Search - National Standard Microsite

There are occasions that require the use of firearms by Authorised Firearms Officers (AFOs) in conflict situations. This response is a well-established and necessary approach to managing conflict. Commanders and AFOs are trained to analyse and determine appropriate courses of action in the course of armed deployments.

Police officers have a positive duty to protect the public from harm – a duty of care to all involved must be the overriding consideration. Police decision-making and response is vital in such situations and thus the National Decision model (NDM) is used to assist with the decision-making process.

The Authorised Professional Practice for Armed Policing covers guidance on the appropriate use of firearms within the police force. It also acts as a basis for training police officers in matters relating to the operational use of firearms.

The also provides guidance on structural command, tactical options and operational challenges with the deployment of Authorised Firearms Officers (AFOs).

Undercover policing is a covert tactic used by the Police to obtain evidence and intelligence. It is also used to detect crime and disorder and help maintain public safety.

Undercover policing is a lawful and ethical tactic and when applied rightly can be very effective tool. In order to ensure it is kept this way, Authorised Professional Practice (APP) has been developed and used by Law Enforcement Agencies (LEAs) across the United Kingdom.

There is an undercover accreditation process that has been developed to provide an assessment of whether the management and governance of undercover units are effective in supporting safe, ethical and lawful undercover operations.

Undercover operatives (UCOs) are deployed as covert human intelligence sources (CHIS) in authorised investigations. There are three different types of UCOs, Undercover foundation(UCFs), Undercover advanced operatives (UCAs) AND Undercover online operatives (UCOLs). All must go through vigorous training and go through a robust selection process.

Police have a duty to respond to every incident reported in an appropriate way and in a timely manner. A critical incident (CI) is defined as:

any incident where the effectiveness of the police response is likely to have a significant impact on the confidence of the victim, their family and/or the community. An incident can be escalated to a CI when the police fail to meet the expectation of a victim/family and/or the community in responding to an incident.

Therefore critical incident management (CIM) is key within the police force. Different types of incidents can become critical, high profile, serious or homicide related. If the police do not respond in a timely manner to serious incidents it can result in loss of confidence by the public.

There are 3 stages to CIM:

1. Preparing for critical incidents – considering current management structures to ensure staff are trained effectively and resources are available

2. Managing critical incidents – identifying critical incidents early on and notified to the most appropriate person.

3. Restoring public confidence – restoring broken confidence amongst the public by community engagement, resolution and public inquiry.

Decision-making in the Police service can be very complex. Police officers most often have to make decisions in very difficult circumstances and situations and may not have all the necessary or complete information to hand. It is also very important to note that the role that police officers play and the environment where they have to make decisions can be very complicated. Police officers and police staff are sometimes required to make decisions in circumstances where those involved deliberately mislead or try to mislead them. As a result it may not always lead to the best outcome.

Therefore to create a framework that could allow officers to base their decisions on, and allow for examination of each decision and allow for some form of standardisation in decision making the National Decision Model (NDM) was created.

At the heart of the NDM, the Code of Ethics highlighted is essential for all decision making. This gives confidence for police officers to use the NDM and reduces risk. Decision makers will be supported by their organisation where it can be shown that their decision was assessed by the NDM and the circumstances at the time, even when harm has resulted as part of the decision making process.

Civil emergencies require a professional and structured response to all emergencies, this includes Police, fire and ambulance services and must meet the Civil Contingencies Act 2004. These services must have interoperable arrangements to allow for well-coordinated responses to major or complex incidents, as this would affect life.

This document helps to cover contingency planning and responses to civil emergences from the Police service.

Some major incidents may result in loss of life. Disaster victim identification (DVI) is the process of being able to identify a deceased in multiple fatality incidents. This involves combining antemortem and post-mortem examinations to make a positive identification using scientific means. This takes place at the same time an investigation is being undertaken.  DVI is an internationally accepter terms is and its principles are subject to international agreement through INTERPOL.

The Command and Control (C&C) solution is the incident management and deployment solution for police officers responding to incidents reports by the public. Command and control is the authority and capability of an organisation to direct the actions of its personnel and the use of its equipment.

Incidents are usually graded based on severity of the incident and officers have Service Level Agreements (SLA’s) target in responding to incidents especially serious/critical incidents. SLA’s may differ from police force. C&C can also be used for a wide range of scenarios ranging from policing local community events, to responding to a major criminal investigation such as a terrorist attack, arson attack requiring several officers to respond to more sensitive investigations such as a rape incident requiring more specialised officers.

There are times where certain incidents or operations where the police response requires a different approach and it may be necessary to establish a dedicated command structure such as bronze, silver and gold.

The success of any major incident coordination requires an organised, professional and methodical approach. The Major Room Incident (MIR) is critical to this coordination as this is where all information is gathered and analysed for response coordination.

