Search - National Standard Microsite

National Institute of Standards and Technology (NIST), covers a wide range of topics including Bioscience, Chemistry, Advanced Communications, Cybersecurity, Energy, Materials, Nanotechnology, Neutron research, Physics, Health, Infrastructure, Public Safety, Standards, Transportation and many more.

NIST also cover a wide range of publications, laboratories and programs, Research projects, Services and Resources Software, Data, Computer Security Resource Center, and News and Events.

Under Cybersecurity, there is a framework developed to help organisations to better understand and improve their management of cybersecurity risk.

The Cybersecurity framework consists of standards, guidance, and best practices.

It stages of the framework:

1. Identify

2. Protect

3. Detect

4. Respond

5. Recover

The cyber security framework help organisations prioritise, become flexible and cost-effective in promoting and dealing with protection and resilience of critical infrastructure and other parts critical to the national security and economy.

For further information and/or questions about the Cybersecurity Framework please contact:  cyberframework@nist.gov

The Technology Code of Practice is a set of criteria to help government design, build and buy technology. Technology Code of Practice should be used for all technology projects and programmes and should be aligned to the mandatory code and as much as possible align the organisation’s technology and business strategies to the Technology Code of Practice.

Following the Technology Code of Practice will help introduce or update technology so that it:

• meets user needs, based on research with your users

• is easier to share across government

• is easy to maintain

• scales for future use

• is less dependent on single third-party suppliers

• provides better value for money

• makes use of open standards

Organisations must consider all points of the Technology Code of Practice as part of the Cabinet Office spend control process as it’s used as a cross-government agreed standard in the spend controls process. Where legacy technology limits your ability to adhere to the standard, you must explain this to the GDS Standards Assurance team.

Industry Security Notices (ISNs)

 A Industry Security Notice (ISN) is an official document that tells people in industry about important instructions, guidance or other information relating to security.

Information from Ministry of Defence, that provides updates.

• ‘ISN 2014/04 Farnborough International Air Show 2014: exhibition clearances’ has been removed

• ‘ISN 2014/01: Government Security Classification Scheme’ updated April 2014

• ‘ISN 2011/05 Defence & Security Equipment International (DSEi) 2011: exhibition clearances’ has been removed

• ‘ISN 2011/02: incident report’ has been superseded by ‘2011/07: incident reporting’

• ‘ISN 2011/03: Nato personnel security clearances’ has been superseded by ‘2014/03: Procedure for UK contractors to obtain Nato personnel security clearances’

Ensuring that the right candidates are selected for policing roles is essential. Employing the right selection process is essential to make the most efficient use of money, time and resources and can have the following benefits:

• Reduce the probability of selecting individuals who will not perform at their jobs effectively.

• Better value at the national Assessment process

• Minimises disproportionality in outcomes for underrepresented groups

• Maximise candidates potential by supporting, them and ensuring a positive candidate experience.

It is known that not all forces handle their recruitment process in the same way in the early process and therefore causes discrepancies in the way people are recruited in the police force. A sifting solution is being undertaken that aims to help effectively mange candidates. Whilst this is still on-going, this document aims to help police forces consider some key principles for an effective end-to-end recruitment process.

Each area should be considered:

• Recruitment strategy

• Attraction campaign and positive action

• Registration

• Force selection

• National Assessment Process

• Post-assessment process activity

• Appointment

Monitoring of each area and collaborating with other learning providers are critical to the improvement, maximisation and best practise of the selection process.

Data sanitisation is a key aspect to any organisations dealing with data storage media and who want to ensure that unauthorised parties do not gain access to their data.

Data sanitisation has to do with the safe removal, treatments and disposal of sensitive information from storage media devices to guarantee that retrieval and reconstruction of data is not possible or may be very difficult to reproduce as some forms of sanitisation will allow you to re-use the media, while others are destructive in nature and render the media unusable.

There could be many reasons why an organisation may want to sanitise its data:

• Re-use purposes – new user device allocation, re-purpose or resell device.

• Repair purposes - return or repair faulty device

• Disposal purposes – dispose of device

• Destruction purposes – destroy information held on device or the device itself.

There are risks associated with improper sanitisation as key data may still remain on the device, such as:

• Sensitive data may end up with the wrong people who can expose the sensitive data

• Loss of control over information assets

• Private or personal data could be leaked and used to commit fraud or identity theft.

• Intellectual property could be used leading to reputational loss

Whilst this may not be entirely a sanitisation issue, it is part of it and one way to combat these risks is using encryption.

Guidance on how organisations should secure their technology and services to protect UK government information classified as OFFICIAL. 

The vast majority of UK government public services are conducted at the Official classification. Business operations and services include information routinely used that can have damaging consequences if lost or stolen.

Security at Official is achieved through following good commercial practices and understanding security needs and matching these requirements to the latest available technology availabilities. 

Guidance for organisations deploying a range of end user device platforms as part of a remote working solution.

Modern smartphones, laptops and tablets provide users with great flexibility and functionality, and include security technologies to help protect information and as such this security guidance document is general to all end user devices (EUD) and their deployments to help harness its security capabilities without hindering its functioning ability by ensuring device configuration are set up correctly.

This guidance is to help optimise security functions, allow for greater user responsibility to reduce security complexity, maintaining user experience, logging and audit information and enable greater interoperability of IT systems.

Intelligence is information collected and gathered for the purpose of taking action. This process is continuous and critical to effective policing operations that allow for tactical options and prioritisation. Such intelligence can sometimes be classified as confidential or sensitive.

A Code of Practice has been issued by the secretary of state to develop a national intelligence model (NIM), which sets out principles and standards for chief officer and police and crime commissioners to adhere. Ensures the results of the standards are systematic for continuous progress and also helps promote compatibility of procedures and terminology for the (NIM) as well as monitor and evaluate the promulgation of good practice.

The code of the practice came into effect in January 2005.

All public services sending emails out on behalf of government organisations must follow all protocols, processes and guidelines to ensure that they secure their email service. This includes:

• the service providing users with mailbox access

• internal relays and gateways

• email filtering services

• third party services that send email on your behalf, like transactional email services

Key configurations are needed to ensure you email services run smoothly:

• Transport Layer Security (TLS)

• DomainKeys Identified Mail (DKIM)

• Domain-based Message Authentication, Reporting & Conformance (DMARC)

• Public Domain Name System (DNS)

• Ability to make administrative changes

If there are any changes made to your email security, ensure that you communicate such changes to all staff in your organisation.

This guidance applies to all email domains that public sector organisations run on the internet. It also helps ensures that public sector organisations exchanges email securely with other public sector organisations. Protecting emails in transit makes it difficult for domains to be spoofed.

All public sector emails must be kept secure by:

• encrypting and authenticating email in transit by supporting Transport Layer Security (TLS) and Domain-based Message Authentication, Reporting and Conformance (DMARC) as a minimum

• making sure the recipient protects the data you send to them

• making email security invisible to end users as far as practically possible

Encryption and authentication only work if both the sender and the recipient use them.

