to add a new content
Resource
Cyber Security Architectural Principles

This document provides all National Policing and its partners with a clear set of security architectural principles, which are the foundation to build, design and implement secure solutions.

Published 01/05/2023
Authoring body: PDS
Principles
Resource
Data Protection

On the 25th May 2018 the Data Protection Act 2018 was implemented by the UK as the General Data Protection Regulation also known as GDPR. It controls how personal information is captured and used by organisations and the government.

Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’ and must ensure that the information they obtain is for a lawful purpose, used fairly and must be transparent about its intended purpose of usage and used explicitly for that purpose only.

Data should also not be kept for more than is necessary, and whilst it is kept, should be kept up to date and handled and secured in a way that does not compromise its protection from unauthorised processing, loss of theft of data.  

It is important to note that there is stronger legal protection for more sensitive information such as race, health, sex life, orientation, ethnic background. There are separate safeguards for personal data relating to criminal convictions and offences.

Under the Data Protection Act 2018, an individual has the right to find out what information the government and other organisations holds about them and this ideally should be provided to the individual within 1 month.  

To make a complaint about the misuse of personal information or lack of security it should be made to the organisation, following their response the complaint can also be made to the Information Commissioner’s Office.

ICO
casework@ico.org.uk
Telephone: 0303 123 1113

Published 01/01/2018
Authoring body: Information Commissioner's Office (ICO)
Principles
Resource
Equality Act 2010: Guidance (2015)

The Equality Act 2010 replaced previous anti-discrimination laws with a single Act. It protected people from discrimination, age discrimination and public sector Equality Duty, sets out the different ways in which the maltreatment of an individual can be unlawful.

The Equality Act 2010 provides a basic framework of protection against direct and indirect discrimination, harassment and victimisation in services and public functions, work, education, associations and transport, protection against indirect discrimination to disability, allowing claims for direct gender pay discrimination where there is no actual comparator and much more.

Before the Act came into force there were several pieces of legislation to cover discrimination, including:

  • Sex Discrimination Act 1975

  • Race Relations Act 1976

  • Disability Discrimination Act 1995

Complaints made about unlawful treatment, that happened after the 1st October 2010, the Equality Act will apply. However if was before this date, then the legislation that was in force at the time will apply.

The Equality Act 2010 includes provisions that ban age discrimination against adults in the provision of services and public functions. It also includes the public sector Equality Duty public bodies have to consider all individuals when carrying out their day-to-day work – in shaping policy, in delivering services and in relation to their own employees.

Published 01/01/2015
Authoring body: Government Equalities Office
Policy
Resource
Regulation of Investigatory Powers Act 2000 (RIPA)

The regulation of Investigatory Powers Act 2000 relates to the interception, acquisition and disclosure of data relating to communications, the carrying out of surveillance, the use of covert human intelligence sources and the acquisition of the means by which electronic data protected by encryption or passwords may be decrypted or accessed.

There are three main ways of surveillance and covert human intelligence

  1. direct surveillance

  2. intrusive surveillance

  3. use of covert human intelligence sources

Non-intrusive covert surveillance can be undertaken for a specific investigation, operation or purpose. Its result is to obtain private information about a person (whether or not one specifically identified for the purposes of the investigation or operation)

Intrusive surveillance is carried out either in a residential premises or private vehicle; and involves the presence of an individual on the premises or in the vehicle or is carried out by means of a surveillance device.

Human intelligence source is inducing, asking or assisting a person to obtain information by means of the conduct of such a source. This is achieved by establishing a personal or other relationship with a person for the covert purpose and covertly discloses information obtained by the use of such a relationship, or as a consequence of the existence of such a relationship.

Published 01/01/2000
Authoring body: Her Majesty’s Stationery Office (HMSO)
Principles
Resource
Criminal Procedure & Investigations Act 1996 Code of Practice

The Criminal Procedure and Investigations Code of Practice applies in respect of criminal investigations conducted by police. A criminal investigation can be defined an investigation conducted by police officers with a view to it being ascertained whether a person should be charged with an offence, or whether a person charged with an offence is guilty of it. 