Major investigation and public protection has many strands and arms. It consists of:

Major Crime:

• Child abuse

• Child sexual exploitation

• Domestic abuse

• Female genital mutilation

• Firearms licensing

• Forced marriage and honour-based violence

• Gangs and youth violence

• Gun crime

• Hate crime

• Homicide

• Kidnap and extortion

• Knife crime

• Missing persons

• Modern slavery

• Prostitution

• Rape and sexual offences

• Stalking or harassment

• Vulnerable adults

• Operation Hydrant

Public protection:

• Mental health

• Managing sexual offenders

It also has major elements of mental health. The Mental health Authorised Professional Practice (APP) has provided guidance on Police response to members of the public who are experiencing mental ill health, have learning disabilities and mental and emotional vulnerable individuals. The guidance applies whether the police are acting in a criminal justice or health care capacity or in both of these roles. 

There are incidents that take place where the police respond to a serious injury/incident or where there is a deceased or where at a later time the victim dies. This APP – describes the post-incident procedures, management, welfare and legal issues stemming from serious incidents.

The guidance outlines provision of accounts by officers and staff, provides responsibilities for key roles, and sets out approaches to organisational learning and debriefing. The information provided is relevant to any investigation, whether carried out by the force’s professional standards department (PSD) or by the relevant independent investigative authority (IIA).

It is the responsibility of each force to determine how the post-incident procedures will be implemented and should therefore create an implementation plan showing how each area, roles and responsibilities will be fulfilled. This should include any training plans needed for individuals carrying out specific roles.

Where serious injury or death has resulted in the discharge of a firearm by a police officer or member of police staff, this guidance will not apply. Please refer to APP Armed Policing.

It is important to note that a serious injury is referred to as a fracture, deep cut, deep laceration or injury causing damage to an internal organ or the impairment of any bodily function.

The Public Services Network (PSN) provides technical policies regarding the operation of its network. This provides a high-level guidance for the way in which government networks, as a whole should be managed.

The policies aim to create a simple mechanism for managing network services in government. The objectives of the policies are to:

• operate the PSN as a single OFFICIAL network enabling services to be consumed from both the Assured and Protected networks.

• enable the use of cloud email services that meet specific security standards for government email.

• bring PSN and other government Domain Name System (DNS) services into line with best practice.  

Email feedback to psnservicedesk@digital.cabinet-office.gov.uk 

This guidance gives practical advice on the secure development, procurement and deployment of generic applications.

There are three types of common security issues:

1. Secure data handling

2. Application hardening

3. Third party applications

This guidance is written main for risk assessors and application developers on how to minimise the loss of data from applications running on all devices handling sensitive data. Sensitive information should not be stored on devices when it's not required. If it must be stored on a device, a native data storage protection APIs (Application Programming Interface) available on the platform must be utilised. You must also ensure that the applications allows administrators to delete sensitive data from devices if they are compromised or lost and encrypt sensitive information when stored, protected by an authentication mechanism.

You must also securely implement cryptographic functions and store sensitive information securely, and hide it from the user until they have been authenticated and ensure that sessions timeout periodically and require the user or application to repeat the authentication process and where possible manage user accounts centrally.

This guidance covers the deployment of a range of end user device platforms for the secure configuration of Windows 10 1809. Risk owners and administrators should agree a configuration which balances business requirements, usability and security.

• Protective Monitoring Solution: All data should be routed over a secure enterprise VPN to ensure the confidentiality and integrity of the traffic. This also allows the devices, and data on them, to be protected.

• Applications should be authorised by an administrator and deployed via a trusted mechanism.

• Most users should have accounts with no administrative privileges.  Administrator accounts should have a unique strong password per device.

Testing was performed on a Windows Hardware Certified device, running Windows 10 Enterprise. This guidance is not applicable to Windows devices managed via an MDM or Windows To Go. 

This guidance is not applicable to Windows devices managed via an MDM or Windows To Go. 

Risk owners and administrators should agree a configuration, which balances business requirements, usability and security.

The exchange of incident information between key organisations such as the Police Force, Highways England, Ambulance Service, Fire service is critical to saving lives and keeping members of the public safe.

The exchange of key information between organisations using command and control systems that manage incidents and deployments are used through formatted messages using extensible markup Language (XML).

This technical document aims to describe the implementation guidelines for exchanging information between multiple command and control systems between different organisations (Multi Agency Incident Transfer (MAIT), describe communications and data management issues that need to be considered, whilst providing suitable implementation guidance as well as describing interfaces available and their XML’s.

The purpose of the code will be to ensure that individuals and wider communities have confidence that surveillance cameras are deployed to protect and support them, rather than spy on them. 
Surveillance cameras when used appropriately can be a great tool used for public safety, protection of property and people and serve as security.

The Surveillance cameras Code of Practice was issued under Section 30 of the 2012 Act to provide guidance appropriate and effective use of surveillance camera systems by relevant authorities. It is welcomed and encouraged for other operators to use the code but it is not mandatory.

This is a significant step in achieving the ongoing process of delivering the government’s commitment to the ‘further regulation of CCTV’, which is a gradual process. As the understanding and application of the code grows and matures overtime, the government may consider expanding its members of the code to other relevant bodies that they deem fit they will benefit from the code of practice. This is clearly seen by the government as a way of improving the standards of camera security operators.

