to add a new content
Resource
Data Protection

On the 25th May 2018 the Data Protection Act 2018 was implemented by the UK as the General Data Protection Regulation also known as GDPR. It controls how personal information is captured and used by organisations and the government.

Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’ and must ensure that the information they obtain is for a lawful purpose, used fairly and must be transparent about its intended purpose of usage and used explicitly for that purpose only.

Data should also not be kept for more than is necessary, and whilst it is kept, should be kept up to date and handled and secured in a way that does not compromise its protection from unauthorised processing, loss of theft of data.  

It is important to note that there is stronger legal protection for more sensitive information such as race, health, sex life, orientation, ethnic background. There are separate safeguards for personal data relating to criminal convictions and offences.

Under the Data Protection Act 2018, an individual has the right to find out what information the government and other organisations holds about them and this ideally should be provided to the individual within 1 month.  

To make a complaint about the misuse of personal information or lack of security it should be made to the organisation, following their response the complaint can also be made to the Information Commissioner’s Office.

ICO
casework@ico.org.uk
Telephone: 0303 123 1113

Published 01/01/2018
Authoring body: Information Commissioner's Office (ICO)
Principles
Resource
Surveillance Camera Code of Practice

The purpose of the code will be to ensure that individuals and wider communities have confidence that surveillance cameras are deployed to protect and support them, rather than spy on them. 
Surveillance cameras when used appropriately can be a great tool used for public safety, protection of property and people and serve as security.

The Surveillance cameras Code of Practice was issued under Section 30 of the 2012 Act to provide guidance appropriate and effective use of surveillance camera systems by relevant authorities. It is welcomed and encouraged for other operators to use the code but it is not mandatory.

This is a significant step in achieving the ongoing process of delivering the government’s commitment to the ‘further regulation of CCTV’, which is a gradual process. As the understanding and application of the code grows and matures overtime, the government may consider expanding its members of the code to other relevant bodies that they deem fit they will benefit from the code of practice. This is clearly seen by the government as a way of improving the standards of camera security operators.

This document was reviewed by the National Standards Assurance Board in February 2021 and although related documentation, such as the Surveillance Camera Commissioners 'Facing the Camera' code of practice exists, it did not replace this existing document, which still offers value.

Published 01/06/2013
Authoring body: Home Office
Policy
Resource
10 Steps to Cyber Security

This guidance is designed to help organisations protect themselves in cyberspace and best practises for cyberspace security. It relays the task of defending your networks, systems and information into its essential components.

It is important to note, when dealing cyberspace protection, the organisation knows the kinds of cyber attacks it expects to understand what protection would be needed.

Published 01/01/2018
Authoring body: National Cyber Security Centre (NCSC)
Guidance
Resource
Government Network Policy Changes

The Public Services Network (PSN) provides technical policies regarding the operation of its network. This provides a high-level guidance for the way in which government networks, as a whole should be managed.

The policies aim to create a simple mechanism for managing network services in government. The objectives of the policies are to:

  • operate the PSN as a single OFFICIAL network enabling services to be consumed from both the Assured and Protected networks.

  • enable the use of cloud email services that meet specific security standards for government email.

  • bring PSN and other government Domain Name System (DNS) services into line with best practice.  

Email feedback to psnservicedesk@digital.cabinet-office.gov.uk 

Published 13/03/2017
Authoring body: Government Digital Services (GDS)
Policy
Resource
ISO/IEC 27003:2017 Preview

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

This document provides guidance on the requirements for an information security management system (ISMS) as specified in ISO/IEC 27001 and provides recommendations (‘should’), possibilities (‘can’) and permissions (‘may’) in relation to them. It is not the intention of this document to provide general guidance on all aspects of information security.

Clauses 4 to 10 of this document mirror the structure of ISO/IEC 27001:2013.

This document does not add any new requirements for an ISMS and its related terms and definitions. Organisations should refer to ISO/IEC 27001 and ISO/IEC 27000 for requirements and definitions. Organisations implementing an ISMS are under no obligation to observe the guidance in this document.

An ISMS emphasises the importance of the following phases:

  • understanding the organisation’s needs and the necessity for establishing information security policy and information security objectives;

  • assessing the organisation's risks related to information security;

  • implementing and operating information security processes, controls and other measures to treat risks;

  • monitoring and reviewing the performance and effectiveness of the ISMS; and

  • practising continual improvement.

Published 01/01/2017
Authoring body: International Organisation for Standardisation (ISO)
Standards
Resource
Cloud Security Guidance

Published by the National cyber security centre, this guidance document provides details and context on the following 14 cloud security principles.

1. Data in transit

2. Asset protection and resilience

3. Separation between users

4. Governance framework

5. Operational security

6. Personnel security

7. Secure development

8. Supply chain security

9. Secure user management

10. Identity and authentication

11. External interface protection

12. Secure service administration

13. Audit information for users

14. Secure use of the service

 

Published 17/11/2018
Authoring body: National Cyber Security Centre (NCSC)
Guidance
Resource
Code of practice for the deployment and use of Body Worn Video (BWV) BS 8593:2017

The use of Body worn video (BWV) includes video and microphone both audio and visual recording. The recording can also be stored and exported.