This document sets out the manner in which police officers are to record, retain and reveal to the prosecutor material obtained in a criminal investigation.

The roles and responsibilities within a criminal investigation can vary. The functions of the investigator, the officer in charge of an investigation and the disclosure officer are separate. The amount of persons attached to this case to fulfil the above roles will depend on the complexity of the case and the administrative arrangements within each police force. Commonly, where there are more than one person undertaking the roles, close consultation between them is essential to the effective performance of the duties imposed by this code. 


Persons other than police officers who are charged with the duty of conducting an investigation as defined in the Act are to have regard to the relevant provisions of the code, and should take these into account in applying their own operating procedures. 


Published 01/01/2015
Authoring body: Ministry of Justice (MoJ)
Standards
Resource
DNA and Fingerprint Provisions

Protection of Freedoms Act 2012: DNA and fingerprint provisions was introduced in October 2013 to cover the retention of DNA and fingerprints where it was ruled in the European Court in the case of S and Marper v UK that the blanket retention of DNA profiles taken from innocent people posed a disproportionate interference with the right to private life.

The protection of Freedoms Act strikes a balance between protecting the freedoms of those who are innocent of any offence whilst ensuring that the police continue to have the capability to protect the public and bring criminals to justice. 

A DNA sample is an individual’s biological material, containing all of their genetic information. The act requires all DNA samples to be destroyed within 6 months of being taken. This allows sufficient time for the sample to be analysed. The only exception to this is if the sample is required for use as evidence in court, in which case it may be retained for the duration of the proceedings.

Fingerprints are usually scanned electronically from the individual in custody and the images stored on IDENT1, the national fingerprint database.

For Scotland, the legal acquisition, retention, weeding and use of DNA and Fingerprint data is outlined in Sections 18 to 19C of the Criminal Procedure (Scotland) Act 1995 - https://www.legislation.gov.uk/ukpga/1995/46/part/II/crossheading/prints-and-samples

Published 01/01/2019
Authoring body: Home Office
Policy
Resource
Website and application accessibility regulations and guidance

Public sector organisations need to think about accessibility at every stage and ensure they meet the Web Content Accessibility Guidelines (WCAG 2.1) design principles. The Public Sector Bodies (Websites and Mobile Applications) Accessibility Regulations 2018 are now active and applicable to all public sector organisations, including policing, and this guidance has been created to support organisations meeting the requirements for all new and existing websites or applications.

The guidance is split into several sections:

1. Decide how to check the accessibility problems on your website or mobile app
2. Make a plan to fix any accessibility problems
3. Publish your accessibility statement
4. Make sure new features are accessible

The main theme throughout is that accessibility should be considered on how people with impairments to their sight, hearing, movement, memory or thinking may use the website/app. Regular tests should be carried out from the point code writing even through the public beta stage and at every time a new feature is added.

The best way to meet accessibility requirements is to:

  • think about accessibility requirements from the commencement

  • run accessibility tests regularly throughout development

  • get a formal accessibility audit before you go into public beta

  • make sure the service works with the most common assistive technologies - screen readers or speech recognition software

  • test the service with disabled users and with older users

Legislation link: https://www.legislation.gov.uk/uksi/2018/852/contents/made

Published 01/01/2019
Authoring body: Government Digital Services (GDS)
Guidance
Resource
Cyber System Management Standard v1.0

This standard defines the requirements which, when applied, will assist with the secure management of systems and networks.
This standard adheres to the National Policing Community Security Policy Framework and is a suitable reference for community members, notably those who build and implement IT systems on behalf of national policing.
This standard adheres to the National Policing Community Security Policy Framework and is a suitable reference for community members, notably those who build and implement IT systems on behalf of national policing.

