Search - National Standard Microsite
Artificial Intelligence
This standard brings together a set of control requirements for the use of Artificial Intelligence (AI) in policing. To help the reader in this new area, Artificial Intelligence has been defined, along with a number of its sub-categories. This standard has an additional section targeted at developers and data scientists, to provide more detailed guidance, when developing AI-based solutions.
This standard adheres to the National Policing Community Security Policy Framework and is a suitable reference for community members, notably those who build and implement IT systems on behalf of national policing.
Vetting Requirements for policing
This guidance describes the vetting requirements for access to Policing assets including premises, information, and information systems. This document should be read in conjunction with the Statutory Vetting Code of Practice and Authorised Professional Practice on Vetting.
Tik Tok Standard
This standard provides direction on the use of TikTok across policing, in accordance with the latest guidance provided by the Cabinet Office.
Security Management Standard v1.0
This standard describes the requirements to implement and maintain an effective cyber security management system as required by the National Policing Community Security Policy Framework.
Implementation of this standard will help members to ensure that adequate management controls and oversight is in place to mature their cyber resilience.
Security Governance Standard V1.0
This Standard defines the requirements to implement Security Governance as mandated in the National Community Security Policy.
Information Assurance Standard V1.0
This Standard defines the requirements to implement Information Assurance as mandated in the National Community Security Policy.
This document describes the requirements to help implement a consistent and structured information security assurance programme, supported by comprehensive security testing (using a range of attack types), penetration tests, and regular security and risk compliance monitoring.
National Policing Community Security Policy v1.2
National Policing will maintain public trust by securing our data and by applying a consistent, proportional approach to technology risk across policing. The Community Security Policy (CSP) is an integral part of the Community Security Policy Framework and combined with Community Security Principles and the supporting standards, control objectives and other supporting documentation will help policing maintain public trust in its management of information assets. This Policy should be read in conjunction with the National Policing Community Security Policy (CSP) Framework, and Community Security Principles with which this policy is aligned. The audience, scope, objectives, governance and exception process for this policy are defined by the National Policing Community Security Policy Framework, which can be found in Knowledge Hub. For clarity this policy has been approved by the Police Information Assurance Board (PIAB) and applies to all members of the ‘Community of Trust’ as defined by the National Policing Community Security Policy Framework, and any suppliers and partners that have access to, store and/or process Police information, to provide services to Policing. This policy has taken into consideration and is aligned with industry best practice, which includes ISO/IEC 27002:2022, CIS Controls v8 (Center for Information Security), NIST Cyber Security Framework, CSA Cloud Controls Matrix v4 (Cloud Security Alliance) and NCSC 10 Steps to Cyber Security.
National Policing Community Security Principles v1.2
Principles are general rules and guidelines, intended to be enduring and seldom amended, that inform and support and prioritise the way in which National Policing decides which ideas, initiatives and/or opportunities are to be progressed (and warrant investment) and those that are not. These principles are a fundamental part of the National Policing Community Security Policy Framework and provide a foundation upon which a more consistent and structured approach to the design, development, and implementation of information security capabilities can be assembled. The primary focus of these principles is to provide the starting point for, setting the policy, standards and control objectives, which support the Community Security Policy Framework. The audience, scope, objectives, and governance for these principles are defined by the National Policing Community Security Policy Framework, which can be found on Knowledge Hub. For clarity these principles are approved by the Police Information Assurance Board (PIAB) and apply to all members of the ‘Community of Trust’ as defined by the National Policing Community Security Policy Framework, and any suppliers and partners that have access to, store and/or process Police information, to provide services to Policing.
National Policing Community Security Principles v1.0
Principles are general rules and guidelines, intended to be enduring and seldom amended, that inform and support and prioritise the way in which National Policing decides which ideas, initiatives and/or opportunities are to be progressed (and warrant investment) and those that are not. These principles are a fundamental part of the National Policing Community Security Policy Framework and provide a foundation upon which a more consistent and structured approach to the design, development, and implementation of information security capabilities can be assembled. The primary focus of these principles is to provide the starting point for, setting the policy, standards and control objectives, which support the Community Security Policy Framework. The audience, scope, objectives, and governance for these principles are defined by the National Policing Community Security Policy Framework, which can be found on Knowledge Hub. For clarity these principles are approved by the Police Information Assurance Board (PIAB) and apply to all members of the ‘Community of Trust’ as defined by the National Policing Community Security Policy Framework, and any suppliers and partners that have access to, store and/or process Police information, to provide services to Policing.
National Policing Community Security Policy Framework v1.2
This framework defines the holistic approach to information and technology risks by aligning to Government Security standards, guidance from the National Cyber Security Centre (NCSC) and industry best practice. The National Policing Community Security Policy Framework supports a proportionate baseline standard of cyber security for National Policing to deliver its operational and strategic objectives. As the cyber threat landscape facing the UK Police forces continues to evolve, so must the means by which forces maintain their security posture. The purpose of the National Policing Community Security Policy Framework is to provide the structure for information security for National Policing, suppliers, and partners to carry out their services securely.