BWV has become extremely in the video surveillance sector and within the Police Force, as officers are able to use BWV and capture key important evidence whilst on operational duty. However have been some issues around privacy, data security technical capabilities.

To ensure that BWV, is used for its intended purpose this standard has been written to provide operational and technical guidance to help strike a balance between safety and the privacy of the individuals being recorded and foster public trust in where and when BWV can be used.

Some of the activities in which BWV can be used are in emergency responses, night-time economy operations/events, security guarding, parking enforcement, door supervision.

Intended readers are Police officers, security companies, entertainment venues, local authorities.

Fees to accessing the standard may apply.

Published 01/01/2017
Authoring body: British Standards Institute (BSI)
Standards
Resource
End User Device (EUD) Security Principles (Version 1.0)

The End User Device (EUD) Security Principles sets out 12 core guidance principles that underpin the safety and security of using devices that serve the purpose of working remotely. The twelve principles are as follows: 

1. Data-in-transit Protection: Data should be protected as it transits from the EUD to any services the EUD uses. 

2. Data-at-rest Protection: Data stored on the device should be satisfactorily encrypted when the device is in its “rest” state. 

3. Authentication:

- User to device: the user is only granted access to the device after successfully authenticating to the device.

- User to service: The user is only able to access enterprise services after successfully authenticating to the service, via their device.

- Device to service: Only devices which can authenticate to the enterprise are granted access.

4. Secure Boot: An unauthorised entity should not be able to modify the boot process of a device, and any attempt to do so should be detected.

5. Platform Integrity and Application Sandboxing: The device can continue to operate securely despite potential compromise of an application or component within the platform, 

6. Application allow Listing: The enterprise can define which applications are able to execute on the device, and these policies are robustly enforced on the device.

7. Malicious code detection and prevention: The device can detect, isolate and defeat malicious code which is present on the device.

8. Security policy enforcement: Security policies set by your organisation are robustly implemented across the platform.

9. External interface protection: The device is able to constrain the set of ports (physical and logical) and services exposed to untrusted networks and devices. 

10. Device Update Policy: You are able to issue security updates and can remotely validate the patch level of your entire device estate.

11. Event Collection for Enterprise Analysis: The device reports security-critical events to your audit and monitoring service. 

12. Incident Response: Your organisation has a plan in place to respond to and understand the impact of security incidents.

All of these principles must be considered when securing and deploying devices.

Published 01/01/2019
Authoring body: National Cyber Security Centre (NCSC)
Principles
Resource
Cyber security essential advice

Most cyber attacks are conducted by unskilled individuals and are very basic in nature and cyber security is an important aspect to guard any organisation from cyber attacks. There are five essential technical controls that any organisation can put in place the following:

  1. Use a firewall to secure your internet connection

Many organisations will have a dedicated boundary firewall which protects their whole network. This effectively creates a ‘buffer zone’ between your IT network and other, external networks.

  1. Choose the most secure settings for your device an software

always check the settings of new software and devices and where possible, make changes which raise your level of security. For important accounts such as banking and IT administration, you should use two-factor authentication

  1. Control who has access to your data and services

To minimise the potential damage that could be done if an account is misused or stolen, staff accounts should have just enough access to software, settings, online services and device connectivity functions for them to perform their role. 

  1. Protect yourself from viruses and other malware

Viruses are another well-known form of malware (malicious software). These programs are designed to infect legitimate software, passing unnoticed between machines. A user may open an infected email attachment, browse a malicious website, or use a removable storage drive, such as a USB memory stick, which is carrying malware. You can use anti-malware/virus software to detect and treat them.

  1. Keep your devices and software up to date

Manufacturers and developers release regular updates which not only add new features, but also fix any security vulnerabilities that have been discovered. Therefore it is important that manufacturers support the device with regular security updates.

Published 01/01/2021
Authoring body: National Cyber Security Centre (NCSC)
Principles
Resource
DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail (DKIM) verifies an email’s domain and ensures it has not been tampered with in transit. The receiving email service can then filter or reject email that fails the DKIM check. In order for DKIM to verify an emails domain it uses public key encryption to check email by creating a hash using the content of each outbound email. The sending service then encrypts the hash with its private key and adds it to the email header. This is the DKIM signature.

The receiving email service looks up the public key in the sender’s DKIM DNS (DOMAIN NAME SYSTEM) record then uses the public key to decrypt the DKIM signature on the email. It also generates a hash of the email in the same way the sending email service did. If the hash matches the decrypted DKIM signature then the email passes the DKIM check. This means the email came from where it says it came from and has not changed in transit.

Published 01/01/2016
Authoring body: Government Digital Service (GDS)
Guidance