Published 01/01/2024
Authoring body: PDS
Standards
Resource
Application Management Standard v1.0

This Standard is intended to guide the reader through the process of securely managing business applications both internally developed and externally sourced, regardless of whether locally installed or cloud based. Centred around stocktaking, documenting and actively managing those applications, this standard should enable the visibility of all business utilised applications, ensuring all are appropriately assessed for risk, appropriately licensed and managed in such a way as to not introduce cyber security risk going forward.

Published 01/11/2023
Authoring body: PDS
Standards
Resource
Business Continuity v1.0

This Standard specifies the minimum requirements regarding business continuity. It aims to provide PDS (Police Digital Service) and policing with clear direction to implement a business continuity strategy, enabling operations and services to endure adverse events.

Published 01/11/2023
Authoring body: PDS
Standards
Resource
Vulnerability Management v1.0

This standard supports the policy set out in the National Community Security Policy, providing requirements for those designing, building and running IT services and managing vulnerabilities within PDS & policing systems.

Published 01/11/2023
Authoring body: PDS
Policy
Resource
Information Management v1.0

This Standard defines the requirements to implement Information Management as mandated in the National Community Security Policy. It encompasses the management of policing information within the OFFICAL tier of the Government Security Classification model.

Published 01/12/2023
Authoring body: PDS
Standards
Resource
Cyber Threat and Incident Management v1.0

This Standard specifies the minimum requirements regarding cyber threat and incident processes and actions. It aims to provide PDS (Police Digital Service) and policing with clear direction to manage threat, vulnerabilities and incidents associated with cyber-attacks and cyber incidents.

Published 01/12/2023
Authoring body: PDS
Standards
Resource
Covenant for Using Artificial Intelligence (AI) in Policing

The rapid growth of Artificial Intelligence (AI) within policing is unsurprising. The speed and accuracy that AI can bring to police processes make it an attractive way to deliver an effective and efficient service. However, the application of AI can be contentious[i]. Transparency and fairness must be at the heart of what we implement, to ensure a proportionate and responsible use that builds public confidence.

This Covenant outlines a set of principles that forces have agreed will define how it uses AI in its business. They were endorsed by all members of the National Police Chiefs’ Council on 28 September 2023. The endorsement means that all developers and users of AI within policing must give due regard to the Covenant’s principles. Whilst the implementation of these principles across policing will be an ongoing and evolving area of work, publication of our principles ensure we are acting with transparency from the outset.

Published 01/09/2023
Authoring body: NPCC
Principles
Resource
Physical asset Management standard

The standard aims to ensure that physical assets are acquired securely, configured properly, maintained regularly, and disposed of safely and securely, while ensuring the confidentiality, integrity, and availability of the information they handle. By adopting this standard, organisations can ensure that they are protecting their assets against potential threats, mitigating risks, and complying with regulatory requirements.

Published 01/02/2024
Authoring body: PDS
Standards
Resource
Cyber Technical Security Management Standard v1.0

This Standard specifies the minimum requirements regarding technical security management. It describes the requirements to enable members of the community of trust to build and operate an effective technical security infrastructure, applying security architecture principles and integrating technical security solutions, such as malware protection, intrusion detection and cryptography.

Published 01/01/2024
Authoring body: PDS
Standards
Resource
Cyber Network Security Standard v1.0

This standard supports the policy set out in the National Community Security Policy, providing requirements for those designing, building and running network services within PDS & policing systems. This standard details a minimum set of security requirements and controls that must be met to ensure security and segregation of network services. Consideration is given to the following areas network device configuration, physical network management, wireless access, external network connections, firewalls and remote maintenance.

Published 01/01/2024
Authoring body: PDS
Standards
Resource
Digital Case File Data Requirements 1.0.0

This document was retired in July 2021

The purpose of this document and standard is to detail the information requirements for the content of the digital case file to be transferred by forces to the Crown Prosecution Service (CPS).