The Government Digital Service recommends protecting email by:

• forcing TLS when sending to .gov.uk

• forcing TLS when sending to any other domains that supports it if the local risk profile requires it

• using extra encryption services if needs be

DomainKeys Identified Mail (DKIM) verifies an email’s domain and ensures it has not been tampered with in transit. The receiving email service can then filter or reject email that fails the DKIM check. In order for DKIM to verify an emails domain it uses public key encryption to check email by creating a hash using the content of each outbound email. The sending service then encrypts the hash with its private key and adds it to the email header. This is the DKIM signature.

The receiving email service looks up the public key in the sender’s DKIM DNS (DOMAIN NAME SYSTEM) record then uses the public key to decrypt the DKIM signature on the email. It also generates a hash of the email in the same way the sending email service did. If the hash matches the decrypted DKIM signature then the email passes the DKIM check. This means the email came from where it says it came from and has not changed in transit.

An agreed and designed common data standards are used by the Criminal Justice System, ICT suppliers to support ICT communications between systems used by Criminal Justice Organisations (CJO) to support CJS operations. They are also used with open data standards as defined in the government’s Open Standards Principles. These common standards are also used to support data analytics, bidding for CJS contracts etc.

The selection of the CJS data standards is made by the CJS Data Standards Forum. This is a technical forum which has representatives from the principal CJOs.

There is a Data Standard Catalogue used to support the exchange of criminal justice information between different CJOs.

There are three different types of data standard reflected in the catalogued:

• formatting standards

• organisational structure standards

• reference data standard

The Data Standard catalogue is constantly reviewed by the Data Standards Forum to ensure a set of standards is produced that is as small as possible while still being fit for purpose. 

The End User Device (EUD) Security Principles sets out 12 core guidance principles that underpin the safety and security of using devices that serve the purpose of working remotely. The twelve principles are as follows: 

1. Data-in-transit Protection: Data should be protected as it transits from the EUD to any services the EUD uses. 

2. Data-at-rest Protection: Data stored on the device should be satisfactorily encrypted when the device is in its “rest” state. 

3. Authentication:

- User to device: the user is only granted access to the device after successfully authenticating to the device.

- User to service: The user is only able to access enterprise services after successfully authenticating to the service, via their device.

- Device to service: Only devices which can authenticate to the enterprise are granted access.

4. Secure Boot: An unauthorised entity should not be able to modify the boot process of a device, and any attempt to do so should be detected.

5. Platform Integrity and Application Sandboxing: The device can continue to operate securely despite potential compromise of an application or component within the platform, 

6. Application allow Listing: The enterprise can define which applications are able to execute on the device, and these policies are robustly enforced on the device.

7. Malicious code detection and prevention: The device can detect, isolate and defeat malicious code which is present on the device.

8. Security policy enforcement: Security policies set by your organisation are robustly implemented across the platform.

9. External interface protection: The device is able to constrain the set of ports (physical and logical) and services exposed to untrusted networks and devices. 

10. Device Update Policy: You are able to issue security updates and can remotely validate the patch level of your entire device estate.

11. Event Collection for Enterprise Analysis: The device reports security-critical events to your audit and monitoring service. 

12. Incident Response: Your organisation has a plan in place to respond to and understand the impact of security incidents.

All of these principles must be considered when securing and deploying devices.

The End User Device (EUD) Security Principles sets out 12 core guidance principles that underpin the safety and security of using devices that serve the purpose of working remotely. The twelve principles are as follows:

1. Data-in-transit Protection

2. Data-at-rest Protection

3. Authentication

4. Secure Boot

5. Platform Integrity and Application Sandboxing

6. Application allow Listing

7. Malicious Code Detection and Prevention

8. Security policy Enforcement

9. External Interface Protection

10. Device Update Policy

11. Event Collection for Enterprise Analysis

12. Incident Response

All of these principles must be considered when securing and deploying devices.

Statutory auditors should adhere to the highest ethical standards and should be subject to professional ethics. This Directive aims at high-level to bring about harmonisation of statutory audit requirements as a result of lack of a harmonised approach to statutory auditing in the Community. This was the reason why the Commission proposed, in its 1998 Communication on the statutory audit in the European Union that a creation of a Committee on Auditing which could develop further action in close cooperation with the accounting profession and Member States be established.

The output/recommendation from the committee setup was a Recommendation was a set of Fundamental auditing Principles. The statutory audit requires adequate knowledge of matters such as company law, fiscal law and social law for Audit qualifications obtained by statutory auditors. In order to protect third parties, all approved auditors and audit firms should be entered in a register which is accessible to the public and which contains basic information concerning statutory auditors and audit firms. 


It is important to note that good audit quality contributes to the orderly functioning of markets by enhancing the integrity and efficiency of financial statements. 


Digital CCTV installations vary greatly in terms of the recording methods as a result of varying solutions with different capabilities and functionality which are used to capture picture and video evidence with export facilities provided.

This document provides guidance on the retrieval of video from any digital CCTV system in its native file format and the methods for the production of working copies in non-native file formats, where this is necessary to facilitate further processing or replay in court.

The document contains a flowchart to help the user select the most appropriate retrieval method to use for any given CCTV system. Explanatory notes are also provided for each option and guidance

given for assessing the practicality and suitability of each technique to ensure that the right retrieval method is selected to uphold evidential integrity.

The guidance also covers the production of working copies, specifically where this involves a conversion between video formats.

Options have also been presented for final storage of the working copy. Information is given as to the suitability of each conversion technique and storage medium, so that appropriate choices can be made to best minimise the potential degradation in image quality.

A checklist of actions is provided when retrieving data to ensure that all relevant information is captured and evidential integrity is maintained.

The National Intelligence Model (NIM) is a well-established model within the policing world that was established in 2000 by the National Criminal Intelligence service (NCIS) and adopted by Association of Chief Police Officers (ACPO) to help to mange the use of setting strategic direction, making prioritised resourcing decisions, intelligently allocating resources in the most efficient manner, developing and outlining tactical plans, coordinating activities and managing associated risks.

NIM has three levels which it operates on:

• Level 1 – Local/Basic Command Unit (BCU)

• Level 2 – Force and/or regional

• Level 3 – Serious and organised crime that is usually national or international

NIM doesn’t just only help to serve crime and intelligence decision-making but is expansive in its dynamics and touches on the general policing business and decision-making. It also serves as a standardised approach for gathering, co coordinating and disseminating intelligence, which can be integrated across all forces and law enforcement agencies.

NIM allows for greater consistency of policing across the UK, operational strategies to focus on key priorities, ensures more officers are focused on solving priority problems and targeting the most active offender, achieves greater compliance with human rights legislation, improves direction and briefing of patrols, helps to reduce rates of persistent offenders through targeting the most prolific and helps to improves integration with partner agencies.

