to add a new content
Government Network Policy Changes

The Public Services Network (PSN) provides technical policies regarding the operation of its network. This provides a high-level guidance for the way in which government networks, as a whole should be managed.

The policies aim to create a simple mechanism for managing network services in government. The objectives of the policies are to:

  • operate the PSN as a single OFFICIAL network enabling services to be consumed from both the Assured and Protected networks.

  • enable the use of cloud email services that meet specific security standards for government email.

  • bring PSN and other government Domain Name System (DNS) services into line with best practice.  

Email feedback to 

Published 13/03/2017
Authoring body: Government Digital Services (GDS)
Application Development

This guidance gives practical advice on the secure development, procurement and deployment of generic applications.

There are three types of common security issues:

  1. Secure data handling

  2. Application hardening

  3. Third party applications

This guidance is written main for risk assessors and application developers on how to minimise the loss of data from applications running on all devices handling sensitive data. Sensitive information should not be stored on devices when it's not required. If it must be stored on a device, a native data storage protection APIs (Application Programming Interface) available on the platform must be utilised. You must also ensure that the applications allows administrators to delete sensitive data from devices if they are compromised or lost and encrypt sensitive information when stored, protected by an authentication mechanism.

You must also securely implement cryptographic functions and store sensitive information securely, and hide it from the user until they have been authenticated and ensure that sessions timeout periodically and require the user or application to repeat the authentication process and where possible manage user accounts centrally.

Published 01/01/2018
Authoring body: National Cyber Security Centre (NCSC)
End user device (EUD) Security Guidance Windows 10 1809

This guidance covers the deployment of a range of end user device platforms for the secure configuration of Windows 10 1809. Risk owners and administrators should agree a configuration which balances business requirements, usability and security.

  • Protective Monitoring Solution: All data should be routed over a secure enterprise VPN to ensure the confidentiality and integrity of the traffic. This also allows the devices, and data on them, to be protected.

  • Applications should be authorised by an administrator and deployed via a trusted mechanism.

  • Most users should have accounts with no administrative privileges.  Administrator accounts should have a unique strong password per device.

Testing was performed on a Windows Hardware Certified device, running Windows 10 Enterprise. This guidance is not applicable to Windows devices managed via an MDM or Windows To Go. 

This guidance is not applicable to Windows devices managed via an MDM or Windows To Go. 

Risk owners and administrators should agree a configuration, which balances business requirements, usability and security.

Published 01/01/2020
Authoring body: National Cyber Security Centre (NCSC)
Multi Agency Incident Transfer Standard

The exchange of incident information between key organisations such as the Police Force, Highways England, Ambulance Service, Fire service is critical to saving lives and keeping members of the public safe.

The exchange of key information between organisations using command and control systems that manage incidents and deployments are used through formatted messages using extensible markup Language (XML).

This technical document aims to describe the implementation guidelines for exchanging information between multiple command and control systems between different organisations (Multi Agency Incident Transfer (MAIT), describe communications and data management issues that need to be considered, whilst providing suitable implementation guidance as well as describing interfaces available and their XML’s.

Published 01/03/2016
Authoring body: British Association of Public-Safety Communications Officials (British APCO)
Surveillance Camera Code of Practice

The purpose of the code will be to ensure that individuals and wider communities have confidence that surveillance cameras are deployed to protect and support them, rather than spy on them. 
Surveillance cameras when used appropriately can be a great tool used for public safety, protection of property and people and serve as security.

The Surveillance cameras Code of Practice was issued under Section 30 of the 2012 Act to provide guidance appropriate and effective use of surveillance camera systems by relevant authorities. It is welcomed and encouraged for other operators to use the code but it is not mandatory.

This is a significant step in achieving the ongoing process of delivering the government’s commitment to the ‘further regulation of CCTV’, which is a gradual process. As the understanding and application of the code grows and matures overtime, the government may consider expanding its members of the code to other relevant bodies that they deem fit they will benefit from the code of practice. This is clearly seen by the government as a way of improving the standards of camera security operators.

This document was reviewed by the National Standards Assurance Board in February 2021 and although related documentation, such as the Surveillance Camera Commissioners 'Facing the Camera' code of practice exists, it did not replace this existing document, which still offers value.