The Digital Case File (DCF) Data requirements document help to define the structured case information and case summary required by the CPS for a first hearing, including that which must be served on to the court, defence and self-represented defendant as Initial Details of the Prosecution Case (IDPC). It also to define the content and data structure of the DCF, as required by the CPS and provided by the police for a case summary listed for a first hearing in the Magistrates Court.

This includes:

  • For all offences listed for a first hearing in the Magistrates Court by way of a charge sheet, summons or requisition.

  • To be used post-charge following either a police charge or cps pre-charge advice decision.

  • To be used for cases containing multiple defendants and offences.

  • For both anticipated guilty and not-guilty pleas.

  • For breach of bail (BoB) hearings.

Published 01/01/2015
Authoring body: Criminal Justice System (CJS)
Standards
Resource
National Digital Case File Standards

The Digital Case File national programme has established standards for how a case file is built and sent to the Crown Prosecution Service through collaboration with suppliers and police forces. 

This programme works with a number of organisations, such as the CPS, law enforcement agencies and suppliers to produce a set of standards, which suppliers can then use to produce compatible solutions, allowing law enforcement agencies to send case files digitally to CPS . This is the national standard required for any technical digital case file solution.

This DCF programme is being implemented in police forces now and the attached documents liable to be updated as it progresses.

The National Standards Assurance Board notes that the branding is CGI on the standards as this is reflective of their work in writing them, but this has been in partnership with policing who own and continue to contribute towards them.

Published 01/04/2021
Authoring body: Police Digital Service (PDS)
Standards
Resource
Police Approved Secure Facilities (PASF) security review checklist (v1.8)

Please note this is an OFFICIAL-SENSITIVE document, to request access please use the 'Contact Us' tab to raise a general query

This checklist covers the range of security measures to be assessed when reviewing how appropriate a premises is for handling police data. This can be used for both police premises but also suppliers premises, where they are handling or hosting data.

 

Published 01/06/2020
Authoring body: National Police Information Risk Management Team (NPIRMT)
Reference Data / Templates
Resource
National Policing Community Security Policy v1.0

National Policing will maintain public trust by securing our data and by applying a consistent, proportional approach to technology risk across policing. The Community Security Policy (CSP) is an integral part of the Community Security Policy Framework and combined with Community Security Principles and the supporting standards, control objectives and other supporting documentation will help policing maintain public trust in its management of information assets. This Policy should be read in conjunction with the National Policing Community Security Policy (CSP) Framework, and Community Security Principles with which this policy is aligned. The audience, scope, objectives, governance and exception process for this policy are defined by the National Policing Community Security Policy Framework, which can be found in Knowledge Hub. For clarity this policy has been approved by the Police Information Assurance Board (PIAB) and applies to all members of the ‘Community of Trust’ as defined by the National Policing Community Security Policy Framework, and any suppliers and partners that have access to, store and/or process Police information, to provide services to Policing. This policy has taken into consideration and is aligned with industry best practice, which includes ISO/IEC 27002:2022, CIS Controls v8 (Center for Information Security), NIST Cyber Security Framework, CSA Cloud Controls Matrix v4 (Cloud Security Alliance) and NCSC 10 Steps to Cyber Security.

Published 26/10/2022
Authoring body: The Police Digital Service
Policy
Resource
National Policing Community Security Policy Framework v1.0

