Weight and Legal Admissibility of Electronic Information

This document outlines best practice for the implementation and operation of electronic information management systems, including the storage and transfer of information. It is designed to help you verify and authenticate all your information to avoid the legal pitfalls of information storage. BS 10008 outlines best practice for transferring electronic information between systems and migrating paper records to digital files. It also gives guidelines for managing the availability and accessibility of any records that could be required as legal evidence.

Published 01/01/2020
Authoring body: British Standards Institute (BSI)
Standards
Resource
ISO 15489:2016 Data Records Management

ISO 15489 provides a framework for implementing records management systems - the lifecycle of records from creation through to disposal. Police forces can use this to inform internal records management systems such as the use of Share Point or use as an assessment when considering suppliers of systems, this could include case management.

This document was reviewed by the National Standards Assurance Board in July 2021 and still deemed current and of value to policing

[Added September 2021]

Published 01/04/2016
Authoring body: International Standards Organisation (ISO)
Standards
Resource
Publishing Accessible Documentation

There is a need under the Equality Act 2010 to ensure documents are readily available to users who have additional accessibility needs. This document explains how to publish accessible documents to meet the needs of all users under the accessibility regulations.

It covers:

  • Writing accessible documents
  • Making non-HTML documents accessible
  • Creating a PDF/A for archiving purposes
    • To save a PDF/A in Word, click Save As, change Save as type to PDF, click Options and tick 'PDF/A compliant'

The authors and National Standards Assurance Board accept that there is still a place for PDF documents, especially for archival purposes, but to ensure they are accessible in the future, they should be stored as PDF/A not the normal PDF format.

[Added September 2021]

Published 01/07/2021
Authoring body: Government Digital Services (GDS) & Central Digital and Data Office (CDDO)
Guidance
Resource
Minimum standards schedule for the Retention and Disposal of Police Records (2020 v4)

The NPCC Guidance on The Minimum Standards for the Retention and Disposal of Police records has been produced by the NPCC Records Management Working Group to assist police forces in their statutory responsibility to comply with the Data Protection legislation (GDPR EU 2016/679 and Data Protection Act 2018), The Code of Practice on the Management of Police Information (2005) and other legislative requirements.

It contains

  • The responisibilities for records retention and disposal
  • Risks
  • Benefits of a retention schedule
  • Management of Police Information (MoPI)
  • Maintenance
  • Records Retention Tables for:
    • Assets & products
    • Crime and Case files
    • Detecting
    • Finance
    • Information
    • Organisation, Programmes & Projects
    • People
    • Preventing
    • Property
    • Prosecution

[Added September 2021] 

Published 13/11/2020
Authoring body: National Police Chiefs Council (NPCC)
Standards
Resource
ISO 17025:2017 General requirements for the competence of testing and calibration laboratories

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. BSI provide the documentation and appropriate licensing.

This standard is used to confirm or recognize the competence, impartiality and consistent operation of laboratories. It applies to all organizations performing tests and/or calibrations, including first, second and third-party laboratories.

Who is this standard for?

  • Laboratories where testing and/or calibration is part of inspection or product certification
  • Laboratory customers
  • Testing organizations
  • Regulatory authorities
  • Accreditation bodies
  • Organizations and schemes using peer assessment

Why should you use this standard?

It specifies general requirements for the competence, impartiality and consistent operation of laboratories. It looks at all of the requirements that testing and calibration laboratories and testing organizations have to meet to prove that they operate a quality system; are technically competent; and can generate technically valid results. It applies to all organizations performing laboratory activities, regardless of the number of personnel.  

What’s changed since the last update?

This standard had not been revised since 2005. This technical revision cancels and supersedes the previous edition and has made three main changes:

  1. A definition of “laboratory” has been added
  2. Risk-based thinking has been applied, enabling some prescriptive requirements to be replaced by performance-based requirements 
  3. There is greater flexibility in the requirements for processes, procedures, documented information and organizational responsibilities
Published 01/01/2017
Authoring body: International Standards Organisation (ISO)
Standards
Resource
Frontline Digital Mobility - Connection Types

This guidance will explore the main connection types used by frontline officers and staff, whilst making recommendations about security and appropriate use. This guideline focuses on assisting forces to maximise their use of public 3G/4G (LTE) data networks prior to the delivery and adoption of the Emergency Service Network Data Services. This guideline does not cover voice services delivered over any of these networks.