This document was reviewed by the National Standards Assurance Board in February 2021 and although related documentation, such as the Surveillance Camera Commissioners 'Facing the Camera' code of practice exists, it did not replace this existing document, which still offers value.

The National ICT Strategic Principles sets out architectural rules and guidelines in fulfilling its ICT strategies across the force. It helps to define the underlying general rules for the use and deployment of all ICT capabilities across the Police Force.

The document includes the following principles:

   Architectural Business Principles:

• Business Continuity

• Service Orientation

• Compliance with Law

• ICT responsibility

• Responsive Change Management

   Technology:

• Cloud First

• Interoperability

   Data:

• Data is a an Asset

• Data is Accessible

• Information Asset Owner

• Data Security

• Management of Police Information

   Application Principles: 

• Technology Independence

• Single Authentication model

These have been reviewed by the National Standards Assurance Board in March 2021 and still deemed to posses relevant information. PDS confirmed that a new set of principles are in development to replace these.

Please note this is an OFFICIAL-SENSITIVE document, to request access please use the 'Contact Us' tab to raise a general query

The purpose of this document is to inform force/agency Senior Information Risk Owners (SIRO), National Information Asset Owners, National and force/agency Accreditors/Projects/programmes and other interested parties of the National Information Risk Appetite and its implications. This document should be read in conjunction with the BRG on Risk Appetite .

This document helps provide a baseline for defining and managing risk for all National information systems and National Police Infrastructure used within the Police services such as as Police National Database, Police National Computer, ViSOR/MAPS.

The document also helps form part of the national Information Assurance governance for information risk management and focuses on national Information Systems risk management and governance and force/agency risk management and governance.

The National Information Risk Appetite echoes the need for the police service to protect and manage risk with regards to information handling, as information mismanagement can compromise confidentiality and integrity, have an adverse impact on police operations and damage police public image and increase risks to the compliance or legal standing of the police force.

Intended audience readers are for police force SIROs, Information Asset Owners, police force Accreditors, programme and project managers as well as other interested parties in National Information risk management.

ISO 27033-2 gives guidelines to police forces on how to plan, design, implement and document effective network security.

This standard was reviewed by the authoring body in 2018 and still deemed current. This was also further reviewed by the National Standards Assurance Board in May 2021 and still found to be current and of value.

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

Over the years, information and communication technology (ICT) has become an integral part of many of the activities which are major elements of the critical infrastructures in all organisations. The proliferation of the Internet and other IT capabilities of systems and applications, has also meant that organisations have become ever more reliant on reliable, safe and secure ICT infrastructures. This reliance means that disruptions to ICT can constitute strategic risks to the reputation of the organisation and its ability to operate.

Failures of ICT services, including the occurrence of security issues such as systems intrusion and malware infections, will impact the continuity of business operations. Thus managing ICT and related continuity and other security aspects form a key part of business continuity requirements. In order for an organisation to achieve ICT Readiness for Business Continuity (IRBC), it needs to put in place a systematic process to prevent, predict and manage ICT disruption and incidents which have the potential to disrupt ICT services. 

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

In todays modern world, most organisations have their information systems connected by networks either within the organisation, between different organisations or between the organisation and the general public. The purpose of this International Standard is to provide detailed guidance on the security aspects of the management, operation and use of information system networks, and their inter-connections. 

This part of ISO/IEC 27033 provides an overview of network security. It defines and describes the concepts associated with, and provides management guidance on, network security. It also defines how to identify and analyse network security risks and then define network security requirements. It also introduces how to achieve good quality technical security architectures, and the risk, design and control aspects associated with typical network scenarios and network technology areas.

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

This international standard has been created for establishing, implementing, maintaining and continually improving a service management system (SMS). An SMS supports the management of the service lifecycle, including the planning, design, transition, delivery and improvement of services, which meet agreed requirements and deliver value for customers, users and the organisation delivering the services. Implementation and operation of an SMS provides on-going visibility, control of services and continual improvement, leading to greater effectiveness and efficiency.

This standard can be used by

• Customer seeking services and requiring assurance regarding quality of the service being provided

• Customer requiring consistent approach to the service lifecycle by all its service providers

• an organisation to demonstrate its capability for the planning, design, transition, delivery and improvement of services

• an organisation to monitor, measure and review its SMS and the services

• a provider of training or advice in service management.

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

Cloud service providers who process Personally Identifiable Information (PII) under contract to their customers need to operate their services in ways that allow both parties to meet the requirements of applicable legislation and regulations covering the protection of PII.

PII is sometimes referred to as personal data or personal information. A public cloud service provider is a “PII processor” when it processes PII for and according to the instructions of a cloud service customer. 

This standard was created to help the public cloud service provider to comply with applicable obligations when acting as a PII processor, enable the public cloud PII processor to be transparent in relevant matters, assist the cloud service customer and the public cloud PII processor in entering into a contractual agreement and provide cloud service customers with a mechanism for exercising audit and compliance rights and responsibilities.

There are three main requirements an organisation must identify for the protection of PII:

1. Legal, Statutory, Regulatory and Contractual Requirements

2. Risks Assessment

3. Corporate policies