Search - National Standard Microsite

Step 1 from the 10 steps to Cyber Security covers the approach to risk management.

Taking risks is a natural part of doing business. Risk management informs decisions so that the right balance of threats and opportunities can be achieved to best deliver your business objectives. Risk management in the cyber security domain helps ensure that the technology, systems and information in your organisation are protected in the most appropriate way, and that resources are focussed on the things that matter most to your business. A good risk management approach will be embedded throughout your organisation and complement the way you manage other business risks.

Step 10 from the 10 steps to Cyber Security covers how and why it is sensible to collaborate with your suppliers and partners

Most organisations rely upon suppliers to deliver products, systems, and services. An attack on your suppliers can be just as damaging to you as one that directly targets your own organisation. Supply chains are often large and complex, and effectively securing the supply chain can be hard because vulnerabilities can be inherent, introduced or exploited at any point within it. The first step is to understand your supply chain, including commodity suppliers such cloud service providers and those suppliers you hold a bespoke contract with. Exercising influence where you can, and encouraging continuous improvement, will help improve security across your supply chain.

Step 2 from the 10 steps to Cyber Security covers the engagement and training of members from your organisation.

People should be at the heart of any cyber security strategy. Good security takes into account the way people work in practice, and doesn't get in the way of people getting their jobs done. People can also be one of your most effective resources in preventing incidents (or detecting when one has occurred), provided they are properly engaged and there is a positive cyber security culture which encourages them to speak up. Supporting your staff to obtain the skills and knowledge required to work securely is often done through the means of awareness or training. This not only helps protect your organisation, but also demonstrates that you value your staff, and recognise their importance to the business.

Step 6 from the 10 steps to Cyber Security covers how to control who and what can access your systems and data via identity and access management (IAM)

Access to data, systems and services need to be protected. Understanding who or what needs access, and under what conditions, is just as important as knowing who needs to be kept out. You must choose appropriate methods to establish and prove the identity of users, devices, or systems, with enough confidence to make access control decisions. A good approach to identity and access management will make it hard for attackers to pretend they are legitimate, whilst keeping it as simple as possible for legitimate users to access what they need. 

Step 7 from the 10 steps to Cyber Security covers the need to protect data where it is vulnerable.

Data needs to be protected from unauthorised access, modification, or deletion. This involves ensuring data is protected in transit, at rest, and at end of life (that is, effectively sanitising or destroying storage media after use). In many cases data will be outside your direct control, so it important to consider the protections that you can apply as well as the assurances you may need from third parties. With the rise in increasingly tailored ransomware attacks preventing organisations from accessing their systems and data stored on them, other relevant security measures should include maintaining up-to-date, isolated, offline backup copies of all important data

Step 8 from the 10 steps to Cyber Security covers how to design your systems to be able to detect and investigate incidents.

Collecting logs is essential to understand how your systems are being used and is the foundation of security (or protective) monitoring. In the event of a concern or potential security incident, good logging practices will allow you to retrospectively look at what has happened and understand the impact of the incident. Security monitoring takes this further and involves the active analysis of logging information to look for signs of known attacks or unusual system behaviour, enabling organisations to detect events that could be deemed as a security incident, and respond accordingly in order to minimise the impact.

This document outlines best practice for the implementation and operation of electronic information management systems, including the storage and transfer of information. It is designed to help you verify and authenticate all your information to avoid the legal pitfalls of information storage. BS 10008 outlines best practice for transferring electronic information between systems and migrating paper records to digital files. It also gives guidelines for managing the availability and accessibility of any records that could be required as legal evidence.

ISO 15489 provides a framework for implementing records management systems - the lifecycle of records from creation through to disposal. Police forces can use this to inform internal records management systems such as the use of Share Point or use as an assessment when considering suppliers of systems, this could include case management.

This document was reviewed by the National Standards Assurance Board in July 2021 and still deemed current and of value to policing

[Added September 2021]

There is a need under the Equality Act 2010 to ensure documents are readily available to users who have additional accessibility needs. This document explains how to publish accessible documents to meet the needs of all users under the accessibility regulations.

It covers:

• Writing accessible documents
• Making non-HTML documents accessible
• Creating a PDF/A for archiving purposes
  • To save a PDF/A in Word, click Save As, change Save as type to PDF, click Options and tick 'PDF/A compliant'

The authors and National Standards Assurance Board accept that there is still a place for PDF documents, especially for archival purposes, but to ensure they are accessible in the future, they should be stored as PDF/A not the normal PDF format.

[Added September 2021]

The NPCC Guidance on The Minimum Standards for the Retention and Disposal of Police records has been produced by the NPCC Records Management Working Group to assist police forces in their statutory responsibility to comply with the Data Protection legislation (GDPR EU 2016/679 and Data Protection Act 2018), The Code of Practice on the Management of Police Information (2005) and other legislative requirements.

It contains

• The responisibilities for records retention and disposal
• Risks
• Benefits of a retention schedule
• Management of Police Information (MoPI)
• Maintenance
• Records Retention Tables for:
  • Assets & products
  • Crime and Case files
  • Detecting
  • Finance
  • Information
  • Organisation, Programmes & Projects
  • People
  • Preventing
  • Property
  • Prosecution

[Added September 2021]