National Policing will maintain public trust by securing our data and by applying a consistent, proportional approach to technology risk across policing. The National Policing Digital Strategy 2030 is built upon the 2025 Policing Vision to provide the foundations for Policing to deliver the National Digital Strategic objectives. In the future we will exchange more data and information with partners, adopt new connected technologies and move to cloud-based infrastructures. The move to a more open ecosystem cannot be at the expense of information security. This framework defines the holistic approach to information and technology risks by aligning to Government Security standards, guidance from the National Cyber Security Centre (NCSC) and industry best practice. The National Policing Community Security Policy Framework supports a proportionate baseline standard of cyber security for National Policing to deliver its operational and strategic objectives. As the cyber threat landscape facing the UK Police forces continues to evolve, so must the means by which forces maintain their security posture. The purpose of the National Policing Community Security Policy Framework is to provide the structure for information security for National Policing, suppliers, and partners to carry out their services securely. The National Policing Community Security Policy Framework, this document, will be referred to as the ‘Framework’ throughout this document. The scope of the ‘Framework’ applies to both this document and the supporting National Policing Information Security Policy and National Policing Information Security Principles that underpin the framework. Membership of the established ‘Community of Trust’ built under the original Community Security Policy, which is replaced by this framework and its supporting policy and principles, now requires alignment to this framework and its underlying policy and principles.

Published 26/10/2022
Authoring body: The Police Digital Service
Guidance
Resource
System Development Standard

This standard outlines the functions within the Secure By Design (SbD) process, aligned to project stages, to ensure a consistent approach to cyber security is achieved throughout a system’s development. The purpose of this standard is to define an approach to ensure that all products / solutions are assured in a repeatable, structured and consistent way. This will enable security controls to be designed into solutions at an early stage, ensuring the secure delivery of solutions across policing, whilst identifying and managing risk to within risk appetite.
This standard adheres to the National Policing Community Security Policy Framework and is a suitable reference for community members, notably those who build and implement IT systems on behalf of national policing.

Published 01/09/2023
Authoring body: Police Digital Service
Standards
Resource
National Policing Community Security Principles V1.3

This document provides all National Policing and its partners with a clear set of information security principles, which are the foundation to all information security activity.

Published 01/10/2023
Authoring body: Police Digital Service
Principles
Resource
National Policing Community Security Policy v1.3

This Policy provides confirmation of management intent, in support of the Community Security Principles. This Policy will define how the principles are to be achieved, at a high level. Detail to support this Policy will be in the form of standards, control objectives and other supporting documentation.

Published 01/10/2023
Authoring body: Police Digital Service
Policy
Resource
National Policing Community Security Policy Framework v1.3

This framework provides all National Policing and its partners with a clear guide of how information security policies and standards work in National Policing, the objectives of the framework, whom the framework and its supporting policy and principles apply to, whom has accountability for information security and risk and how policies will be governed.

Published 01/10/2023
Authoring body: Police Digital Service
Policy
Resource
Artificial Intelligence

This standard brings together a set of control requirements for the use of Artificial Intelligence (AI) in policing. To help the reader in this new area, Artificial Intelligence has been defined, along with a number of its sub-categories. This standard has an additional section targeted at developers and data scientists, to provide more detailed guidance, when developing AI-based solutions.
This standard adheres to the National Policing Community Security Policy Framework and is a suitable reference for community members, notably those who build and implement IT systems on behalf of national policing.

Published 01/09/2023
Authoring body: Police Digital Service
Standards
Resource
Vetting Requirements for policing

This guidance describes the vetting requirements for access to Policing assets including premises, information, and information systems. This document should be read in conjunction with the Statutory Vetting Code of Practice and Authorised Professional Practice on Vetting.

Published 01/10/2023
Authoring body: Police Digital Service
Guidance
Resource
Tik Tok Standard

This standard provides direction on the use of TikTok across policing, in accordance with the latest guidance provided by the Cabinet Office.

Published 01/08/2023
Authoring body: Police Digital Service
Standards
Resource
Security Management Standard v1.0

This standard describes the requirements to implement and maintain an effective cyber security management system as required by the National Policing Community Security Policy Framework.
Implementation of this standard will help members to ensure that adequate management controls and oversight is in place to mature their cyber resilience.

Published 01/10/2023
Authoring body: Police Digital Service
Principles
Resource
Security Governance Standard V1.0

This Standard defines the requirements to implement Security Governance as mandated in the National Community Security Policy.