The use of Body worn video (BWV) includes video and microphone both audio and visual recording. The recording can also be stored and exported.

BWV has become extremely in the video surveillance sector and within the Police Force, as officers are able to use BWV and capture key important evidence whilst on operational duty. However have been some issues around privacy, data security technical capabilities.

To ensure that BWV, is used for its intended purpose this standard has been written to provide operational and technical guidance to help strike a balance between safety and the privacy of the individuals being recorded and foster public trust in where and when BWV can be used.

Some of the activities in which BWV can be used are in emergency responses, night-time economy operations/events, security guarding, parking enforcement, door supervision.

Intended readers are Police officers, security companies, entertainment venues, local authorities.

Fees to accessing the standard may apply.

Intelligence is information (raw data) worked, evaluated in context to its source and reliability to create added value and meaning to its user (Information + Evaluation = Intelligence).

Analysis is about tracing their source to discover the general principles behind the information and ascertaining parts. Therefore we can say that intelligence analysis is about collecting and utilising information, evaluating it to process it into intelligence, and then analysing that intelligence to produce products to support informed decision-making. 

Analysis goes beyond the facts asking questions such as: 

• What exactly is the problem?

• What is it a problem?

• What information do we already possess that is relevant to the problem?

• Where is the information held?

• How can we obtain it?

• What meaning can we extract from the information?

• Are we ready to take action with the information received?

The process of applying these questions, evaluating the answers, choosing the response and outputs/actions is the process and essence of what analysis is about. Analysis is going beyond the facts and digging deeper.

Therefore criminal intelligence analysis is the in-depth analysis of criminal activity, criminal information and the criminals. This also includes the retrieval and storage of digital/online content. The use of Information Technology has become ever so critical in the modern age.

The role of the forensic science regulator is to advise the Government and the criminal justice system on quality standards in the provision of forensic science. Recommend new requirements for new and improved standards and providing advice and guidance so that providers will be able to demonstrate compliance with common standards, in procurement and in courts 


A key requirement of any standards framework in forensic science is that the output meets the requirements of the Criminal Justice System (CJS). 
 This document sets out the view of the Regulator as to the legal landscape within which forensic scientists operate within the CJS. 


There are legal obligations placed on expert witnesses as sources in the Criminal Justice System in England and Wales as Expert evidence is admissible “to furnish the court with scientific information which is likely to be outside the experience and the knowledge of a judge or jury”. This places the expert witness in a privileged position.

It is important to note that expert evidence can only be given by a person who is an expert in the relevant field. An expert witness must provide the court with objective, unbiased opinion on 
matters within his expertise 
Witnesses must act with honesty and good faith. 


Police engagement and communication is key to the success of community policing and having an effective presence in the area the police serves in. Developing and maintaining healthy and positive relationships with community leaders and the wider public is crucial for establishing engagement. Without this being able to prevent, detect or investigate and solve crime may become much more difficult, as well as bringing offenders to justice. It will reduce confidence and public image in the Police service as service to the public may become unworkable. There it is important that both the public and Police service both cooperate and be in intentional about developing strong relations.

It is important to the local police that communities have confidence and trust in the Police Service in order for the Police to carry out their duties effectively and to keep communities safe. Both parties play an essential role in the world of policing.

This document sets out the principles of engagement and communication, including public relations.

Asset Disposal & Information Security Alliance (ADISA) is an organisation designed to improve risk management and data protection within business processes for IT asset retirement and disposal.

The ADISA ICT Asset Recovery Standard 7.0 is an updated version released in January 2020 from its first launch from its first launch in 2010. It better aligns to the updates and amendments of the Data Protection legislation including but not limited to the EU General Data Protection Regulation, the UK Data Protection Act and the Californian Consumer Privacy Act 2018.

This area covers asset management and data sanitisation. The ADISA ICT Asset Recovery Standard was developed to identify risk which might exist within this process and to then assess countermeasures which are in place to mitigate that risk.

 The objective of the ADISA Asset Recovery Standard is to ensure that every data bearing asset is managed throughout the process and that any resident data is sanitised in accordance with the client’s requirements or to industry best practice levels, to promote the re-use of assets through risk management and to help organisations comply with Data Protection Laws.

These are achieved by creating a physical environment within the ITAD process which offers equivalent levels of security to those in place when the asset is in its live environment, testing the abilities of the service provider to create and then maintain the chain of custody throughout the process, ensuring the process is consistent and repeatable, assessing current data sanitisation processes on ALL media types.

The Standard is presented in 10 Modules each covering different aspects in asset recovery and contain mandatory requirements.

There are current plans for version 8 of this document.

European Pool against Organised Crime (EPOC IV) was introduced in 2004 as the Eurojust Case Management System.  It facilitates the secure storage of case-related personal data, the exchange of information amongst National Members and the analysis of that data.

EPOC also provides a set of tools to facilitate interoperability of national systems and can be used as a component to support international cooperation in national systems.   

Reference Dataset consists of:

• Currency Class

• EU EPOC Country (Bulgarian)

• EU EPOC Country (English)

• EU EPOC Country (French)

• EU EPOC Country (Lithuanian)

• EU EPOC Country (Slovene)

• EU EPOC Crime Type (Bulgarian)

• EU EPOC Crime Type (English)

• EU EPOC Crime Type (French)

• EU EPOC Crime Type (Lithuanian)

• EU EPOC Crime Type (Slovene)

• EU EPOC Currency Type (English)

• EU EPOC Currency Type (Lithuanian)

• EU EPOC Drug Code (English and Other Languages) L1 (English)

• EU EPOC Drug Code (English and Other Languages) L2 (Other Languages)

• EU EPOC Drug Code (Lithuanian)

• Home Office Drug Codes L2 (Description)

• ISO 3166-1 Country Codes 2 Char

An investigation is undertaken when a crime has been reported and a police officer investigates the circumstance following all lines of enquiry of the situation to determine if a crime has been conducted and where a person/s should be charged with an offence, or if the person who offended is guilty.

Under the Home Office counting rules, when members of the public are making a complaint, victims should be believed for the matter of recording a crime unless it's clear that the incident did not happen. An investigators duty is to gather and test all material presented including witness accounts/statements and use technical and scientific expertise to maximise evidential opportunity.

The following outcomes may be that the suspect is prosecuted in court, receives an out of court disposal, community resolution or charges dropped. A lot of the times investigators may not find enough evidential material to make a charging decision either as a result of lack of evidence or not enough lines of enquiry to pursue. However the investigation outcome must still be recorded accurately for intelligence purposes and especially for future use, as this will help police identify crime hotspots and help reduce crime rates.  

The Police and Criminal Evidence Act 1984 (PACE) and the associated Codes of Practice set out the legislation and standards for dealing with people who come into contact with the police. Whilst members of the public are detained in custody, officers and staff should treat them in a way that is dignified and takes account of their human rights and individual needs. The Police force are only allowed to use force within a custody suite which is deemed necessary, proportionate and lawful and must be recorded by officers who have undergone appropriate and adequate training.