Published 01/06/2013
Authoring body: Home Office
National ICT Strategic / Architectural Principles

The National ICT Strategic Principles sets out architectural rules and guidelines in fulfilling its ICT strategies across the force. It helps to define the underlying general rules for the use and deployment of all ICT capabilities across the Police Force.

The document includes the following principles:

   Architectural Business Principles:

  • Business Continuity

  • Service Orientation

  • Compliance with Law

  • ICT responsibility

  • Responsive Change Management


  • Cloud First

  • Interoperability


  • Data is a an Asset

  • Data is Accessible

  • Information Asset Owner

  • Data Security

  • Management of Police Information

   Application Principles: 

  • Technology Independence

  • Single Authentication model


These have been reviewed by the National Standards Assurance Board in March 2021 and still deemed to posses relevant information. PDS confirmed that a new set of principles are in development to replace these.

Published 14/07/2017
Authoring body: National Police Technology Council (NPTC)
National Police Information Risk Appetite Statement (Version 2.2)

Please note this is an OFFICIAL-SENSITIVE document, to request access please use the 'Contact Us' tab to raise a general query

The purpose of this document is to inform force/agency Senior Information Risk Owners (SIRO), National Information Asset Owners, National and force/agency Accreditors/Projects/programmes and other interested parties of the National Information Risk Appetite and its implications. This document should be read in conjunction with the BRG on Risk Appetite .

This document helps provide a baseline for defining and managing risk for all National information systems and National Police Infrastructure used within the Police services such as as Police National Database, Police National Computer, ViSOR/MAPS.

The document also helps form part of the national Information Assurance governance for information risk management and focuses on national Information Systems risk management and governance and force/agency risk management and governance.

The National Information Risk Appetite echoes the need for the police service to protect and manage risk with regards to information handling, as information mismanagement can compromise confidentiality and integrity, have an adverse impact on police operations and damage police public image and increase risks to the compliance or legal standing of the police force.

Intended audience readers are for police force SIROs, Information Asset Owners, police force Accreditors, programme and project managers as well as other interested parties in National Information risk management.


Published 01/01/2012
Authoring body: National Police Information Risk Management Team (NPIRMT)
Police Approved Secure Facilities (PASF) security review checklist (v1.8)

Please note this is an OFFICIAL-SENSITIVE document, to request access please use the 'Contact Us' tab to raise a general query

This checklist covers the range of security measures to be assessed when reviewing how appropriate a premises is for handling police data. This can be used for both police premises but also suppliers premises, where they are handling or hosting data.


Published 01/06/2020
Authoring body: National Police Information Risk Management Team (NPIRMT)
Reference Data / Templates
ISO/IEC 27033-2:2012 IT Security techniques — Network security — Part 2: Guidelines for the design and implementation of network security

ISO 27033-2 gives guidelines to police forces on how to plan, design, implement and document effective network security.

This standard was reviewed by the authoring body in 2018 and still deemed current. This was also further reviewed by the National Standards Assurance Board in May 2021 and still found to be current and of value.

Published 01/08/2012
Authoring body: International Standards Organisation (ISO)
ISO/IEC 27031:2011 IT Security Techniques — Guidelines for Information and Communication Technology Readiness for Business Continuity

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

Over the years, information and communication technology (ICT) has become an integral part of many of the activities which are major elements of the critical infrastructures in all organisations. The proliferation of the Internet and other IT capabilities of systems and applications, has also meant that organisations have become ever more reliant on reliable, safe and secure ICT infrastructures. This reliance means that disruptions to ICT can constitute strategic risks to the reputation of the organisation and its ability to operate.

Failures of ICT services, including the occurrence of security issues such as systems intrusion and malware infections, will impact the continuity of business operations. Thus managing ICT and related continuity and other security aspects form a key part of business continuity requirements. In order for an organisation to achieve ICT Readiness for Business Continuity (IRBC), it needs to put in place a systematic process to prevent, predict and manage ICT disruption and incidents which have the potential to disrupt ICT services. 

Published 01/01/2011
Authoring body: International Organisation for Standardisation (ISO)