Published 01/10/2023
Authoring body: Police Digital Service
Standards
Resource
Information Assurance Standard V1.0

This Standard defines the requirements to implement Information Assurance as mandated in the National Community Security Policy.
This document describes the requirements to help implement a consistent and structured information security assurance programme, supported by comprehensive security testing (using a range of attack types), penetration tests, and regular security and risk compliance monitoring.

Published 01/10/2023
Authoring body: Police Digital Service
Standards
Resource
National Policing Community Security Policy v1.2

National Policing will maintain public trust by securing our data and by applying a consistent, proportional approach to technology risk across policing. The Community Security Policy (CSP) is an integral part of the Community Security Policy Framework and combined with Community Security Principles and the supporting standards, control objectives and other supporting documentation will help policing maintain public trust in its management of information assets. This Policy should be read in conjunction with the National Policing Community Security Policy (CSP) Framework, and Community Security Principles with which this policy is aligned. The audience, scope, objectives, governance and exception process for this policy are defined by the National Policing Community Security Policy Framework, which can be found in Knowledge Hub. For clarity this policy has been approved by the Police Information Assurance Board (PIAB) and applies to all members of the ‘Community of Trust’ as defined by the National Policing Community Security Policy Framework, and any suppliers and partners that have access to, store and/or process Police information, to provide services to Policing. This policy has taken into consideration and is aligned with industry best practice, which includes ISO/IEC 27002:2022, CIS Controls v8 (Center for Information Security), NIST Cyber Security Framework, CSA Cloud Controls Matrix v4 (Cloud Security Alliance) and NCSC 10 Steps to Cyber Security.

Published 09/02/2023
Authoring body:
Policy
Resource
National Policing Community Security Principles v1.2

Principles are general rules and guidelines, intended to be enduring and seldom amended, that inform and support and prioritise the way in which National Policing decides which ideas, initiatives and/or opportunities are to be progressed (and warrant investment) and those that are not. These principles are a fundamental part of the National Policing Community Security Policy Framework and provide a foundation upon which a more consistent and structured approach to the design, development, and implementation of information security capabilities can be assembled. The primary focus of these principles is to provide the starting point for, setting the policy, standards and control objectives, which support the Community Security Policy Framework. The audience, scope, objectives, and governance for these principles are defined by the National Policing Community Security Policy Framework, which can be found on Knowledge Hub. For clarity these principles are approved by the Police Information Assurance Board (PIAB) and apply to all members of the ‘Community of Trust’ as defined by the National Policing Community Security Policy Framework, and any suppliers and partners that have access to, store and/or process Police information, to provide services to Policing.

Published 09/02/2023
Authoring body: Police Digital Service
Principles
Resource
National Policing Community Security Principles v1.0

Principles are general rules and guidelines, intended to be enduring and seldom amended, that inform and support and prioritise the way in which National Policing decides which ideas, initiatives and/or opportunities are to be progressed (and warrant investment) and those that are not. These principles are a fundamental part of the National Policing Community Security Policy Framework and provide a foundation upon which a more consistent and structured approach to the design, development, and implementation of information security capabilities can be assembled. The primary focus of these principles is to provide the starting point for, setting the policy, standards and control objectives, which support the Community Security Policy Framework. The audience, scope, objectives, and governance for these principles are defined by the National Policing Community Security Policy Framework, which can be found on Knowledge Hub. For clarity these principles are approved by the Police Information Assurance Board (PIAB) and apply to all members of the ‘Community of Trust’ as defined by the National Policing Community Security Policy Framework, and any suppliers and partners that have access to, store and/or process Police information, to provide services to Policing.