The PACE covers the following:

• police use of force

• lawful arrest

• searches

• designation of a police station

• police resources

When an officer makes an arrest, they are personally responsible for the risk assessment and welfare of the detained person. This responsibility continues until the suspect is handed over to the custody officer for a decision regarding detention. For a member of the public to be detained at a police station the following must be addressed and considered by the Custody officer:

• the grounds for detention

• whether to grant bail

• whether to authorise or refuse detention

It is possible for an individual arrested not to be detained if the custody officer believes that there are insufficient grounds for detention. The reasons must be and the detainee must be released.

There are occasions that require the use of firearms by Authorised Firearms Officers (AFOs) in conflict situations. This response is a well-established and necessary approach to managing conflict. Commanders and AFOs are trained to analyse and determine appropriate courses of action in the course of armed deployments.

Police officers have a positive duty to protect the public from harm – a duty of care to all involved must be the overriding consideration. Police decision-making and response is vital in such situations and thus the National Decision model (NDM) is used to assist with the decision-making process.

The Authorised Professional Practice for Armed Policing covers guidance on the appropriate use of firearms within the police force. It also acts as a basis for training police officers in matters relating to the operational use of firearms.

The also provides guidance on structural command, tactical options and operational challenges with the deployment of Authorised Firearms Officers (AFOs).

Undercover policing is a covert tactic used by the Police to obtain evidence and intelligence. It is also used to detect crime and disorder and help maintain public safety.

Undercover policing is a lawful and ethical tactic and when applied rightly can be very effective tool. In order to ensure it is kept this way, Authorised Professional Practice (APP) has been developed and used by Law Enforcement Agencies (LEAs) across the United Kingdom.

There is an undercover accreditation process that has been developed to provide an assessment of whether the management and governance of undercover units are effective in supporting safe, ethical and lawful undercover operations.

Undercover operatives (UCOs) are deployed as covert human intelligence sources (CHIS) in authorised investigations. There are three different types of UCOs, Undercover foundation(UCFs), Undercover advanced operatives (UCAs) AND Undercover online operatives (UCOLs). All must go through vigorous training and go through a robust selection process.

Police have a duty to respond to every incident reported in an appropriate way and in a timely manner. A critical incident (CI) is defined as:

any incident where the effectiveness of the police response is likely to have a significant impact on the confidence of the victim, their family and/or the community. An incident can be escalated to a CI when the police fail to meet the expectation of a victim/family and/or the community in responding to an incident.

Therefore critical incident management (CIM) is key within the police force. Different types of incidents can become critical, high profile, serious or homicide related. If the police do not respond in a timely manner to serious incidents it can result in loss of confidence by the public.

There are 3 stages to CIM:

1. Preparing for critical incidents – considering current management structures to ensure staff are trained effectively and resources are available

2. Managing critical incidents – identifying critical incidents early on and notified to the most appropriate person.

3. Restoring public confidence – restoring broken confidence amongst the public by community engagement, resolution and public inquiry.

Decision-making in the Police service can be very complex. Police officers most often have to make decisions in very difficult circumstances and situations and may not have all the necessary or complete information to hand. It is also very important to note that the role that police officers play and the environment where they have to make decisions can be very complicated. Police officers and police staff are sometimes required to make decisions in circumstances where those involved deliberately mislead or try to mislead them. As a result it may not always lead to the best outcome.

Therefore to create a framework that could allow officers to base their decisions on, and allow for examination of each decision and allow for some form of standardisation in decision making the National Decision Model (NDM) was created.

At the heart of the NDM, the Code of Ethics highlighted is essential for all decision making. This gives confidence for police officers to use the NDM and reduces risk. Decision makers will be supported by their organisation where it can be shown that their decision was assessed by the NDM and the circumstances at the time, even when harm has resulted as part of the decision making process.

Civil emergencies require a professional and structured response to all emergencies, this includes Police, fire and ambulance services and must meet the Civil Contingencies Act 2004. These services must have interoperable arrangements to allow for well-coordinated responses to major or complex incidents, as this would affect life.

This document helps to cover contingency planning and responses to civil emergences from the Police service.

Some major incidents may result in loss of life. Disaster victim identification (DVI) is the process of being able to identify a deceased in multiple fatality incidents. This involves combining antemortem and post-mortem examinations to make a positive identification using scientific means. This takes place at the same time an investigation is being undertaken.  DVI is an internationally accepter terms is and its principles are subject to international agreement through INTERPOL.

The Command and Control (C&C) solution is the incident management and deployment solution for police officers responding to incidents reports by the public. Command and control is the authority and capability of an organisation to direct the actions of its personnel and the use of its equipment.

Incidents are usually graded based on severity of the incident and officers have Service Level Agreements (SLA’s) target in responding to incidents especially serious/critical incidents. SLA’s may differ from police force. C&C can also be used for a wide range of scenarios ranging from policing local community events, to responding to a major criminal investigation such as a terrorist attack, arson attack requiring several officers to respond to more sensitive investigations such as a rape incident requiring more specialised officers.

There are times where certain incidents or operations where the police response requires a different approach and it may be necessary to establish a dedicated command structure such as bronze, silver and gold.

The success of any major incident coordination requires an organised, professional and methodical approach. The Major Room Incident (MIR) is critical to this coordination as this is where all information is gathered and analysed for response coordination.

Major investigation and public protection has many strands and arms. It consists of:

Major Crime:

• Child abuse

• Child sexual exploitation

• Domestic abuse

• Female genital mutilation

• Firearms licensing

• Forced marriage and honour-based violence

• Gangs and youth violence

• Gun crime

• Hate crime

• Homicide

• Kidnap and extortion

• Knife crime

• Missing persons

• Modern slavery

• Prostitution

• Rape and sexual offences

• Stalking or harassment

• Vulnerable adults

• Operation Hydrant

Public protection:

• Mental health

• Managing sexual offenders

It also has major elements of mental health. The Mental health Authorised Professional Practice (APP) has provided guidance on Police response to members of the public who are experiencing mental ill health, have learning disabilities and mental and emotional vulnerable individuals. The guidance applies whether the police are acting in a criminal justice or health care capacity or in both of these roles. 

There are incidents that take place where the police respond to a serious injury/incident or where there is a deceased or where at a later time the victim dies. This APP – describes the post-incident procedures, management, welfare and legal issues stemming from serious incidents.

The guidance outlines provision of accounts by officers and staff, provides responsibilities for key roles, and sets out approaches to organisational learning and debriefing. The information provided is relevant to any investigation, whether carried out by the force’s professional standards department (PSD) or by the relevant independent investigative authority (IIA).

It is the responsibility of each force to determine how the post-incident procedures will be implemented and should therefore create an implementation plan showing how each area, roles and responsibilities will be fulfilled. This should include any training plans needed for individuals carrying out specific roles.