Published 01/02/2020
Authoring body: Digital Policing Portfolio (DPP)
Guidance
Resource
Frontline Digital Mobility - Peripheral Keyboards

There are many types of keyboards available in the market place with many variances in terms of specification, features and of course price. This guidance explores these variances and makes recommendations (see section 4. Recommendations, page 2) to help forces make informed selections so as to accelerate their mobility maturity.

Published 01/02/2020
Authoring body: Digital Policing Portfolio (DPP)
Guidance
Resource
Frontline Digital Mobility - Portable Hotspots

Portable hotspots are a tried and tested peripheral. Advances continue to make them faster, better and smaller. There are many types of portable hotspots available in the market place with many variances in terms of specification, features and of course price. This guideline explores these variances and makes recommendations (see section 4. Recommendations, page 3) to help forces make informed selections to accelerate their mobility maturity.

Published 01/02/2020
Authoring body: Digital Policing Portfolio (DPP)
Guidance
Resource
Frontline Digital Mobility - Portable Power Banks

Portable power banks are a tried and tested peripheral. Advances continue to be made to make them faster, better and smaller. Yet there are many types of power banks available in the market place with many variances in terms of specification, features and of course price. This guideline explores these variances and makes recommendations (see section 4. Recommendations, page 3) to help forces make informed selections so as to accelerate their mobility maturity.

Published 01/02/2020
Authoring body: Digital Policing Portfolio (DPP)
Guidance
Resource
Frontline Digital Mobility - Laptop shells

A laptop shell is simply a laptop with no internal computing power, this is provided by connecting a smartphone to the laptop, which is then 'driven' by the keyboard, mouse and screen of the laptop 'shell'.

This guideline looks at the variances in terms of specification, features and price between the laptop shells currently available for pre-order. It explores the capabilities that a connected premium smartphone must have, such as DisplayPort and an appropriate “desktop mode”. Finally recommendations are made for forces who wish to be early adopters of this still immature technology (see section 4. Recommendations, page 4).

Published 01/02/2020
Authoring body: Digital Policing Portfolio (DPP)
Guidance
Resource
NPCC Digital Imaging and Multimedia Procedure (Version 3)

This document covers digital multimedia, inclusive of picture, video and audio in the proper capture and handling of digital data for police applications. This represents best practice to benefit the Police Service and Criminal Justice System (CJS).

Following the process set out within this document helps enhance the integrity of proper evidential gathering processes whilst reducing the risk of malicious manipulation. 

 

Published 01/01/2020
Authoring body: National Police Chiefs Council (NPCC)
Guidance
Resource
National Standard for Incident Recording

This document contains the National Incident Category List (NICL) and the principles, guidance and definitions for the National Standard for Incident Recording (NSIR). NSIR was introduced to replace the wide variety of incident recording (and non-recording) that differed from force to force so that common understanding and recording practices would result in effective data provision and use. NSIR now supports effective recording of over 80% of calls 
for service, ranging from messages to major incidents. 


The NPIA conducted a full review of NSIR in 2009 on behalf of ACPO. This review recommended that NSIR was rationalised and simplified. The NPIA, working closely with the Home Office and Her Majesty’s Inspectorate of Constabulary (HMIC), have moved the focus of NSIR from incident recording to risk 
assessment at the front end of service delivery. This aims to support improved identification and management of risks, threats to safety, vulnerability and repeat victims, particularly in relation to anti-social behaviour (ASB). 

This document was reviewed by the National Standard Assurance Board in September 2021 and was found to be the most up to date document available, still supported by the NPCC

Published 01/01/2011
Authoring body: National Police Improvement Agency (NPIA)
Principles
Resource
ALGOCARE - Algorithm assessment tool

ALGO-CARE has been created for policing to use as a decision-making framework for the deployment of algorithmic assessment tools in the policing context. This helps translate key public law and human rights principles into practical considerations and guidance that can be addressed by public sector bodies. Concerns around transparency and accountability cannot be addressed by a one-size-fits-all approach. The factors identified by Algo-care necessitate the careful drafting of procurement contracts with third party software suppliers to require disclosure of algorithmic workings in a way that would facilitate investigation.

ALGO-CARE is endorsed by the NPCC Business Change Council and the NPCC lead for Data Analytics. This was reviewed in September 2021 and found to still be current.

