Search - National Standard Microsite
National Standards can be classified based on whether they are conceptual, rule based or value based:
- Principles - The defining characteristic of a principle document is that it is conceptual. It describes a target state or end goal without specifying how it will be achieved.
- Guidance/Policies/Standards - The defining characteristic of guidance, policies and standards is that they are rule based. The document specifies the rules to be applied to achieve a particular state.
- Technical Reference Templates - The defining characteristic of a template is that it is value based. It specifies exactly the values that must be used.
National Standards graded 4Pol are standards which meet the below criteria and should be considered first, before any other standard in that category, as they fit the National Policing Digital Strategy allowing forces and suppliers to converge on a single set of standards.
4Pol Criteria:
- Support minimum legal requirements where they exist
- Align with the National Policing Digital Strategy to ensure strategic alignment and design
- Align with the TechUK Justice & Emergency Services Interoperability Charter to deliver better data sharing, exchanging and exploitation
- Direct relevance and applicability to policing
- Represent best practice
- Able to be measured and achieved within the unique landscape of policing
National Standards graded MLR stem directly from legislative requirements, such as the General Data Protection Regulation (GDPR) standards. These are National Standards which represent the minimum requirements to ensure that data and technology in use is operated in a lawfully compliant manner. These should be considered the baseline in applicable categories.
National Standards are divided into broad categories based on their focus. To recognise there is no clear dividing line, some National Standards may possess two categories, but the selected category reflects the primary focus of the National Standard:
- Analytics - Digital systems capable of creating actionable information from structured or unstructured data
- Asset Management - The way in which IT assets are acquired, used and disposed of
- Incident, Crime and Records Management Systems - Digital systems used to manage policing and corporate records
- Cloud - Remote, off-premises computer system resources which host a range of functions across a potentially wide range of distributed sites
- Data - Information held in a structured or unstructured digital format
- Devices - Physical devices capable of viewing, changing, creating, distributing or storing digital information
- Digital Media - Media stored in an electronic format from any source
- Enterprise Resource Planning - Enterprise resource planning (ERP) is the management of integrated business processes via a software solution
- Forensics - The use of investigative technology and methodology to gather intelligence and admissible evidence
- Intelligence Systems - Digital systems used to view, change, create, distribute or store sensitive digital information
- Justice - Systems, technologies and methodologies used within the Criminal Justice System
- Mobility - Software specifically designed to run on a mobile device such as a phone, tablet or watch
- Office Productivity & Collaboration Systems - Software specifically designed to address specific business needs such as communication, collaboration, document creation and content management
- Operational Policing - Specialist operational policing functions
- Security - The technology and methodology used in the protection of digital assets and services
Tags are assigned to National Standards to help users find grouped / related documentation
Technology Code of Practice
The Technology Code of Practice is a set of criteria to help government design, build and buy technology. It should be used for all technology projects and programmes, which should be aligned to the mandatory code, and the organisation’s technology and business strategies should be aligned to the Technology Code of Practice as much as possible.
Following the Technology Code of Practice will help introduce or update technology so that it:
- meets user needs, based on research with your users
- is easier to share across government
- is easy to maintain
- scales for future use
- is less dependent on single third-party suppliers
- provides better value for money
- makes use of open standards
Organisations must consider all points of the Technology Code of Practice as part of the Cabinet Office spend control process as it’s used as a cross-government agreed standard in the spend controls process. Where legacy technology limits your ability to adhere to the standard, you must explain this to the GDS Standards Assurance team.
Secure Sanitisation of Storage Media (Version 1.0)
Data sanitisation is a key concern for any organisation that deals with data storage media and wants to ensure that unauthorised parties do not gain access to its data.
Data sanitisation is the safe removal, treatment and disposal of sensitive information from storage media devices, so that retrieval and reconstruction of the data is not possible or is very difficult. Some forms of sanitisation allow you to re-use the media, while others are destructive in nature and render the media unusable.
There could be many reasons why an organisation may want to sanitise its data:
- Re-use purposes – new user device allocation, re-purpose or resell device.
- Repair purposes – return or repair faulty device.
- Disposal purposes – dispose of device.
- Destruction purposes – destroy information held on device or the device itself.
There are risks associated with improper sanitisation as key data may still remain on the device, such as:
- Sensitive data may end up with the wrong people who can expose the sensitive data
- Loss of control over information assets
- Private or personal data could be leaked and used to commit fraud or identity theft
- Intellectual property could be used leading to reputational loss
Whilst this may not be entirely a sanitisation issue, it is part of it, and one way to combat these risks is to use encryption.
End User Device (EUD) Security Guidance
The End User Device (EUD) Security Principles set out 12 core guidance principles that underpin the safety and security of devices used for working remotely. The twelve principles are as follows:
- Data-in-transit Protection
- Data-at-rest Protection
- Authentication
- Secure Boot
- Platform Integrity and Application Sandboxing
- Application Allow Listing
- Malicious Code Detection and Prevention
- Security Policy Enforcement
- External Interface Protection
- Device Update Policy
- Event Collection for Enterprise Analysis
- Incident Response
All of these principles must be considered when securing and deploying devices.