Where serious injury or death has resulted in the discharge of a firearm by a police officer or member of police staff, this guidance will not apply. Please refer to APP Armed Policing.

It is important to note that a serious injury is referred to as a fracture, deep cut, deep laceration or injury causing damage to an internal organ or the impairment of any bodily function.

The Public Services Network (PSN) provides technical policies regarding the operation of its network. This provides a high-level guidance for the way in which government networks, as a whole should be managed.

The policies aim to create a simple mechanism for managing network services in government. The objectives of the policies are to:

• operate the PSN as a single OFFICIAL network enabling services to be consumed from both the Assured and Protected networks.

• enable the use of cloud email services that meet specific security standards for government email.

• bring PSN and other government Domain Name System (DNS) services into line with best practice.  

Email feedback to psnservicedesk@digital.cabinet-office.gov.uk 

This guidance gives practical advice on the secure development, procurement and deployment of generic applications.

There are three types of common security issues:

1. Secure data handling

2. Application hardening

3. Third party applications

This guidance is written main for risk assessors and application developers on how to minimise the loss of data from applications running on all devices handling sensitive data. Sensitive information should not be stored on devices when it's not required. If it must be stored on a device, a native data storage protection APIs (Application Programming Interface) available on the platform must be utilised. You must also ensure that the applications allows administrators to delete sensitive data from devices if they are compromised or lost and encrypt sensitive information when stored, protected by an authentication mechanism.

You must also securely implement cryptographic functions and store sensitive information securely, and hide it from the user until they have been authenticated and ensure that sessions timeout periodically and require the user or application to repeat the authentication process and where possible manage user accounts centrally.

This guidance covers the deployment of a range of end user device platforms for the secure configuration of Windows 10 1809. Risk owners and administrators should agree a configuration which balances business requirements, usability and security.

• Protective Monitoring Solution: All data should be routed over a secure enterprise VPN to ensure the confidentiality and integrity of the traffic. This also allows the devices, and data on them, to be protected.

• Applications should be authorised by an administrator and deployed via a trusted mechanism.

• Most users should have accounts with no administrative privileges.  Administrator accounts should have a unique strong password per device.

Testing was performed on a Windows Hardware Certified device, running Windows 10 Enterprise. This guidance is not applicable to Windows devices managed via an MDM or Windows To Go. 

This guidance is not applicable to Windows devices managed via an MDM or Windows To Go. 

Risk owners and administrators should agree a configuration, which balances business requirements, usability and security.

The exchange of incident information between key organisations such as the Police Force, Highways England, Ambulance Service, Fire service is critical to saving lives and keeping members of the public safe.

The exchange of key information between organisations using command and control systems that manage incidents and deployments are used through formatted messages using extensible markup Language (XML).

This technical document aims to describe the implementation guidelines for exchanging information between multiple command and control systems between different organisations (Multi Agency Incident Transfer (MAIT), describe communications and data management issues that need to be considered, whilst providing suitable implementation guidance as well as describing interfaces available and their XML’s.

The purpose of the code will be to ensure that individuals and wider communities have confidence that surveillance cameras are deployed to protect and support them, rather than spy on them. 
Surveillance cameras when used appropriately can be a great tool used for public safety, protection of property and people and serve as security.

The Surveillance cameras Code of Practice was issued under Section 30 of the 2012 Act to provide guidance appropriate and effective use of surveillance camera systems by relevant authorities. It is welcomed and encouraged for other operators to use the code but it is not mandatory.

This is a significant step in achieving the ongoing process of delivering the government’s commitment to the ‘further regulation of CCTV’, which is a gradual process. As the understanding and application of the code grows and matures overtime, the government may consider expanding its members of the code to other relevant bodies that they deem fit they will benefit from the code of practice. This is clearly seen by the government as a way of improving the standards of camera security operators.

This document was reviewed by the National Standards Assurance Board in February 2021 and although related documentation, such as the Surveillance Camera Commissioners 'Facing the Camera' code of practice exists, it did not replace this existing document, which still offers value.

The National ICT Strategic Principles sets out architectural rules and guidelines in fulfilling its ICT strategies across the force. It helps to define the underlying general rules for the use and deployment of all ICT capabilities across the Police Force.

The document includes the following principles:

   Architectural Business Principles:

• Business Continuity

• Service Orientation

• Compliance with Law

• ICT responsibility

• Responsive Change Management

   Technology:

• Cloud First

• Interoperability

   Data:

• Data is a an Asset

• Data is Accessible

• Information Asset Owner

• Data Security

• Management of Police Information

   Application Principles: 

• Technology Independence

• Single Authentication model

These have been reviewed by the National Standards Assurance Board in March 2021 and still deemed to posses relevant information. PDS confirmed that a new set of principles are in development to replace these.

Please note this is an OFFICIAL-SENSITIVE document, to request access please use the 'Contact Us' tab to raise a general query

The purpose of this document is to inform force/agency Senior Information Risk Owners (SIRO), National Information Asset Owners, National and force/agency Accreditors/Projects/programmes and other interested parties of the National Information Risk Appetite and its implications. This document should be read in conjunction with the BRG on Risk Appetite .

This document helps provide a baseline for defining and managing risk for all National information systems and National Police Infrastructure used within the Police services such as as Police National Database, Police National Computer, ViSOR/MAPS.

The document also helps form part of the national Information Assurance governance for information risk management and focuses on national Information Systems risk management and governance and force/agency risk management and governance.

The National Information Risk Appetite echoes the need for the police service to protect and manage risk with regards to information handling, as information mismanagement can compromise confidentiality and integrity, have an adverse impact on police operations and damage police public image and increase risks to the compliance or legal standing of the police force.

Intended audience readers are for police force SIROs, Information Asset Owners, police force Accreditors, programme and project managers as well as other interested parties in National Information risk management.

ISO 27033-2 gives guidelines to police forces on how to plan, design, implement and document effective network security.

This standard was reviewed by the authoring body in 2018 and still deemed current. This was also further reviewed by the National Standards Assurance Board in May 2021 and still found to be current and of value.

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

Over the years, information and communication technology (ICT) has become an integral part of many of the activities which are major elements of the critical infrastructures in all organisations. The proliferation of the Internet and other IT capabilities of systems and applications, has also meant that organisations have become ever more reliant on reliable, safe and secure ICT infrastructures. This reliance means that disruptions to ICT can constitute strategic risks to the reputation of the organisation and its ability to operate.

Failures of ICT services, including the occurrence of security issues such as systems intrusion and malware infections, will impact the continuity of business operations. Thus managing ICT and related continuity and other security aspects form a key part of business continuity requirements. In order for an organisation to achieve ICT Readiness for Business Continuity (IRBC), it needs to put in place a systematic process to prevent, predict and manage ICT disruption and incidents which have the potential to disrupt ICT services. 