Published 26/10/2022
Authoring body: The Police Digital Service
Principles
Resource
National Policing Community Security Policy Framework v1.2

This framework defines the holistic approach to information and technology risks by aligning to Government Security standards, guidance from the National Cyber Security Centre (NCSC) and industry best practice. The National Policing Community Security Policy Framework supports a proportionate baseline standard of cyber security for National Policing to deliver its operational and strategic objectives. As the cyber threat landscape facing the UK Police forces continues to evolve, so must the means by which forces maintain their security posture. The purpose of the National Policing Community Security Policy Framework is to provide the structure for information security for National Policing, suppliers, and partners to carry out their services securely.

Published 09/02/2023
Authoring body: Police Digital Service
Policy
Resource
Robotic Process Automation Cyber Security Guidance

This guidance describes best practice cyber risk management controls for using Robotic Process Automation (RPA) 
for the purpose of automating manual administrative overheads for National Policing Forces and 
applications. This document only provides guidelines to automating manual processes and is not intended for machine 
learning (ML) or artificial intelligence (AI) derived solutions. Please refer to separate guidelines and standards 
for Digital Process Automation (DPA), AI and ML related activities.

Published 01/07/2023
Authoring body: The Police Digital Service
Guidance
Resource
Safe deployment of TikTok

This guidance provides an overview of approaches to deploy TikTok safely

Published 01/06/2023
Authoring body: The Police Digital Service
Guidance
Resource
National Police Information Security Risk Management Risk Balance Case Template

The National Policing Information Security Risk Management Framework provides the foundations of risk management across policing in line with the Police Cyber Assurance Framework (PCAF). 

This template must be completed in conjunction with the National Security Risk Management Framework and Guidance.

The Risk Decision Document should be a single document that outlines any national risk, and the recommended measures for mitigating it. The template is organised into sections, each containing specific guidance points on content to be included.

Published 01/05/2023
Authoring body: The Police Digital Service
Reference Data / Templates
Resource
National Police Information Security Risk Management Guidance

The National Policing Information Security Risk Management Framework provides the foundations of risk management across policing in line with the Police Cyber Assurance Framework (PCAF). This guidance supports the risk management framework by detailing the actions required to firstly assess a risk, and then to manage it via the national risk register. This guide must be read in conjunction with the National Security Risk Management Framework.

Published 01/05/2023
Authoring body: The Police Digital Service
Standards
Resource
National Police Information Security Risk Management Framework

This framework is to ensure that all security risks are identified, assessed, and managed in accordance with best practice in order to facilitate improved governance. It is mandatory for all information systems that hold Police information or which deliver an operational service to policing to undergo a risk assessment, as stipulated in the National Policing Community Security Policy. The Security Risk Management Framework mutually supports the Police Cyber Assurance Framework (PCAF). The framework supports the requirements of the National Community Security Policy (NCSP.)

Published 01/05/2023
Authoring body: The Police Digital Service
Guidance
Resource
POLE Data Standards Catalogue v1.0

The intended purpose of this standard is to promote interoperability and improve the data quality of systems by converging on a common set of POLE data definitions used within Policing. POLE data definitions describe how People, Objects, Locations and Events (POLE) should be formatted. 

There are 44 POLE entities described in this standard including:

  • 20 person entities
  • 13 object entities
  • 5 location entities
  • 6 event entities

The standard defines the attributes (field size, format, type) used to create the entities and contains and “entity x attribute map”. It also contains validation rules for these attributes.

This standard is owned by the National Police Chiefs Council (NPCC) and should be regarded as the default data standard for all POLE entities.

Along with the standard, the POLE data model (POLE v1.1.accdb) and data dictionary (POLE data standards - Data dictionary v1.1.xlsx) are also attached below. 