Code of practice for the deployment and use of Body Worn Video (BWV) BS 8593:2017
The use of body worn video (BWV) includes both audio and visual recording, using video and a microphone. The recording can also be stored and exported.
BWV has become extremely popular in the video surveillance sector and within the Police Force, as officers are able to use BWV to capture key evidence whilst on operational duty. However, there have been some issues around privacy, data security and technical capabilities.
To ensure that BWV is used for its intended purpose, this standard has been written to provide operational and technical guidance to help strike a balance between safety and the privacy of the individuals being recorded, and to foster public trust in where and when BWV can be used.
Some of the activities in which BWV can be used are emergency responses, night-time economy operations/events, security guarding, parking enforcement and door supervision.
Intended readers are Police officers, security companies, entertainment venues, local authorities.
Fees for accessing the standard may apply.
End user device (EUD) Security Guidance Windows 10 1809
This guidance covers the deployment of a range of end user device platforms for the secure configuration of Windows 10 1809. Risk owners and administrators should agree a configuration which balances business requirements, usability and security.
- Protective Monitoring Solution: All data should be routed over a secure enterprise VPN to ensure the confidentiality and integrity of the traffic. This also allows the devices, and data on them, to be protected.
- Applications should be authorised by an administrator and deployed via a trusted mechanism.
- Most users should have accounts with no administrative privileges. Administrator accounts should have a unique strong password per device.
Testing was performed on a Windows Hardware Certified device, running Windows 10 Enterprise. This guidance is not applicable to Windows devices managed via an MDM or Windows To Go.
Facing the Camera - Guidance on police use of overt CCTV and facial recognition to locate persons on a watchlist in public
This code of practice issued by the Secretary of State (regulated by the Surveillance Camera Commissioner) under the Protection of Freedoms Act 2012 (PoFA) covers police forces in England & Wales. Chief officers must have regard to this code when using facial recognition algorithms as part of the operation of surveillance camera systems, or the use or processing of images or other information obtained.
The code only applies to the use of facial recognition technology and processing of images from surveillance cameras operated in 'live time' or 'near real time' operational scenarios.
The code includes considerations of:
- Applicability
- Biometrics
- Ethics
- Human Rights
- Legal frameworks
- Police policy documents
- Governance
- Evidence handling
- Public engagement
- Accountability and certification
Also included as an attachment is the National Surveillance Camera Strategy for context.
CPA Security Characteristic Software Full Disk Encryption (Version 1.24)
This document has been reviewed by the National Standards Assurance Board in May 2021 and is still deemed relevant with sound principles, despite being dated in some areas. Users should also be aware of the NEP Windows Blueprints.
This document describes the features, testing and deployment requirements necessary to meet CPA certification for Software Full Disk Encryption security products. It is intended for vendors, system architects, developers, evaluation and technical staff operating within the security arena.
The purpose of a software disk encryption product is to protect the confidentiality of data. This document aims to describe the requirements for Software Full Disk Encryption products and obtaining Commercial Product Assurance (CPA) certification under the CPA scheme.
A typical use case is the protection of a mobile device such as a laptop in case of accidental loss or theft.
The Security Characteristic is primarily targeted at a single user for each protected device, and is only applicable to software disk encryption products that operate on PCs with Unified Extensible Firmware Interface (UEFI) or Basic Input/Output System (BIOS). Multiple users can also be evaluated.
Intended readers are developers, system architects, vendors and technical staff. The disk encryption software will prevent an attacker from accessing the data.
Bluetooth General Guidance (v1.1)
Guidance on the risk-based approach to using Bluetooth enabled technology within the policing environment, including examples. This guide does not cover all use cases and for advice on exemptions for specific use cases, the NPIRMT team should be approached to provide a bespoke risk assessment.
Video surveillance systems for use in security applications BS 62676
This document has been written by subject matter experts, together with many governmental organisations, test houses and equipment manufacturers, to define a common framework for video surveillance transmission in order to achieve interoperability between products.
The 62676 series is divided into 4 independent parts:
Part 1: System requirements (with 2 sub-parts: General and Performance requirements)
Part 2: Video transmission protocols
Part 3: Analog and digital video interfaces
Part 4: Application guidelines
This standard is intended to assist Video Surveillance System suppliers, users (including law enforcement), integrators and other interested parties to achieve a complete and accurate specification of the surveillance system. This standard does not specify the type of technology required for a certain observation task.
[Note that this document, despite being authored in 2014, has been reviewed by subject matter experts in April 2021 and deemed to still represent good practice and relevancy]
Extraction of material from digital devices APP
This document sets out the obligations on the police under the Data Protection Act 2018 and how these interact with other relevant legislation and case law. It provides police officers and staff with a set of principles to inform how they obtain digital devices – most often mobile phones but also laptops and other computers – from victims, witnesses and suspects for the purpose of an investigation and how they then extract the digital material from those devices. It will also help the public understand the responsibilities of the police when gathering evidence, obtaining devices and accessing the material held on them.