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

In todays modern world, most organisations have their information systems connected by networks either within the organisation, between different organisations or between the organisation and the general public. The purpose of this International Standard is to provide detailed guidance on the security aspects of the management, operation and use of information system networks, and their inter-connections. 

This part of ISO/IEC 27033 provides an overview of network security. It defines and describes the concepts associated with, and provides management guidance on, network security. It also defines how to identify and analyse network security risks and then define network security requirements. It also introduces how to achieve good quality technical security architectures, and the risk, design and control aspects associated with typical network scenarios and network technology areas.

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

This international standard has been created for establishing, implementing, maintaining and continually improving a service management system (SMS). An SMS supports the management of the service lifecycle, including the planning, design, transition, delivery and improvement of services, which meet agreed requirements and deliver value for customers, users and the organisation delivering the services. Implementation and operation of an SMS provides on-going visibility, control of services and continual improvement, leading to greater effectiveness and efficiency.

This standard can be used by

• Customer seeking services and requiring assurance regarding quality of the service being provided

• Customer requiring consistent approach to the service lifecycle by all its service providers

• an organisation to demonstrate its capability for the planning, design, transition, delivery and improvement of services

• an organisation to monitor, measure and review its SMS and the services

• a provider of training or advice in service management.

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

Cloud service providers who process Personally Identifiable Information (PII) under contract to their customers need to operate their services in ways that allow both parties to meet the requirements of applicable legislation and regulations covering the protection of PII.

PII is sometimes referred to as personal data or personal information. A public cloud service provider is a “PII processor” when it processes PII for and according to the instructions of a cloud service customer. 

This standard was created to help the public cloud service provider to comply with applicable obligations when acting as a PII processor, enable the public cloud PII processor to be transparent in relevant matters, assist the cloud service customer and the public cloud PII processor in entering into a contractual agreement and provide cloud service customers with a mechanism for exercising audit and compliance rights and responsibilities.

There are three main requirements an organisation must identify for the protection of PII:

1. Legal, Statutory, Regulatory and Contractual Requirements

2. Risks Assessment

3. Corporate policies

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

This international standard was created to help organisations evaluate the information security performance and the effectiveness of an information security management system. The results of monitoring and measurement of an information security management system (ISMS) can be supportive of decisions relating to ISMS governance, management, operational effectiveness and continual improvement. It also helps to establish

1. the monitoring and measurement of information security performance

2. the monitoring and measurement of the effectiveness of an information security management system (ISMS) including its processes and controls

3. the analysis and evaluation of the results of monitoring and measurement.

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

This standard speaks into  the structure and requirements for implementing and maintaining a business continuity management system (BCMS) that develops business continuity within an organisation experience disruption.

A BCMS emphasises the importance of:

• understanding the organisation’s needs and the necessity for establishing business continuity policies and objectives;

• operating and maintaining processes, capabilities and response structures for ensuring the organisation will survive disruptions;

• monitoring and reviewing the performance and effectiveness of the BCMS;

• continual improvement based on qualitative and quantitative measures.

The purpose of a BCMS is to prepare for, provide and maintain controls and capabilities for managing an organisation’s overall ability to continue to operate during disruptions.

• supporting its strategic objectives

• creating a competitive advantage

• protecting and enhancing its reputation and credibility

• reducing legal and financial exposure

• reducing direct and indirect costs of disruptions

• protecting life, property and the environment

• providing confidence in the organisation’s ability to succeed

• improving its capability to remain effective during disruptions

• addressing operational vulnerabilities

The management process of BCMS are categorised by the following:

• policy

• planning

• implementation and operation

• performance assessment

• management review

• continual improvement

The outcomes of maintaining a BCMS are shaped by the organisation’s legal, regulatory, organisational and industry requirements, products and services provided, processes employed, size and structure of the organisation, and the requirements of its interested parties.

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The relationship between information security management and service management is so close that many organisations already recognise the benefits of adopting the two International Standards for these domains. There are a number of advantages in implementing an integrated management system.

Benefits:

• Enhanced credibility, with internal and external customers

• Lower cost of an integrated programme of two projects

• Reduction in implementation time due to the integrated development of processes common to both standards

• Better communication, reduced cost and improved operational efficiency through elimination of unnecessary duplication

•  a greater understanding by service management

This International Standard is intended for use by persons with knowledge of both of the International Standards ISO/IEC 27001 (information security management system (ISMS) and ISO/IEC 20000-1 (a service management system (SMS)) and provides guidance on the implementation of both international standards.

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The implementation of an information security management system is a strategic decision for an organisation that is influenced by the organisation’s needs and objectives, security requirements, the organisational processes and thus the International Standard has been setup to establish, implement, maintain and continually improve an information security management system.

The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.

This International Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. This also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation and is applicable to all organisations, irrespective of size and structure.

The International Organisation Standardisation (ISO) and the International Electrotechnical Commission (IEC) form the specialised system for worldwide standardisation. National bodies that are apart of the ISO or IEC participate through technical committees in the development of International standards to deal with particular areas of technical activities.

ISO/IEC in light of information technology provides an international standard and overview by for management systems by which a model can be followed in setting up and operating a management system. Information Security Management System (ISMS) is responsible for ensuring continuous development of the international management system standards.

Through the various standards developed, organisations can develop and implement a framework for managing and protecting the security of the information assets and systems including financial information, intellectual property, employee details, customer, client and third parties personal details.

The ISMS Standard includes standards that define requirements for an ISMS, provides direct support and guidance for the overall process to implement and maintain an ISMS standard, address conformity assessment for ISMS and provide terms and definitions for the international standard.

This document informs the implementation of controls within an information security management system based on ISO 27001.

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

This International Standard is designed for organisations to use as a reference for selecting controls within the process of implementing an Information Security Management System (ISMS) based on ISO/IEC 27001. It can also be used as guidance for implementing commonly accepted information security controls.

All types of organisations including public and private sector, commercial and non-profit organisations collect collect, process, store and transmit information in many forms including electronic, physical and verbal and therefore the value of information goes beyond the written words, numbers and images. Knowledge can also be intangible such as concepts, ideas, knowledge, brands, reputation – these are all forms of intangible information. As a result vital information can be very valuable to an organisation’s and as such deserves and require protection against various hazards.

Therefore it is essential that an organisation identify its security requirements by 1. Assessing risk 2. Observing all statutory, regulatory and contractual requirements that an organisation has to satisfy 3. Setting principles, objectives and business requirements for information handling, processing, storing, communicating and archiving that an organisation has developed to support its operations.

This Framework describes the Cabinet Secretary and Official Committee on Security expectations of how HMG organisations and third parties handling HMG information and other assets will apply protective security to ensure HMG can function effectively, efficiently and securely.

The Security Policy Framework should be applied across Her Majesty’s Government and assets that are held by third parties in the wider public sector and by our commercial partners and personal responsibility and accountability should be undertaken to uphold the policy as attitudes and behaviours are key for exercising good security.

It is important to note that proper management, risk management, good governance and judgment and discretion remain the most form of effective security protection. 