Published 01/09/2018
Authoring body: Oswald Grace Urwin & Barnes
Principles
Resource
Digital Processing Notices (NPCC extraction of digital content from devices guidance)

These Digical Processing Notices (DPN) provide the basis for the minimum recommended level of information to be both captured and provided to victims, witnesses and suspects by police forces. These forms replace those issued in 2019, to better implement the principles set out in the 2020 Bater-James ruling.

  • DPNa - Devices taken from victims/witnesses (capture template and information for victims/witnesses)
  • DPNb - Victim/witness Frequently Asked Questions (Information for victims/witnesses)
  • DPNc - Devices taken from suspects (capture template and information for suspects

The guidance at the end of each section is particularly relevant on how to best implement these requirements into a solution.

Published 25/10/2021
Authoring body: National Police Chiefs Council (NPCC)
Reference Data / Templates
Resource
Joint Crown Prosecution Service (CPS) & Police Principles for Redaction

This document contains the agreed principles for redaction of information from digital (and physical) material by police for legal or security reasons. Material includes statements, documentary exhibits, audio and video recordings, digital material, and other sources of information such as crime reports. 

Effective redaction allows police and CPS to share and serve relevant information whilst complying with the Data Protection Act 2018 (DPA) and the Criminal Procedure and Investigation Act 1996 (CPIA 1996) / CPIA Code of Practice (CPIA Code) whilst protecting and safeguarding personal and sensitive data.

Published 01/08/2021
Authoring body: National Police Chiefs Council (NPCC) / Crown Prosecution Service (CPS)
Principles
Resource
Police Assured Landing Zone (PALZ) Amazon Web Services (AWS) Blueprint

The AWS Police Assured Landing Zone (PALZ), is a set of configuration, code, security model and design decision rationale artefacts created specifically for policing workloads.  The goal is to enable policing organisations to get started using cloud services more quickly, with confidence that they are implementing an assured set of baseline controls, reviewed by National Police Technology Council (NPTC), Police Digital Service (PDS) and National Police Information Risk Management Team (NPIRMT). These control documents are available in the PALZ documentation set. This will allow them to focus their efforts on activities and assurances unique to their workloads.

PALZ provides a landing zone with a multi-account structure aligned with AWS best practice including standardised AWS account and organisational unit (OU) structure, best-practice centralised networking and additional preventative and detective guardrails. It also provides a series of AWS Service Catalogue portfolios and products, which provide a self-service capability that greatly simplifies tasks such as the provisioning of new AWS accounts and the creation of private networks within an AWS account. Finally, PALZ integrates with a number of AWS security services to provide dashboards and alerts which support ongoing compliance monitoring, plus alignment to NEP designs for IAM and NMC.

PALZ has been through the NPTC “Security by Design” process. This process identifies key design decisions which are related to form a series of risks identified with common policing data. NPTC have used an independent third-party assessor to review the design decisions and generate the assurance documentation. This has been reviewed by the Police assuror, National Police Information Risk Management Team (NPIRMT), to approve the security controls and the solution design.

Note: This blueprint is marked OFFICIAL-SENSITIVE, for enquiries on access please contact the National Standards team who can put you in touch with the relevant team

Published 01/06/2021
Authoring body: Amazon / Police Digital Service (PDS)
Reference Data / Templates
Resource
Management of Police Information (MoPI) APP

This Authorised Professional Practice (APP) provides guidance to forces on meeting the requirements of the Management of Police Information (MoPI) Code of Practice in relation to the review, retention and disposal of policing information and records. This APP is supplemented by the Manual of Guidance, which provides a further level of operational data.

Police information refers to all information obtained, recorded or processed for a policing purpose. The Management of Police Information (MoPI) authorised professional practice (APP) provides a framework and guidelines for managing police information, complying with the law and managing risk associated with police information including data retention.

  • Policing information is information held for a policing purpose. The MoPI Code of Practice definition of ‘policing purpose’ is:
    • protecting life and property
    • preserving order
    • preventing the commission of offences
    • bringing offenders to justice
    • any duty or responsibility of the police arising from common or statute law
  • Corporate information includes other organisational information, such as HR or finance records, minutes of meetings, policies and procedures.

There is further information on compliance with the Freedom of Information Act.

It should also be noted that the retention periods for biometric data are governed by the Protection of Freedoms Act 2012 and sit outside this APP.