Robotic Process Automation Cyber Security Guidance
This guidance describes best practice cyber risk management controls for using Robotic Process Automation (RPA)
for the purpose of automating manual administrative overheads for National Policing Forces and
applications. This document only provides guidelines to automating manual processes and is not intended for machine
learning (ML) or artificial intelligence (AI) derived solutions. Please refer to separate guidelines and standards
for Digital Process Automation (DPA), AI and ML related activities.
Safe deployment of TikTok
This guidance provides an overview of approaches to deploy TikTok safely
National Police Information Security Risk Management Risk Balance Case Template
The National Policing Information Security Risk Management Framework provides the foundations of risk management across policing in line with the Police Cyber Assurance Framework (PCAF).
This template must be completed in conjunction with the National Security Risk Management Framework and Guidance.
The Risk Decision Document should be a single document that outlines any national risk, and the recommended measures for mitigating it. The template is organised into sections, each containing specific guidance points on content to be included.
National Police Information Security Risk Management Guidance
The National Policing Information Security Risk Management Framework provides the foundations of risk management across policing in line with the Police Cyber Assurance Framework (PCAF). This guidance supports the risk management framework by detailing the actions required to firstly assess a risk, and then to manage it via the national risk register. This guide must be read in conjunction with the National Security Risk Management Framework.
National Police Information Security Risk Management Framework
This framework is to ensure that all security risks are identified, assessed, and managed in accordance with best practice in order to facilitate improved governance. It is mandatory for all information systems that hold Police information or which deliver an operational service to policing to undergo a risk assessment, as stipulated in the National Policing Community Security Policy. The Security Risk Management Framework mutually supports the Police Cyber Assurance Framework (PCAF). The framework supports the requirements of the National Community Security Policy (NCSP.)
POLE Data Standards Catalogue v1.0
The intended purpose of this standard is to promote interoperability and improve the data quality of systems by converging on a common set of POLE data definitions used within Policing. POLE data definitions describe how People, Objects, Locations and Events (POLE) should be formatted.
There are 44 POLE entities described in this standard including:
- 20 person entities
- 13 object entities
- 5 location entities
- 6 event entities
The standard defines the attributes (field size, format, type) used to create the entities and contains and “entity x attribute map”. It also contains validation rules for these attributes.
This standard is owned by the National Police Chiefs Council (NPCC) and should be regarded as the default data standard for all POLE entities.
Along with the standard, the POLE data model (POLE v1.1.accdb) and data dictionary (POLE data standards - Data dictionary v1.1.xlsx) are also attached below.
IDENTITY AND ACCESS MANAGEMENT STANDARD
This standard defines the requirements which, when applied, will define identity and access management
standards to national policing IT systems. Areas considered include account management, access control
mechanism, privilege access, account provisioning, account review, access suspension and termination,
guest accounts, third party access and audit requirements.
This standard adheres to the National Policing Community Security Policy Framework and is a suitable
reference for community members, notably those who build and implement IT systems on behalf of
national policing.
This standard also relates to other PDS standards such as passwords, system access, PAM, vetting, which
the audience should also consider
Bluetooth Guidance V1.0
This guidance provides policing and law enforcement organisations with relevant information regarding risks associated with deploying Bluetooth technology within the workplace, and to enhance the risk-based decisions required in the use of such technology. This guidance adheres to the National Policing Community Security Policy Framework and is a suitable reference for community members, notably those who build and implement IT systems on behalf of national policing.
Cryptography Standard v 1.0
The purpose of this standard is to establish a set of cryptographic algorithms and protocols for use in specific applications for the transmission and storage of Police Data up to the classification of OFFICIAL. The requirements are the minimum acceptable levels of encryption and are aligned to the NIST and NCSC frameworks and are applicable to cloud environment, on premises environments and the data networks that interconnect them.
Third Party Assurance for Policing (TPAP)
This Standard is to ensure that all third party suppliers are examined to fully understand their overall security posture and how that may impact upon Policing, ensure they fully understand the responsibilities they have in looking after policing data, that elements such as the importance of vetting and the cyber security of their systems is understood and they are aware of the requirements when handling and communicating that data.
OVERSEAS IT ACCESS GUIDELINES
This guidance describes best practice risk management controls for accessing Policing ICT resources whilst abroad. It also describes the circumstances when forces can make a local decision or when referral to NSIRO is required when use abroad is required.
System Access Standard
This standard defines the requirements which, when applied, will prevent unauthorised access to national policing IT systems. Areas considered include account management, access control mechanisms e.g. biometrics and customer access.
This standard adheres to the National Policing Community Security Policy Framework and is a suitable reference for community members, notably those who build and implement IT systems on behalf of national policing.
This standard also relates to other PDS standards passwords and IAM, which the audience should also consider.