This code of practice issued by the Secretary of State (regulated by the Surveillance Camera Commissioner) under the Protection of Freedoms Act 2012 (PoFA) covers police forces in England & Wales. Chief officers must have regard to this code when using facial recognition algorithms as part of the operation of surveillance camera systems, or the use or processing of images or other information obtained.

The code only applies to the use of facial recognition technology and processing of images from surveillance cameras operated in 'live time' or 'near real time' operational scenarios.

The code includes considerations into:

• Applicability
• Biometrics
• Ethics
• Human Rights
• Legal frameworks
• Police policy documents
• Governance
• Evidence handling
• Public engagement
• Accountability and certification

Also included as an attachment is the National Surveillance Camera Strategy for context.

This document provides guidance on how to create and iterate a Sender Policy Framework record, which is a system of email authentication.

SPF works by providing domain owners a way to publish a list of the IP addresses which should be trusted for a given domain. A receiving email service can then check that a sending email service has an IP address which appears in the sender's published list.

If the IP address appears in the list of acceptable IPs, the receiving email service will forward the email to the recipient's inbox. If the receiving email service cannot confirm the IP address is valid, then it marks the email in accordance with the DMARC policy you have implemented on the domain the email is being sent from.

The CJS Data Standards Catalogue is a collection of data standards used by Criminal Justice Organisations in England & Wales to support interoperability between their different ICT systems.

If you are a member of a Criminal Justice Organisation and work in the area of data standards then you too can help to shape that change. If you have any questions then please raise them with the Forum representative for your organisation by visiting https://www.gov.uk/guidance/criminal-justice-system-data-standards-forum-guidance. 

This document should be used in reference to the appropriate legislation, such as the Protection of Freedoms Act 2012: DNA & Fingerprint Provisions

IDENT1 is the UK’s nationals automated fingerprint system that provides biometric series for the police force and law enforcement agencies covering England, Scotland and Wales.

IDENT1 was introduced in 2004 and replaced the National Automated Fingerprint Identification System (NAFIS) of England and Wales, as well as the electronic fingerprint identification system used by the Scottish police forces. It was developed by Northrop Grumman with the use of advanced biometric identification technology.

IDENT1 enables the forces to search and compare fingerprints and crime scene marks in a single database, providing a unified collection of finger and palm prints.

The datasets that consist in within IDENT1 are the following:

• Colour Type

• Fingerprint Bureau Code Type

• Fingerprint Owners sex Type

• Fingerprint Status Type

• Force Code Type

• Force Station Coe Type

• IDENT Offence Code Type

• Jurisdiction Type

By using efficient algorithms and technology, IDENT1 is able to deliver a high degree of search accuracy and performance for the fingerprint officers (FPOs) and police officers by taking advantage of Biometric fusion technology.

The standards referred to by W3C are community generated standards, last reviewed by the National Standards Assurance Board in May 2021.

The World Wide Web Consortium (W3C) is an international community where Member organisations and the public work together to develop Web standards. It’s aim is to lead the World Wide Web to its full potential by developing protocols and guidelines that ensure the long-term growth of the Web. 

The social value of the Web is that it enables human communication, commerce, and opportunities to share knowledge. One of W3C's primary goals is to make these benefits available to all people, whatever their hardware, software, network infrastructure, native language, culture, geographical location, or physical or mental ability. Some people view the Web as a giant repository of linked data while others as a giant set of services that exchange messages.

W3C's vision for the Web involves participation, sharing knowledge, and thereby building trust on a global scale.

The Web has transformed the way we communicate with each other. In doing so, it has also modified the nature of our social relationships. People now "meet on the Web" and carry out commercial and personal relationships, in some cases without ever meeting in person. W3C recognises that trust is a social phenomenon, but technology design can foster trust and confidence. As more activity moves on-line, it will become even more important to support complex interactions among parties around the globe.

This document has been reviewed by the National Standards Assurance Board in May 2021 and is still deemed relevant with sound principles, despite being dated in some areas. Users should also be aware of the NEP Windows Blueprints.

This document describes the features, testing and deployment requirements necessary to meet CPA certification for Software Full Disk Encryption security products. It is intended for vendors, system architects, developers, evaluation and technical staff operating within the security arena.

The purpose of a software disk encryption product is to protect the confidentiality of data. This document aims to describe the requirements for Software Full Disk Encryption products and obtaining Commercial Product Assurance (CPA) certification under the CPA scheme.

A typical use case is the protection of a mobile device such as a laptop in case of accidental loss or theft.

The Security Characteristic is primarily targeted towards a single user for each protected devices only applicable to software disk encryption products that operate on PCs with Extensible Firmware Interface (UEFI) or  Basic Input/Output System (BIOS). Multiple users can also be evaluated.

Intended readers are for developers, system, architects, vendors and technical staff. The disk encryption software will prevent an attacker from accessing the data.

This document provides a framework for application security.

ISO (the International Organisation for Standardisation) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organisation to deal with particular fields of technical activity. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

There is an ever increasing need for businesses to focus on protecting their information and  technological infrastructures and Organisations must do this in order to stay in business. ISO/IEC 27034 provides concepts, principles, frameworks, components and processes to assist organisations in integrating security seamlessly throughout the life cycle of their applications. When an organisation uses a systematic approach for improving application security, it provides the organisation evidence and confidence that information being used and held in its application is being adequately protected. This part of ISO/IEC 27034 defines the processes required to manage the security of applications in the organisation.

The Organisation Normative Framework (ONF) is a key component for application security and provides a framework for best practises. It is the foundation of application security in the organisation. All organisations should base their decision regarding application security on this framework.

Therefore the purpose of this part of ISO/IEC 27034 is to assist organisations to create, maintain and validate their own ONF in compliance with the requirements of this International Standard.

Intended audience are managers, domain experts, auditors, ONF committee.

Guidance on the risk-based approach to using Bluetooth enabled technology within the policing environment, including examples. This guide does not cover all use cases and for advice on exemptions for specific use cases, the NPIRMT team should be approached to provide a bespoke risk assessment.

This document seeks to provide clarity and national guidance on the retention of both physical and digital evidence in order to provide policing with a framework to support a comprehensive physical and digital storage strategy.

There are a vast number of legislative sources to help determine how to manage and retain evidence, further compounded by confusion around records managed under Management of Police Information (MoPI) and physical evidence principally managed under the Criminal Procedure and Investigations Act (CPIA) and Police and Criminal Evidence Act (PACE). This document seeks to provide clarity on the difference between these two distinct areas of business as well as provide more general guidance.

The GDS Service Standard provides 14 principles for all Government teams to use when creating public services.

This document has been written by subject matter experts, together with many governmental organisations, test houses and equipment manufacturers to defined a common framework for video surveillance transmission in order to achieve interoperability between products. 