Published 06/05/2020
Authoring body: College of Policing (CoP)
Guidance
Resource
ACPO Good Practice Guide for Digital Evidence (Version 5)

This ACPO guide contains a set of golden principles for management of digital evidence and guidance on each stage in the evidence lifecycle: Plan, Capture, Analyse and Present. This guide represents good practice across a broad digital forensic landscape for policing.

Although dated, this guide has been reviewed in March 2021 by the National Standards Assurance Board and deemed current and relevant.

Published 01/03/2012
Authoring body: Association of Chief Police Officers (ACPO)
Guidance
Resource
National Policing Digital Strategy 2020-2030

The National Policing Digital Strategy sets out a new digital ambition for UK policing. It presents a set of tangible digital priorities and outlines the key data and technology building blocks required to deliver them. 

The strategy contains 5 priorities:

  1. Seamless citizen experience
  2. Addressing harm
  3. Enabling officers & staff through digital
  4. Embedding a whole public system approach
  5. Empower the private sector
Published 01/01/2020
Authoring body: Police Digital Service (PDS)
Principles
Resource
Automatic Number Plate Recognition Regulation 109 Supplier Specification (Version 2.2)

This document's aim is to clearly define to suppliers of in-car ANPR software the minimum requirements to meet Regulation 109 (as amended by the Vehicle Special Order - VSO) whilst at the same time maintaining operational effectiveness and officer safety. Going forwards in this document this version of software will be referred to as ‘Regulation 109 compliant’.


This covers any ANPR system with a screen viewable by the driver, for example bespoke in-car system, tablet device, mobile phone, this will be referred to as an in-car system.
 

Published 01/10/2021
Authoring body: Home Office
Standards
Resource
National ANPR Standards for Policing and Law Enforcement

These standards articulate the requirements with which the police and other Law Enforcement Agencies (LEA) must comply to access the National ANPR Capability (NAC). This document includes a description of the legal basis for ANPR as well as the applicability of these standards. The standards comprise three main sections: Data Standards, Infrastructure Standards and Data Access and Management Standards.

Published 01/11/2020
Authoring body: Home Office
Standards
Resource
National standards for compliance and audit of law enforcement ANPR

This document contains information on the auditing of ANPR systems, including audits of data standards, infrastructure, data access and management, and local systems.

Published 01/09/2020
Authoring body: Home Office
Standards
Resource
National ANPR Technical Standards

This document prescribes the technical specifications for data within the National ANPR Service (NAS). The information within this document is intended to support compliance and consistency in the operation and management of NAS by the police and other law enforcement organisations.

Published 01/05/2021
Authoring body: Home Office
Standards
Resource
Digital Asset Management System (DAMS) Standards

DAMS has been identified as a critical capability for the management and use of digital material within policing. This infographic describes the DAMS lifecycle, providing a high level explanation of the design, development and implementation stages of delivering a DAMS system. The supporting documents referred to in this document are currently going through a review and refresh. 

Use the Contact Us tab at the top of the page to request further details.

Published
Authoring body: College of Policing
Standards
Resource
Archiving of records in the public interest APP

This APP provides context for forces using the Information and Records Management Code of Practice to enable them to develop nationally consistent approach to identifying the proper regime of management and archiving for information records.

This guidance helps forces with the identification of records for long-term archiving and advises on how those records should be managed throughout their lifecycle, again securing consistency of approach.

Compliance with the Code and APP should help to increase the public’s confidence in how their information is handled.

Use the Contact Us tab at the top of the page to request further details.

 

Published
Authoring body: College of Policing (CoP)
Guidance
Resource
Records Management Code of Practice

The Code provides high-level standards for information and records management (in the form of seven principles), as well as other supporting standards, such as personnel and organisational capabilities. It will also drive consistency in the way that forces manage their information and records.

 

Use the Contact Us tab at the top of the page to request further details.

Published
Authoring body: College of Policing (CoP)
Standards
Resource
Live Facial Recognition APP

Guidance for the overt deployment of live facial recognition technology to locate persons on a Watchlist. This is currently in draft format and is to be circulated to external stakeholders for consultation prior to submission to National Standards Assurance Board for publication on the platform.

Use the Contact Us tab at the top of the page to request further details.

Published
Authoring body: College of Policing (CoP)
Guidance