to add a new content
Resource
Technology Code of Practice

The Technology Code of Practice is a set of criteria to help government design, build and buy technology. Technology Code of Practice should be used for all technology projects and programmes and should be aligned to the mandatory code and as much as possible align the organisation’s technology and business strategies to the Technology Code of Practice.

Following the Technology Code of Practice will help introduce or update technology so that it:

  • meets user needs, based on research with your users

  • is easier to share across government

  • is easy to maintain

  • scales for future use

  • is less dependent on single third-party suppliers

  • provides better value for money

  • makes use of open standards

Organisations must consider all points of the Technology Code of Practice as part of the Cabinet Office spend control process as it’s used as a cross-government agreed standard in the spend controls process. Where legacy technology limits your ability to adhere to the standard, you must explain this to the GDS Standards Assurance team.

 

 

Published 01/01/2019
Authoring body: Government Digital Service (GDS)
Guidance
Resource
Secure Sanitisation of Storage Media (Version 1.0)

Data sanitisation is a key aspect to any organisations dealing with data storage media and who want to ensure that unauthorised parties do not gain access to their data.

Data sanitisation has to do with the safe removal, treatments and disposal of sensitive information from storage media devices to guarantee that retrieval and reconstruction of data is not possible or may be very difficult to reproduce as some forms of sanitisation will allow you to re-use the media, while others are destructive in nature and render the media unusable.

There could be many reasons why an organisation may want to sanitise its data:

  • Re-use purposes – new user device allocation, re-purpose or resell device.

  • Repair purposes - return or repair faulty device

  • Disposal purposes – dispose of device

  • Destruction purposes – destroy information held on device or the device itself.

There are risks associated with improper sanitisation as key data may still remain on the device, such as:

  • Sensitive data may end up with the wrong people who can expose the sensitive data

  • Loss of control over information assets

  • Private or personal data could be leaked and used to commit fraud or identity theft.

  • Intellectual property could be used leading to reputational loss

Whilst this may not be entirely a sanitisation issue, it is part of it and one way to combat these risks is using encryption.

 

 

Published 13/02/2020
Authoring body: National Cyber Security Centre (NCSC)
Guidance
Resource
End User Device (EUD) Security Guidance

The End User Device (EUD) Security Principles sets out 12 core guidance principles that underpin the safety and security of using devices that serve the purpose of working remotely. The twelve principles are as follows:

  1. Data-in-transit Protection

  2. Data-at-rest Protection

  3. Authentication

  4. Secure Boot

  5. Platform Integrity and Application Sandboxing

  6. Application allow Listing

  7. Malicious Code Detection and Prevention

  8. Security policy Enforcement

  9. External Interface Protection

  10. Device Update Policy

  11. Event Collection for Enterprise Analysis

  12. Incident Response

All of these principles must be considered when securing and deploying devices.

 

Published 01/01/2019
Authoring body: National Cyber security Centre (NCSC)
Principles
Resource
Code of practice for the deployment and use of Body Worn Video (BWV) BS 8593:2017

The use of Body worn video (BWV) includes video and microphone both audio and visual recording. The recording can also be stored and exported.

BWV has become extremely in the video surveillance sector and within the Police Force, as officers are able to use BWV and capture key important evidence whilst on operational duty. However have been some issues around privacy, data security technical capabilities.

To ensure that BWV, is used for its intended purpose this standard has been written to provide operational and technical guidance to help strike a balance between safety and the privacy of the individuals being recorded and foster public trust in where and when BWV can be used.

Some of the activities in which BWV can be used are in emergency responses, night-time economy operations/events, security guarding, parking enforcement, door supervision.

Intended readers are Police officers, security companies, entertainment venues, local authorities.

Fees to accessing the standard may apply.

Published 01/01/2017
Authoring body: British Standards Institute (BSI)
Standards
Resource
End user device (EUD) Security Guidance Windows 10 1809

This guidance covers the deployment of a range of end user device platforms for the secure configuration of Windows 10 1809. Risk owners and administrators should agree a configuration which balances business requirements, usability and security.

  • Protective Monitoring Solution: All data should be routed over a secure enterprise VPN to ensure the confidentiality and integrity of the traffic. This also allows the devices, and data on them, to be protected.

  • Applications should be authorised by an administrator and deployed via a trusted mechanism.

  • Most users should have accounts with no administrative privileges.  Administrator accounts should have a unique strong password per device.