 

Published 25/08/2022
Authoring body: Police Digital Service (PDS)
Standards
Resource
IDENTITY AND ACCESS MANAGEMENT STANDARD

This standard defines the requirements which, when applied, will define identity and access management 
standards to national policing IT systems. Areas considered include account management, access control 
mechanism, privilege access, account provisioning, account review, access suspension and termination, 
guest accounts, third party access and audit requirements. 
This standard adheres to the National Policing Community Security Policy Framework and is a suitable 
reference for community members, notably those who build and implement IT systems on behalf of 
national policing.
This standard also relates to other PDS standards such as passwords, system access, PAM, vetting, which 
the audience should also consider

Published 01/05/2023
Authoring body: Police Digital Service (PDS)
Standards
Resource
Bluetooth Guidance V1.0

This guidance provides policing and law enforcement organisations with relevant information regarding risks associated with deploying Bluetooth technology within the workplace, and to enhance the risk-based decisions required in the use of such technology. This guidance adheres to the National Policing Community Security Policy Framework and is a suitable reference for community members, notably those who build and implement IT systems on behalf of national policing.

Published 01/04/2023
Authoring body: The Police Digital Service (PDS)
Guidance
Resource
Cryptography Standard v 1.0

The purpose of this standard is to establish a set of cryptographic algorithms and protocols for use in specific applications for the transmission and storage of Police Data up to the classification of OFFICIAL. The requirements are the minimum acceptable levels of encryption and are aligned to the NIST and NCSC frameworks and are applicable to cloud environment, on premises environments and the data networks that interconnect them.

Published 25/05/2023
Authoring body: The Police Digital Service (PDS)
Standards
Resource
Third Party Assurance for Policing (TPAP)

This Standard is to ensure that all third party suppliers are examined to fully understand their overall security posture and how that may impact upon Policing, ensure they fully understand the responsibilities they have in looking after policing data, that elements such as the importance of vetting and the cyber security of their systems is understood and they are aware of the requirements when handling and communicating that data.

Published 25/05/2023
Authoring body: The Police Digital Service (PDS)
Standards
Resource
OVERSEAS IT ACCESS GUIDELINES

This guidance describes best practice risk management controls for accessing Policing ICT resources whilst abroad. It also describes the circumstances when forces can make a local decision or when referral to NSIRO is required when use abroad is required.

Published 02/04/2023
Authoring body: Police Digital Service
Guidance
Resource
System Access Standard

This standard defines the requirements which, when applied, will prevent unauthorised access to national policing IT systems. Areas considered include account management, access control mechanisms e.g. biometrics and customer access.

This standard adheres to the National Policing Community Security Policy Framework and is a suitable reference for community members, notably those who build and implement IT systems on behalf of national policing.

This standard also relates to other PDS standards passwords and IAM, which the audience should also consider.

Published 02/04/2023
Authoring body: Police Digital Service
Standards
Resource
Password Standard v1 approved by NCPSB JAN 23

This standard supports the National Community System Policy System Access requirements with respect to defining requirements for the use and selection of a password / passphrase-based method of authentication. It should be read in conjunction with the System Access standard. Passwords represent only one method of authentication (something that you know) and should be combined with other methods such as something you have (token) or something you are (biometric). It is not always possible especially with legacy applications or services to utilise multi-factor authentication, and this is where this standard can help to ensure that risks are effectively managed. A strong passphrase / password will help to ensure lawful business access to applications, mobile devices, systems and networks when combined with an agreed access control policy and supported by an Identity and Access Management (IAM) system. Undertaking a business impact assessment (BIA) is important to determine specific information security requirements to support proportionate risk management. This Standard is aligned with the NCSC’s password guidance.

Published 26/01/2023
Authoring body: Police Digital Service
Standards
Resource
Digital Evidence Storage v3.0

This is intended as a high-level overview of the requirements for digital evidence storage in a multimedia context. Ratings follow the MoSCoW system of Must, Should, Could and Won’t. The requirements are split into two sections, File Handling and Functionality. Systems must be compliant with the principles in the DSTL NPCC Digital Imaging and Multimedia Procedure v3.0 and Recovery and Acquisition of Video Evidence v3.0 and adhere to the Forensic Science Regulator Act 2021 and Statutory Code.

Published 06/12/2022
Authoring body: NPCC
Standards