Password Standard v1 approved by NCPSB JAN 23
This standard supports the National Community System Policy System Access requirements with respect to defining requirements for the use and selection of a password / passphrase-based method of authentication. It should be read in conjunction with the System Access standard. Passwords represent only one method of authentication (something that you know) and should be combined with other methods such as something you have (token) or something you are (biometric). It is not always possible especially with legacy applications or services to utilise multi-factor authentication, and this is where this standard can help to ensure that risks are effectively managed. A strong passphrase / password will help to ensure lawful business access to applications, mobile devices, systems and networks when combined with an agreed access control policy and supported by an Identity and Access Management (IAM) system. Undertaking a business impact assessment (BIA) is important to determine specific information security requirements to support proportionate risk management. This Standard is aligned with the NCSC’s password guidance.
Digital Evidence Storage v3.0
This is intended as a high-level overview of the requirements for digital evidence storage in a multimedia context. Ratings follow the MoSCoW system of Must, Should, Could and Won’t. The requirements are split into two sections, File Handling and Functionality. Systems must be compliant with the principles in the DSTL NPCC Digital Imaging and Multimedia Procedure v3.0 and Recovery and Acquisition of Video Evidence v3.0 and adhere to the Forensic Science Regulator Act 2021 and Statutory Code.
NPCC framework for use of video evidence v3.0
This document is relevant to all police non-specialist front-line staff and forensic unitsi who utilise video evidence and to bring clarity around activities relating to recovery, acquisition, viewing and processing of CCTV. It outlines those activities that must be undertaken by Police Forces and accredited laboratories in line with the Forensic Science Regulator Act 2021 and Statutory Code. The following charts stipulate what level of training is required and whether force procedures must be in place to carry out Forensic Science Activities (FSAs) and mitigate the risks highlighted by the risk matrix where activities may be excluded from accreditation. This document has been created to support the recommendations of the NPCC CCTV Working Group and Specialist Capability Network and supersedes the now defunct Annex A and B CCTV Scope for Accreditation document, which was previously circulated by the NPCC as a supplement to the first Forensic Regulators FSR-C-119 Code of Practice and Conduct, now replaced by the Statutory Code and FSA Digital Forensics - Video Analysis, and FSA Basic Recovery and Acquisition of Images.
Police National Database (PND) Interface Business and Technical Guidance for Data Providers v3.5.0
This document provides:
• High level PND requirements
• Overview of Data requirements
• PND Message Schema design
• Data transmission mechanisms
• Data Scope
• Overview of software resources available including Data Test Suite.
Note this document is graded OFFICIAL-SENSITIVE, access can be requested by the 'Contact Us' tab at the top of the page.
UK Gov Cookie Cutter Data Science Project Template
This is a data science cookiecutter template for analytical, Python-, or Python and R-based projects within Her Majesty's Government, and wider public sector including policing, where it has been trialled and used as a standardised template for effectively sharing data science work and includes security features using pre-commit hooks to preserve sensitive information.
It also provides an Agile, centralised, and lightweight analytical quality assurance (AQA) process. Pull or merge request templates are used to nudge users to complete this process. This helps meet HM Government best practice on producing quality analysis, as defined in the Aqua Book.
The original developer in GDS has provided a blog post explaining the reasons for creation and provided a live demonstration from March 2021 on version 0.5.3.
The National Standards Assurance Board reviewed this in January 2022 and found it being owned and actively developed by the Office for National Statistics, Best Practice and Impact team.
Open Source Software - Exploring the Risk (Good Practice Guide 38)
This guidance seeks to assist a range of IA professionals in exploring the risks associated with the use of Open Source Software (OSS) products. It does so by prompting a number of ‘whole lifecycle’ issues and questions which potential users should ask themselves when making software choices, not just of OSS, but also of proprietary products. This is because there are no ‘right’ or ‘wrong’ answers when it comes to the security of OSS versus that of proprietary (typically closed source code) products. There are good and bad examples of each in this respect and no one type is inherently more, or less, secure than the other.
This guidance supports the Government ICT StrategyI objective of creating a level playing field for open source software solutions. It does not evaluate, recommend or otherwise offer judgement on the following:
Specific OSS products;
Savings in running costs that an organisation may realise by the adoption of OSS over proprietary products;
The legal risks that may arise, for example from issues concerning copyright, intellectual property, or infringement of licences
This guidance was reviewed by the National Standards Assurance Board in January 2021 and was deemed to still provide relevant information
Retention, Storage and Destruction of Materials and Records relating to Forensic Examination
The purpose of this document is to provide guidance on the retention, storage and destruction of forensic materials and their associated records retained by physical and digital Forensic Units.
Biometric Standards and Exchange Requirements for Home Office Partners and their Suppliers v3.04
The purpose of this document is to provide details of the biometric interchange and image standards that must be adhered to by Partner1 organisations and their Suppliers that need to communicate with the back end biometric matching systems governed by the Home Office Biometrics (HOB) programme. (Note that the current HOB systems covered in this document are the HOB Biometric Services Gateway (BSG), Home Office “Immigration and Asylum Biometric System” (IABS) and national police fingerprint system, “IDENT1”.)
The document is divided into five parts as follows:
1) The Home Office biometric exchange format – “HONE-1”
2) Biometric recording and image standards, mandatory
3) Biometric recording and image standards, conditional
4) Biographic data, general
5) Appendices