The 62676 series is divided into 4 independent parts:
Part 1: System requirements (with 2 sub-parts: General and Performance requirements)
Part 2: Video transmission protocols
Part 3: Analog and digital video interfaces
Part 4: Application guidelines

This standard is intended to assist Video Surveillance System suppliers, users (including law enforcement), integrators and other interested parties achieve a complete and accurate specification of the surveillance system. This standard standard does not specify the type of technology required for a certain observation task.

[Note that this document, despite being authored in 2014, has been reviewed by subject matter experts in April 2021 and deemed to still represent good practice and relevancy]

Laboratories within the UK who wish to demonstrate that they operate to a quality system, are technically competent and are able to generate technically valid results must now meet the ISO/IEC 17025 requirements. This has now become the standard that UKAS now to assess a laboratory’s competence for the purposes of accreditation.

The purpose of this document is to set down United Kingdom Accreditation Service (UKAS) policy, process and guidance on assessment and accreditation of laboratories 

The difference in this policy set out is that laboratories UKAS policy that laboratory accreditation to ISO/IEC 17025 can now include the expression of opinions and interpretation of test/calibration results in reports as it is considered to be an inherent part of testing. Whereas before this was not permitted.

The laboratory’s documented quality system must reflect whether it is expressing opinions and interpretations and if so, for which activities. The process of interpreting test/calibration results for the purpose of expressing opinions and interpretations must be documented. 

This guidance document suggests how to set up, maintain, monitor and maximise the performance of an ANPR system. It is written for law enforcement ANPR operatives and commercial installers on behalf of the National ANPR Strategy Board. It applies to ANPR systems that are part of the National ANPR Infrastructure (NAI) and may feed data into the National ANPR System (NAS).

Users should also consider the Data protection Act 2018 and Surveillance Camera Code of Practice when using this document.

This document describes how HM Government classifies information assets into OFFICAL, OFFICIAL SENSITIVE, SECRET and TOP SECRET to ensure information can be protected but also efficiently shared. This is not a statutory scheme, but operates within the requirements of the Official Secrets Acts (1911 and 1989) and the Freedom of Information Act (2000) and Data Protection legislation.

Please note this is an OFFICIAL-SENSITIVE document, to request access please use the 'Contact Us' tab to raise a general query

National Police information, systems and networks must be safeguarded to ensure the Police Community can meet their statutory and regulatory responsibilities. The Police Community meets these responsibilities through a community of trust and by the implementation of this Community Security Policy (CSP).

This document relates to all National Police information; systems/services and networks, for which Chief Officers or Chief Executives are Joint Data Controllers. Furthermore it extends to all systems whether national or local that connect to access police information. 

This document sets out the obligations on the police under the Data Protection Act 2018 and how these interact with other relevant legislation and case law. It provides police officers and staff with a set of principles to inform how they obtain digital devices – most often mobile phones but also laptops and other computers – from victims, witnesses and suspects for the purpose of an investigation and how they then extract the digital material from those devices. It will also help the public understand the responsibilities of the police when gathering evidence, obtaining devices and accessing the material held on them.

Most cyber attacks are conducted by unskilled individuals and are very basic in nature and cyber security is an important aspect to guard any organisation from cyber attacks. There are five essential technical controls that any organisation can put in place the following:

1. Use a firewall to secure your internet connection

Many organisations will have a dedicated boundary firewall which protects their whole network. This effectively creates a ‘buffer zone’ between your IT network and other, external networks.

2. Choose the most secure settings for your device an software

always check the settings of new software and devices and where possible, make changes which raise your level of security. For important accounts such as banking and IT administration, you should use two-factor authentication

3. Control who has access to your data and services

To minimise the potential damage that could be done if an account is misused or stolen, staff accounts should have just enough access to software, settings, online services and device connectivity functions for them to perform their role. 

4. Protect yourself from viruses and other malware

Viruses are another well-known form of malware (malicious software). These programs are designed to infect legitimate software, passing unnoticed between machines. A user may open an infected email attachment, browse a malicious website, or use a removable storage drive, such as a USB memory stick, which is carrying malware. You can use anti-malware/virus software to detect and treat them.

5. Keep your devices and software up to date

Manufacturers and developers release regular updates which not only add new features, but also fix any security vulnerabilities that have been discovered. Therefore it is important that manufacturers support the device with regular security updates.

This guidance is designed to help organisations protect themselves in cyberspace and best practises for cyberspace security. It relays the task of defending your networks, systems and information into its essential components.

It is important to note, when dealing cyberspace protection, the organisation knows the kinds of cyber attacks it expects to understand what protection would be needed. 

Note: This high level guidance provides context on the 10 steps. Each step is also individually signposted on the National Standards platform.

Published by the National cyber security centre, this guidance document provides details and context on the following 14 cloud security principles.

1. Data in transit

2. Asset protection and resilience

3. Separation between users

4. Governance framework

5. Operational security

6. Personnel security

7. Secure development

8. Supply chain security

9. Secure user management

10. Identity and authentication

11. External interface protection

12. Secure service administration

13. Audit information for users

14. Secure use of the service

Step 3 from the 10 steps to Cyber Security covers asset management, ensuring you know what data and systems you manage, and what business need they support.

Asset management encompasses the way you can establish and maintain the required knowledge of your assets. Over time, systems generally grow organically, and it can be hard to maintain an understanding of all the assets within your environment. Incidents can occur as the result of not fully understanding an environment, whether it is an unpatched service, an exposed cloud storage account or a mis-classified document. Ensuring you know about all of these assets is a fundamental precursor to being able to understand and address the resulting risks. Understanding when your systems will no longer be supported can help you to better plan for upgrades and replacements, to help avoid running vulnerable legacy systems.

Step 4 from the 10 steps to Cyber Security covers how to design, build and maintain systems securely.

The technology and cyber security landscape is constantly evolving. To address this, organisations need to ensure that good cyber security is baked into their systems and services from the outset, and that those systems and services can be maintained and updated to adapt effectively to emerging threats and risks.

Step 9 from the 10 steps to Cyber Security covers how to plan your response to cyber incidents in advance.

Incidents can have a huge impact on an organisation in terms of cost, productivity and reputation. However, good incident management will reduce the impact when they do happen. Being able to detect and quickly respond to incidents will help to prevent further damage, reducing the financial and operational impact. Managing the incident whilst in the media spotlight will reduce the reputational impact. Finally, applying what you’ve learned in the aftermath of an incident will mean you are better prepared for any future incidents.

Step 5 from the 10 steps to Cyber Security covers how to keep your systems protected throughout their lifecycle.

The majority of cyber security incidents are the result of attackers exploiting publicly disclosed vulnerabilities to gain access to systems and networks. Attackers will, often indiscriminately, seek to exploit vulnerabilities as soon as they have been disclosed. So it is important (and essential for any systems that are exploitable from the internet) to install security updates as soon as possible to protect your organisation. Some vulnerabilities may be harder to fix, and a good vulnerability management process will help you understand which ones are most serious and need addressing first.