Search - National Standard Microsite

This document describes how HM Government classifies information assets into OFFICAL, OFFICIAL SENSITIVE, SECRET and TOP SECRET to ensure information can be protected but also efficiently shared. This is not a statutory scheme, but operates within the requirements of the Official Secrets Acts (1911 and 1989) and the Freedom of Information Act (2000) and Data Protection legislation.

Please note this is an OFFICIAL-SENSITIVE document, to request access please use the 'Contact Us' tab to raise a general query

National Police information, systems and networks must be safeguarded to ensure the Police Community can meet their statutory and regulatory responsibilities. The Police Community meets these responsibilities through a community of trust and by the implementation of this Community Security Policy (CSP).

This document relates to all National Police information; systems/services and networks, for which Chief Officers or Chief Executives are Joint Data Controllers. Furthermore it extends to all systems whether national or local that connect to access police information. 

This document sets out the obligations on the police under the Data Protection Act 2018 and how these interact with other relevant legislation and case law. It provides police officers and staff with a set of principles to inform how they obtain digital devices – most often mobile phones but also laptops and other computers – from victims, witnesses and suspects for the purpose of an investigation and how they then extract the digital material from those devices. It will also help the public understand the responsibilities of the police when gathering evidence, obtaining devices and accessing the material held on them.

Most cyber attacks are conducted by unskilled individuals and are very basic in nature and cyber security is an important aspect to guard any organisation from cyber attacks. There are five essential technical controls that any organisation can put in place the following:

1. Use a firewall to secure your internet connection

Many organisations will have a dedicated boundary firewall which protects their whole network. This effectively creates a ‘buffer zone’ between your IT network and other, external networks.

2. Choose the most secure settings for your device an software

always check the settings of new software and devices and where possible, make changes which raise your level of security. For important accounts such as banking and IT administration, you should use two-factor authentication

3. Control who has access to your data and services

To minimise the potential damage that could be done if an account is misused or stolen, staff accounts should have just enough access to software, settings, online services and device connectivity functions for them to perform their role. 

4. Protect yourself from viruses and other malware

Viruses are another well-known form of malware (malicious software). These programs are designed to infect legitimate software, passing unnoticed between machines. A user may open an infected email attachment, browse a malicious website, or use a removable storage drive, such as a USB memory stick, which is carrying malware. You can use anti-malware/virus software to detect and treat them.

5. Keep your devices and software up to date

Manufacturers and developers release regular updates which not only add new features, but also fix any security vulnerabilities that have been discovered. Therefore it is important that manufacturers support the device with regular security updates.

This guidance is designed to help organisations protect themselves in cyberspace and best practises for cyberspace security. It relays the task of defending your networks, systems and information into its essential components.

It is important to note, when dealing cyberspace protection, the organisation knows the kinds of cyber attacks it expects to understand what protection would be needed. 

Note: This high level guidance provides context on the 10 steps. Each step is also individually signposted on the National Standards platform.

Published by the National cyber security centre, this guidance document provides details and context on the following 14 cloud security principles.

1. Data in transit

2. Asset protection and resilience

3. Separation between users

4. Governance framework

5. Operational security

6. Personnel security

7. Secure development

8. Supply chain security

9. Secure user management

10. Identity and authentication

11. External interface protection

12. Secure service administration

13. Audit information for users

14. Secure use of the service

Step 3 from the 10 steps to Cyber Security covers asset management, ensuring you know what data and systems you manage, and what business need they support.

Asset management encompasses the way you can establish and maintain the required knowledge of your assets. Over time, systems generally grow organically, and it can be hard to maintain an understanding of all the assets within your environment. Incidents can occur as the result of not fully understanding an environment, whether it is an unpatched service, an exposed cloud storage account or a mis-classified document. Ensuring you know about all of these assets is a fundamental precursor to being able to understand and address the resulting risks. Understanding when your systems will no longer be supported can help you to better plan for upgrades and replacements, to help avoid running vulnerable legacy systems.

Step 4 from the 10 steps to Cyber Security covers how to design, build and maintain systems securely.

The technology and cyber security landscape is constantly evolving. To address this, organisations need to ensure that good cyber security is baked into their systems and services from the outset, and that those systems and services can be maintained and updated to adapt effectively to emerging threats and risks.

Step 9 from the 10 steps to Cyber Security covers how to plan your response to cyber incidents in advance.

Incidents can have a huge impact on an organisation in terms of cost, productivity and reputation. However, good incident management will reduce the impact when they do happen. Being able to detect and quickly respond to incidents will help to prevent further damage, reducing the financial and operational impact. Managing the incident whilst in the media spotlight will reduce the reputational impact. Finally, applying what you’ve learned in the aftermath of an incident will mean you are better prepared for any future incidents.

Step 5 from the 10 steps to Cyber Security covers how to keep your systems protected throughout their lifecycle.

The majority of cyber security incidents are the result of attackers exploiting publicly disclosed vulnerabilities to gain access to systems and networks. Attackers will, often indiscriminately, seek to exploit vulnerabilities as soon as they have been disclosed. So it is important (and essential for any systems that are exploitable from the internet) to install security updates as soon as possible to protect your organisation. Some vulnerabilities may be harder to fix, and a good vulnerability management process will help you understand which ones are most serious and need addressing first.