Testing was performed on a Windows Hardware Certified device, running Windows 10 Enterprise. This guidance is not applicable to Windows devices managed via an MDM or Windows To Go. 

This guidance is not applicable to Windows devices managed via an MDM or Windows To Go. 

Risk owners and administrators should agree a configuration, which balances business requirements, usability and security.

Published 01/01/2020
Authoring body: National Cyber Security Centre (NCSC)
Guidance
Resource
Facing the Camera - Guidance on police use of overt CCTV and facial recognition to locate persons on a watchlist in public

This code of practice issued by the Secretary of State (regulated by the Surveillance Camera Commissioner) under the Protection of Freedoms Act 2012 (PoFA) covers police forces in England & Wales. Chief officers must have regard to this code when using facial recognition algorithms as part of the operation of surveillance camera systems, or the use or processing of images or other information obtained.

The code only applies to the use of facial recognition technology and processing of images from surveillance cameras operated in 'live time' or 'near real time' operational scenarios.

The code includes considerations into:

  • Applicability
  • Biometrics
  • Ethics
  • Human Rights
  • Legal frameworks
  • Police policy documents
  • Governance
  • Evidence handling
  • Public engagement
  • Accountability and certification

Also included as an attachment is the National Surveillance Camera Strategy for context.

Published 01/11/2020
Authoring body: Surveillance Camera Commissioner (SCC)
Principles
Resource
CPA Security Characteristic Software Full Disk Encryption (Version 1.24)

This document has been reviewed by the National Standards Assurance Board in May 2021 and is still deemed relevant with sound principles, despite being dated in some areas. Users should also be aware of the NEP Windows Blueprints.

 

This document describes the features, testing and deployment requirements necessary to meet CPA certification for Software Full Disk Encryption security products. It is intended for vendors, system architects, developers, evaluation and technical staff operating within the security arena.

The purpose of a software disk encryption product is to protect the confidentiality of data. This document aims to describe the requirements for Software Full Disk Encryption products and obtaining Commercial Product Assurance (CPA) certification under the CPA scheme.

A typical use case is the protection of a mobile device such as a laptop in case of accidental loss or theft.

The Security Characteristic is primarily targeted towards a single user for each protected devices only applicable to software disk encryption products that operate on PCs with Extensible Firmware Interface (UEFI) or  Basic Input/Output System (BIOS). Multiple users can also be evaluated.

Intended readers are for developers, system, architects, vendors and technical staff. The disk encryption software will prevent an attacker from accessing the data.

Published 01/01/2016
Authoring body: CESG National Technical Authority for Information Assurance
Standards
Resource
Bluetooth General Guidance (v1.1)

Guidance on the risk-based approach to using Bluetooth enabled technology within the policing environment, including examples. This guide does not cover all use cases and for advice on exemptions for specific use cases, the NPIRMT team should be approached to provide a bespoke risk assessment.

 

 

Published 02/02/2017
Authoring body: National Policing Information Risk Management Team (NPIRMT)
Guidance
Resource
Video surveillance systems for use in security applications BS 62676

This document has been written by subject matter experts, together with many governmental organisations, test houses and equipment manufacturers to defined a common framework for video surveillance transmission in order to achieve interoperability between products. 

The 62676 series is divided into 4 independent parts:
Part 1: System requirements (with 2 sub-parts: General and Performance requirements)
Part 2: Video transmission protocols
Part 3: Analog and digital video interfaces
Part 4: Application guidelines

This standard is intended to assist Video Surveillance System suppliers, users (including law enforcement), integrators and other interested parties achieve a complete and accurate specification of the surveillance system. This standard standard does not specify the type of technology required for a certain observation task.

[Note that this document, despite being authored in 2014, has been reviewed by subject matter experts in April 2021 and deemed to still represent good practice and relevancy]

Published 01/05/2014
Authoring body: British Standards Institute (BSI)
Standards
Resource
Extraction of material from digital devices APP

This document sets out the obligations on the police under the Data Protection Act 2018 and how these interact with other relevant legislation and case law. It provides police officers and staff with a set of principles to inform how they obtain digital devices – most often mobile phones but also laptops and other computers – from victims, witnesses and suspects for the purpose of an investigation and how they then extract the digital material from those devices. It will also help the public understand the responsibilities of the police when gathering evidence, obtaining devices and accessing the material held on them.

Published 01/05/2021
Authoring body: College of Policing (CoP)
Principles