
NOT PROTECTIVELY MARKED

March 2009 Issue 1.2

HMG IA Standard No. 6 Protecting Personal Data and Managing Information Risk

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to GCHQ on 01242 221491 x30306 or [email protected]

HMG IA Standard No. 6

Protecting Personal Data and

Managing Information Risk

Issue No: 1.2 March 2009

HMG IA Standards are issued jointly by Cabinet Office and CESG, the UK National Technical Authority for Information Assurance, in support of Mandatory Requirements specified in the HMG Security Policy Framework (SPF). The Standards outline minimum measures that MUST be implemented by Departments and Agencies bound by the SPF, and compliance with SPF Mandatory Requirements cannot be claimed unless adherence to the Standards can be demonstrated. They do not provide tailored technical or legal advice on specific ICT systems or IA issues. Cabinet Office and GCHQ/CESG and its advisers accept no liability whatsoever for any expense, liability, loss, claim or proceedings arising from reliance placed upon this Standard.

The copyright of this document is reserved and vested in the Crown.


Protecting Personal Data and Managing Information Risk

Intended Readership

This Standard is written for all those who are involved in the risk management of information assets (information and information systems) within central government, including information risk owners at the board and working level, business managers, security managers, accreditors, Information and Communications Technology (ICT) consultants, project managers and system or service providers. Although aimed at central government Departments and Agencies and their suppliers and service providers, the contents of this Standard are also relevant to the wider public sector. This Standard has also been published as Annex III, Cross Government Actions: Mandatory Minimum Measures, to the Report of the Data Handling Review (Reference [a]).

Executive Summary

Information is a key asset, and its proper use is fundamental to the delivery of public services. The public are entitled to expect that Government will protect their privacy and use and handle information professionally. Departments are best placed to understand their information and to protect it, but need to do so within a context of clear minimum standards ensuring protection of personal information. Government has put in place a core set of mandatory minimum measures to protect information, to apply across central Government. They are minimum measures in that they oblige individual Departments and agencies to assess their own risk, and those organisations will often put in place a higher level of protection. They will be updated in the future to accommodate lessons and new developments.

Aims and Purpose

This Standard consists of two chapters:

Chapter 1 sets out the mandatory process measures to ensure that Departments identify and manage their information risks;

Chapter 2 sets out the mandatory specific minimum measures for the protection of personal information, the release or loss of which could cause harm or distress to individuals.

This Standard does not cover physical and personnel security or business continuity, which are addressed elsewhere in the HMG Security Policy Framework (SPF) (Reference [b]). Departments MUST also comply with other obligations, such as those under contracts, codes of connection, and the law. The material in this document reflects good practice as set out in the ISO/IEC 27000 (Information Security Management System) series (Reference [c]). The key terms and abbreviations used in this Standard are intended to be consistent with those used by the International Standards Organisation (ISO) and publications produced, sponsored or supported by the Central Sponsor for Information Assurance (CSIA) and CESG, the National Technical Authority for Information Assurance. Issue 1.2 of this Standard replaces Issue 1.0, dated October 2008. Issue 1.2 has not been fully reviewed and revised and differs from the previous version only in the following ways:

a. An error in the footnotes in Appendix B has been rectified;

b. The references have been updated to reflect new publications, and new issues of existing publications, in the CESG IA Policy Portfolio.


Contents:

Chapter 1 - Process Measures to Manage Information Risk ............ 5
    Key Principles ............ 5
    General ............ 5
    Roles ............ 6
    Maximising Public Benefit from Information ............ 7
    Audit ............ 7
    Culture ............ 8
    Incident Management ............ 8
    Transparency ............ 8

Chapter 2 - Specific Minimum Measures to Protect Personal Information ............ 11
    Key Principles ............ 11
    General ............ 11
    Preventing Unauthorised Access to Protectively Marked Information ............ 11
    Minimising Risk from Authorised Access to Protectively Marked Information ............ 14
    Citizen-Facing Work ............ 15

Appendix A: Minimum Scope of Protected Personal Data ............ 17

Appendix B: External Access by Impact/e-GIF Level ............ 19

References ............ 21

Glossary ............ 25

Customer Feedback ............ 27


Chapter 1 - Process Measures to Manage Information Risk

Key Principles

• Departments are responsible for managing their own information risks and within their delivery chains;

• All Departments MUST meet the mandatory minimum measures in this Standard in order to manage their exposure to information risk;

• These mandatory minimum measures cover risk policy and assessment, organisation, roles and responsibilities, maximising the use of information assets, audit, culture, incident management and transparency.

General

1. Departments are responsible for managing their own information risks and ensuring proper management of information risks in their delivery chains, subject to meeting the mandatory rules set out in this Standard. The Accounting Officer has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level. They sign the annual Statement on Internal Control. From financial year 08/09 onwards, this MUST explicitly cover information risk.

2. All Departments MUST:

a. Have an information risk policy setting out how they implement the measures in this Standard in their own activity and that of their delivery partners, and monitor compliance with the policy and its effectiveness (Reference [d]);

b. Assess risks to the confidentiality, integrity and availability of information in their delivery chain at least quarterly, taking account of extant Government-wide guidance (Reference [e]), and plan and implement proportionate responses, which MUST at least include implementation of the measures in Chapter 2 (below). At least once a year, the risk assessment MUST examine forthcoming potential changes in services, technology and threats (Reference [f]; on threats see References [g] and [h]);


c. Accredit ICT systems handling protectively marked information to the Government standard (Reference [i]), and to reaccredit when systems undergo significant change, or at least every five years;

d. Conduct Privacy Impact Assessments (Reference [j]) so that they can be considered as part of the information risk aspects of Gateway Reviews, or while going through accreditation if no Gateway has been conducted for a particular system;

e. Use the security clauses from the Office of Government Commerce’s (OGC) model ICT contract for services (Reference [k]), with any changes relevant to information risk being approved by the SIRO (defined in paragraph 3 a, below);

f. Consider whether each measure in this Chapter needs to be applied to any organisation handling information on its behalf (whether public sector or private sector) to ensure appropriate information handling across the delivery chain, and apply those where there is a need to do so;

g. Apply all measures in Chapter 2 (below) by organisations handling information on their behalf when they deal with Government data, and monitor the application of those measures. When seeking to apply measures in Chapters 1 or 2, Departments MUST insist on action where they can, and seek to influence others where necessary.

Roles

3. All Departments MUST:

a. Name a board member as Senior Information Risk Owner (SIRO) (Reference [l]). The SIRO is an executive who is familiar with information risks and the organisation’s response. The SIRO may also be the Chief Information Officer (CIO) if the latter is on the board. They own the information risk policy and risk assessment, act as an advocate for information risk on the board and in internal discussions, and provide written advice to the accounting officer (Reference [l]) on the content of their Statement on Internal Control relating to information risk;

b. Identify their information assets and name an Information Asset Owner (IAO) for each (Reference [l]). IAOs MUST be senior individuals involved in running the relevant business. Their role is to understand what information is held, what is added and what is removed, how information is moved, and who has access and why. As a result, they are able to understand and address risks to the information, and ensure that information is fully used within the law for the public good. They provide a written judgement of the security and use of their asset annually to support the audit process;

c. Identify and keep a record of those members of staff and contractors with access to or involved in handling individual records containing protected personal data (see Appendix A, below), referred to below as ‘users’ (Reference [m]). For simplicity, some Departments may wish to assume that all staff are users, or to conduct the exercise for their organisation piece by piece.

Maximising Public Benefit from Information

4. Addressing information risk involves ensuring that information is used, as well as protecting it when it is used. IAOs MUST consider on an annual basis how better use could be made of their information assets within the law. Where they consider that public protection or public services could be enhanced through greater access to information held by others, they should submit a request to the relevant IAO. Requests received MUST be logged and considered. Where it is decided that public access to information is in the public interest, IAOs should reflect this in their Departmental Freedom of Information Publication Scheme.

Audit

5. All Departments MUST:

a. Share and discuss the information risk assessment (see paragraph 2 b, above) with their audit committee and main board;

b. Conduct at least an annual review of information risk (Reference [f]) for the SIRO to support their written advice to the Accounting Officer. That review MUST cover the effectiveness of the overarching policy. It MUST be informed by the written judgement of the IAOs and by the chair of the audit committee;

c. Once the Statement on Internal Control has been completed, share the relevant material and the supporting annual assessment with Cabinet Office.

Culture

6. All Departments MUST:

a. Have and execute plans to lead and foster a culture that values, protects and uses information for the public good, and monitor progress at least through standardised civil-service wide questions when conducting a people survey or equivalent;

b. Reflect performance in managing information risk into HR processes, in particular making clear that failure to apply Departmental procedure is a serious matter and, in some situations, amounts to gross misconduct;

c. Maintain mechanisms that command the confidence of individuals through which they may bring concerns about information risk to the attention of senior management or the audit committee, anonymously if necessary, and record concerns expressed and action taken in response.

Incident Management

7. All Departments MUST:

a. Have a policy for reporting, managing and recovering from information risk incidents, including losses of protected personal data and ICT security incidents, defining responsibilities, and make staff aware of the policy (References [n] and [o]);

b. Report security incidents to HMG’s incident management schemes (GovCertUK for network security incidents (Reference [p]) and CINRAS (Reference [q]) for incidents involving cryptographic items). Significant actual or potential losses of personal data should be shared with the Information Commissioner and the Cabinet Office.

Transparency

8. All Departments MUST:

a. Publish an information charter (Reference [r]) setting out how they handle information and how members of the public can address any concerns that they have;

b. Set out in the Departmental annual report summary material on information risk, covering the overall judgement in the Statement on Internal Control, numbers of information risk incidents sufficiently significant for the Information Commissioner to be informed, the numbers of people potentially affected, and actions taken to contain the breach and prevent recurrence.


Chapter 2 - Specific Minimum Measures to Protect Personal Information

Key Principles

• Departments and their delivery partners MUST protect sensitive personal information from unauthorised access, release or loss;

• Sensitive personal information MUST be handled in accordance with specific measures covering access, removable media, controlled disposal, authentication, audit, forensic readiness and citizen-facing work;

• Those with authorised access to, or management responsibility for, sensitive personal data MUST undergo appropriate training.

General

9. Departments MUST be particularly careful to protect personal data whose release or loss could cause harm or distress to individuals. All Departments MUST:

a. Determine what information they or their delivery partners hold that falls into this category. This MUST include at least the information outlined in Appendix A (below);

b. Handle all such information as if it were marked at least PROTECT – PERSONAL DATA while it is processed or stored within Government or its delivery partners, applying the measures in this Standard. Information should continue to be marked to a higher level where that is already done or where justified, for example, as a result of aggregation of data (Reference [s]).

Preventing Unauthorised Access to Protectively Marked Information

10. When PROTECT level information is held on paper, it MUST be locked away when not in use or the premises on which it is held secured. When information is held and accessed on ICT systems on secure premises, all Departments MUST apply the minimum protections for information set out in the matrix in Appendix B (below), or equivalent measures, as well as any additional protections as needed as a result of their risk assessment. Where equivalent measures are adopted, or, in exceptional circumstances in which such measures cannot be applied, the SIRO MUST agree this action with the Accounting Officer and notify Cabinet Office.

11. Wherever possible, protected personal data should be held and accessed on paper or ICT systems on secure premises in accordance with the SPF (Reference [b]), protected as above. This means Departments should avoid the use of removable media (including laptops (Reference [t]), removable discs, CDs, USB memory sticks, PDAs (Reference [u]) and media card formats) for storage or access to such data where possible. Where this is not possible, all Departments should work to the following hierarchy, recording the reasons why a particular approach has been adopted in a particular case or a particular business area:

a. The best option is to hold and access data on ICT systems on secure premises;

b. Second best is secure remote access, so that data can be viewed or amended without being permanently stored on the remote computer. This is possible at PROTECT level over the Internet using products meeting the FIPS 140-2 standard or equivalent, or using a smaller set of products at RESTRICTED level. The National Technical Authority for Information Assurance, CESG, provides advice on suitable products and how to use them (References [v] and [w]);

c. Third best is secure transfer of information to a remote computer on a secure site on which it will be permanently stored (Reference [x]). Both the data at rest and the link should be protected at least to the FIPS 140-2 standard or equivalent, using approved products as above. Protectively marked information MUST not be stored on privately owned computers unless they are protected in this way;

d. In all cases, the remote computer should be password protected (References [y], [z] and [aa]), configured so that its functionality is minimised to its intended business use only, and have up to date software patches and anti-virus software (Reference [bb]).

12. Where it is not possible to avoid the use of removable media, all Departments should apply all of the following conditions:

a. The information transferred to the removable media should be the minimum necessary to achieve the business purpose, both in terms of the numbers of people covered by the information and the scope of information held. Where possible, only anonymised information should be held;


b. The removable media should be encrypted to a standard of at least FIPS 140-2 or equivalent in addition to being protected by an authentication mechanism, such as a password (References [y], [z] and [aa]);

c. User rights to transfer data to removable media should be carefully considered and strictly limited to ensure that this is only provided where absolutely necessary for business purposes and subject to monitoring by managers and the IAO;

d. The individual responsible for the removable media should handle it – themselves or if they entrust it to others – as if it were the equivalent of a large amount of their own cash.

13. There are some exceptional situations in which the second condition of encryption cannot be applied consistent with business continuity and disaster recovery. For example, full system back-up tapes MUST contain all the relevant data and Departments may judge that encrypted data cannot be recovered with sufficient speed or certainty in the event of a disaster. Such unprotected data include some of the most valuable assets owned by a Department, and should be treated accordingly, being recorded, moved, stored and monitored with strong controls – equivalent to handling arrangements for very large amounts of public money in cash. There are also specific situations in which Departments hold removable media that they cannot encrypt for legal reasons, such as when such material is collected in evidence for a legal proceeding. In those situations, the legal obligation prevails.

14. All material that has been used for protected data should be subject to controlled disposal. All Departments MUST:

a. Destroy paper records containing protected personal data by incineration, pulping or shredding so that reconstruction is unlikely;

b. Dispose of electronic media that have been used for protected personal data through secure destruction, overwriting, erasure or degaussing for re-use (References [cc] and [dd]).

15. Decisions on handling on the issues in paragraphs 11 – 14 (above) should be approved in writing by the relevant IAO. In preparing for the annual assessment of information risk, all Departments MUST:


a. Review compliance with the matrix in Appendix B (below) or equivalent measures and any SIRO decision to take other action agreed with the Accounting Officer;

b. Review and test documentation relating to decisions made relating to paragraphs 11 – 14 (above);

c. Inspect a sample of the activities of those individuals with rights to transfer protected personal data to removable media, to ensure that there is still a business case for them to have those rights;

d. Inspect a sample of those individuals who have left roles with access to protected personal data, to ensure that access rights have been removed;

e. Inspect a sample of removable media to ensure that required safeguards are in place;

f. Inspect unencrypted back-ups (see paragraph 13, above) and reconcile them with material that has been recorded;

g. Monitor disposal channels for paper records containing protected personal data to ensure this has been properly handled;

h. Ask for sample electronic media to be processed as in paragraph 14 b (above) and testing to attempt data recovery.

16. All Departments whose delivery chain involves the handling of information relating to 100,000 or more identifiable individuals MUST engage independent experts to carry out penetration testing of their ICT systems and to make recommendations.

Minimising Risk from Authorised Access to Protectively Marked Information

17. All Departments MUST ensure that all data users successfully undergo information risk awareness training on appointment and at least annually (Reference [ee]). In addition, all IAOs MUST pass information management training on appointment and at least annually, and accounting officers, SIROs, and members of the audit committee MUST pass strategic information risk management training at least annually (Reference [ff]).

18. All Departments MUST plan their business taking into account the information risks involved in different business models as well as their benefits. Once a business model is adopted, Departments MUST explicitly define and document the access rights granted to protected personal data that users enjoy, and minimise access rights within the adopted model. The IAO MUST agree in writing that access rights permit the business to be transacted with an acceptable level of risk, and if not, an alternative MUST be identified. Access rights should be minimised in respect of each of the following:

a. Pool of records accessible. The default should be that any member of staff has no access to protected personal information. If access is necessary, it should be to the smallest possible sub-set of records;

b. Numbers of records viewed. The hierarchy should be no access / ability to view only aggregated data / ability to view only anonymous records / ability to view material from single identifiable records / ability to view material from many identifiable records simultaneously;

c. Nature of information available. The hierarchy should be responses to defined queries (e.g. does X claim free school meals) without seeing the record / view of parts of the record itself / view of the whole record;

d. Functionality, including searching, alteration, deletion, printing, downloading or transferring information.

19. All Departments MUST:

a. Put in place arrangements to log activity of data users in respect of electronically-held protected personal information, and for managers to check it is being properly conducted, with a particular focus on those working remotely and those with higher levels of functionality. Summary records of managers’ activity MUST be shared with the relevant IAO and be available for inspection by the Information Commissioner’s Office on request;

b. Have a forensic readiness policy to maximise their ability to preserve, analyse and use evidence from an ICT system, should it be required (References [gg] and [hh]).

Citizen-Facing Work

20. Departments and agencies need to ensure that citizen-facing services are secure, while being easy for people or their representatives to use. Where possible, the same protective measures should be taken in transacting business with individuals as when information is stored or used within Government, but Departments should set their own proportionate standards in this area so long as those standards (and possible alternative service routes) are clearly explained.


Appendix A: Minimum Scope of Protected Personal Data

21. Departments MUST identify data they or their delivery partners hold whose release or loss could cause harm or distress to individuals. This MUST include as a minimum all data falling into one or both categories below.

A. Any information that links one or more identifiable living persons with information about them whose release would put them at significant risk of harm or distress.

Box 1:

1. One or more of the pieces of information which can be used along with public domain information to identify an individual: Name / addresses (home or business or both) / postcode / email / telephone numbers / driving licence number / date of birth. [Note that driving licence number is included in this list because it directly yields date of birth and first part of surname]

combined with

2. Information about that individual whose release is likely to cause harm or distress: Sensitive personal data as defined by s2 of the Data Protection Act, including records relating to the criminal justice system, and group membership. DNA or fingerprints / bank, financial or credit card details / mother’s maiden name / National Insurance number / tax, benefit or pension records / health records / employment record / school attendance or records / material relating to social services including child protection and housing.

22. These are not exhaustive lists. Departments should determine whether other information they hold should be included in either category.


B. Any source of information about 1000 or more identifiable individuals, other than information sourced from the public domain.

23. This could be a database with 1000 or more entries containing the facts listed in Box 1 (above), or an electronic folder or drive containing 1000 or more records about individuals. [1] Again, this is a minimum standard. Information on smaller numbers of individuals may warrant protection because of the nature of the individuals, nature or source of the information, or extent of information.

[1] The Business Impact Level tables in Reference [e] (Appendix A, also published separately) should be consulted for guidance on the appropriate Impact Level, and Reference [s] consulted for guidance on taking aggregation issues into account.
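The two Appendix A tests are simple enough to automate as a first-pass data-discovery check over exported tables. The Python below is an added example and not part of the Standard: it maps column headers (and, for unlabelled columns, column contents) onto the two boxes above, then applies the Category A test (an identifying field and a harm/distress field in the same record) and the Category B test (1000 or more distinct identifiable individuals). The field lists, the simplified National Insurance number, sort-code and e-mail patterns, the `assess` function and the three sample datasets are all constructed assumptions for illustration.

```python
"""Data-discovery check against the minimum scope of protected personal data in
Appendix A of HMG IA Standard No. 6.

Category A: an identifying field combined with a harm/distress field.
Category B: 1000 or more identifiable individuals.

Added example, not code from the Standard. Field lists, value patterns and the
sample datasets below are constructed assumptions.
"""
import re

# Box 1, left-hand column: fields that, with public-domain information, identify a person.
IDENTIFIER_FIELDS = {
    "name", "address", "postcode", "email", "telephone",
    "driving_licence", "date_of_birth",
}
# Box 1, right-hand column: fields whose release is likely to cause harm or distress.
HARM_FIELDS = {
    "criminal_record", "dna", "fingerprint", "bank_account", "card_number",
    "mothers_maiden_name", "national_insurance", "tax_record", "benefit_record",
    "pension_record", "health_record", "employment_record", "school_record",
    "social_services", "child_protection", "housing",
}

# Content patterns for columns whose header says nothing useful (assumed, simplified formats).
NI_NUMBER = re.compile(r"^[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]$", re.IGNORECASE)
SORT_CODE_ACCOUNT = re.compile(r"^\d{2}-\d{2}-\d{2} \d{8}$")
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalise(header_cell):
    """'Mother's maiden name' -> 'mothers_maiden_name' so headers match the field lists."""
    cell = re.sub(r"['\u2019]", "", header_cell.strip().lower())
    return re.sub(r"[^a-z0-9]+", "_", cell).strip("_")


def sniff(values):
    """Classify a column by its contents: 'harm', 'identifier' or None."""
    cells = [v.strip() for v in values if v and v.strip()]
    if not cells:
        return None
    if all(NI_NUMBER.match(v) for v in cells) or all(SORT_CODE_ACCOUNT.match(v) for v in cells):
        return "harm"
    if all(EMAIL.match(v) for v in cells):
        return "identifier"
    return None


def classify_columns(header, rows):
    """Return (identifier column indices, harm column indices) for one table."""
    identifiers, harm = [], []
    for i, cell in enumerate(header):
        key = normalise(cell)
        kind = ("identifier" if key in IDENTIFIER_FIELDS
                else "harm" if key in HARM_FIELDS
                else sniff(row[i] for row in rows))
        if kind == "identifier":
            identifiers.append(i)
        elif kind == "harm":
            harm.append(i)
    return identifiers, harm


def assess(header, rows, threshold=1000):
    """Apply the two Appendix A tests to one table and explain the outcome."""
    identifiers, harm = classify_columns(header, rows)
    # Category A needs BOTH an identifying field and a harm/distress field in the same record.
    category_a = bool(identifiers) and bool(harm)
    # Category B counts distinct identifiable individuals, keyed on the identifier fields;
    # rows with no identifying field at all are not 'identifiable individuals'.
    individuals = ({tuple(row[i].strip().lower() for i in identifiers) for row in rows}
                   if identifiers else set())
    category_b = len(individuals) >= threshold
    return {
        "category_a": category_a,
        "category_b": category_b,
        "in_scope": category_a or category_b,
        "identifier_columns": [header[i] for i in identifiers],
        "harm_columns": [header[i] for i in harm],
        "identifiable_individuals": len(individuals),
    }


# Constructed sample 1: a small casework extract whose 'Reference' column holds unlabelled NI numbers.
CASEWORK_HEADER = ["Name", "Postcode", "Reference", "Notes"]
CASEWORK_ROWS = [
    ["A. Example", "AB1 2CD", "AB123456C", "appointment booked"],
    ["B. Example", "EF3 4GH", "CE654321A", ""],
    ["C. Example", "AB1 2CD", "JG000000B", "follow-up"],
]

# Constructed sample 2: a mailing list with no sensitive fields but 1200 identifiable people.
MAILING_HEADER = ["Name", "Email"]
MAILING_ROWS = [[f"Person {n}", f"person{n}@example.org"] for n in range(1200)]

# Constructed sample 3: aggregate statistics with a sensitive heading but no identifiers.
STATS_HEADER = ["Health record", "Count"]
STATS_ROWS = [["diabetes", "42"], ["asthma", "17"]]

if __name__ == "__main__":
    for label, header, rows in [("casework", CASEWORK_HEADER, CASEWORK_ROWS),
                                ("mailing list", MAILING_HEADER, MAILING_ROWS),
                                ("statistics", STATS_HEADER, STATS_ROWS)]:
        print(label, assess(header, rows))
```

A miss by the scanner is not a clearance: paragraph 22 says the lists are not exhaustive, so the output is a prompt for the Information Asset Owner's judgement rather than a substitute for it. The aggregate-statistics sample shows the Category A edge case: a sensitive column with no identifying column beside it does not, on its own, fall within Category A, while the mailing list shows that Category B is met by volume alone.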


Appendix B: External Access by Impact/e-GIF Level [1]

The original table has the following columns: Business Impact Level [2] / "Protective Marking"; Types of data/system included in category; e-GIF/CSIA Registration Level; e-GIF/CSIA Authentication Levels; Network; External Access (Gov PC to WWW, WWW "café", "PED", Home Gov PC); and LAN (WIFI, 3G Data Card, Bluetooth, Bootable USB). It is reproduced below one row at a time; bracketed numbers refer to the notes at the end.

IL4 / Confidential
Types of data/system: Violent & Sex offenders; Witness Protection
Registration Level: Level Three: Full ID verification with appropriate vetting and need-to-know measures
Authentication Levels: Physical / personal / procedural protection with appropriate technical authentication mechanisms such as User Name + Password or Biometric / Certificate / Token
Network: x.GSi; xCJX
External Access: Gov PC to WWW Y [3]; WWW "café" N; "PED" N; Home Gov PC Y [4]
LAN: WIFI N; 3G Data Card N; Bluetooth N; Bootable USB Y [5]

IL3 / Restricted, "NHS Confidential"
Types of data/system: Health record; ContactPoint; Crime Record/PNC
Registration Level: Level Two: Cross-checked ID verification with appropriate vetting and need-to-know measures
Authentication Levels: User Name Password / Biometric / Digital Certificate
Network: N3; GSi; CJX
External Access: Gov PC to WWW Y; WWW "café" N; "PED" Y [6]; Home Gov PC Y [7]
LAN: WIFI Y [8]; 3G Data Card Y [9]; Bluetooth N; Bootable USB Y [10]

IL2 / Protect
Types of data/system: General citizen data; Finance Systems
Registration Level: Level One: Basic ID verification
Authentication Levels: User Name Password and commercial best practice
Network: GCSx; Best Commercial
External Access: Gov PC to WWW Y; WWW "café" N; "PED" Y; Home Gov PC Y
LAN: WIFI Y; 3G Data Card Y; Bluetooth Y [11]; Bootable USB Y

IL1/IL0
Types of data/system: Google search; BBC News
Registration Level: Anonymous
Authentication Levels: No authentication required
Network: Any
External Access: [cells not recovered from the extracted copy]
LAN: WIFI Y; 3G Data Card Y; Bluetooth Y; Bootable USB Y

Arrangements for material at higher protective markings are dealt with separately.

Notes
[1] For information on e-GIF, see Reference [ii]
[2] For guidance on business impact level tables, see Reference [jj]
[3] Via ‘Thin Client Internet Browse-down’
[4] Via hard-wired Government issue secure laptop (RAS)
[5] Requires a strong business case and CESG advice
[6] Via CESG-approved product such as Blackberry (References [kk] and [ll])
[7] Via CESG-approved VPN or validated CESG Manual T or Manual V solutions (References [mm] and [nn])
[8] Implementations must be compliant with CESG Manual Y (Reference [oo])
[9] Via Government issue secure laptop with software (RAS)
[10] Using software-based cryptography
[11] Requires a strong business case and CESG advice


References

[a] Cabinet Office, Data Handling Procedures in Government: Final Report, June 2008 (Not Protectively Marked). Available at: http://www.cabinetoffice.gov.uk/media/cabinetoffice/csia/assets/dhr/cross_gov080625.pdf

[b] HMG Security Policy Framework, December 2008. Tiers 1-3 (Not Protectively Marked) are available at: http://www.cabinetoffice.gov.uk/spf.aspx

[c] ISO/IEC Standard 27001, Information Security Management Systems: Requirements, October 2005 (Replaces ISO/IEC 17799, Part 2). Further information on ISO/IEC Standards is available at: http://www.iso-standards-international.com

[d] CSIA, Guidance on the Departmental Information Risk Policy, April 2008. Available in Tier 4 of the SPF.

[e] HMG IA Standard No. 1, Technical Risk Assessment, Part 1, Issue 3.3, March 2009 (Not Protectively Marked). Available from the CESG IA Policy Portfolio.

[f] CSIA, Guidance on the Annual Assessment of Information Risk Management, v2.0, May 2008. Available in Tier 4 of the SPF.

[g] Centre for the Protection of National Infrastructure, Threats to National Security (June 2008) (RESTRICTED). Copies for those who ‘need to know’ on a personal basis are available on request from CPNI, Central Support, PO Box 60628, London SW1P 9HA or [email protected]

[h] CESG Infosec Memorandum No. 2, The Threat of Technical Attack Against Information and Communications Technology Systems, Issue 5.2, May 2008 (UK RESTRICTED). Available from the CESG IA Policy Portfolio.

[i] HMG IA Standard No. 2, Risk Management and Accreditation of Information Systems, Issue 3.1, October 2008 (Not Protectively Marked). Available from the CESG IA Policy Portfolio.

[j] Information Commissioner’s Office, Privacy Impact Assessments. Available at: http://www.ico.gov.uk/upload/documents/pia_handbook_html/html/foreword.html


[k] Office of Government Commerce, Current Model Terms and Conditions of Contract. Available at: http://www.ogc.gov.uk/0_procurement_principles_terms_and_conditions.asp

[l] CSIA, Guidance on Mandatory Roles (AO, SIRO, IAO), v1.0, April 2008. Available in Tier 4 of the SPF.

[m] CSIA, Guidance on Non Mandatory Roles, May 2008. Available at: http://www.cabinetoffice.gov.uk/csia/publications.aspx and in Tier 4 of the SPF.

[n] CSIA, Guidance on Notification of Breaches of a Classified Nature, v1.0, May 2008. Available in Tier 4 of the SPF.

[o] CSIA, Reporting of Data Breaches of an Unclassified Nature, v2.0, October 2008. Available in Tier 4 of the SPF.

[p] Information on GovCertUK and its services is available at: http://www.govcertuk.gov.uk

[q] HMG IA Standard No. 4, Communications Security and Cryptography, Issue 3.1, October 2008 (UK RESTRICTED), Part 1, Chapter 17. Available from the CESG IA Policy Portfolio.

[r] CSIA, Guidance on the Information Charter, v2.0, May 2008. Available in Tier 4 of the SPF.

[s] CESG Good Practice Guide No. 9, Taking Account of the Aggregation of Information, Issue 1.2, March 2009 (Not Protectively Marked). Available from the CESG IA Policy Portfolio.

[t] CESG Good Practice Guide No. 10, Remote Working, Issue 1.0, March 2009 (UK RESTRICTED). Available from the CESG IA Policy Portfolio.

[u] CESG Good Practice Guide No. 5, Securing Data at Rest on Laptops, Issue 2.0, March 2009 (UK RESTRICTED). Available from the CESG IA Policy Portfolio.

[v] For policy on encryption grades, including the FIPS-140-2 standard, see HMG IA Standard No. 4, Communications Security and Cryptography, Issue 3.1, October 2008, Part 1, Chapter 3 (UK RESTRICTED). Available from the CESG IA Policy Portfolio.


[w] For information on CESG-approved encryption products, see the CESG Directory of Infosec Approved Products, July 2008 (Not Protectively Marked), available at http://www.cesg.gov.uk/site/publications/media/directory.pdf

[x] CESG Good Practice Guide No. 3, Securing Bulk Data Transfers, Issue 2.0, March 2009 (UK RESTRICTED) (under review). Available from the CESG IA Policy Portfolio.

[y] CESG Infosec Memorandum No. 24, Passwords, Tokens and Biometrics Used in Combination for Identification and Authentication of Users of Government IT Systems, Issue 2.2, February 2006 (Not Protectively Marked) (under review). Available from the CESG IA Policy Portfolio.

[z] CESG Infosec Memorandum No. 26, Passwords for Identification and Authentication, Issue 4.0, February 2008 (Not Protectively Marked) (under review). Available from the CESG IA Policy Portfolio.

[aa] CESG Infosec Memorandum No. 27, Assessment of the Contribution of Tokens to Multi-Factor Identification and Authentication Systems, Issue 1.0, June 2004 (Not Protectively Marked) (under review). Available from the CESG IA Policy Portfolio.

[bb] CESG Good Practice Guide No. 8, Protecting External Connections to the Internet, Issue 1.0, March 2009 (Not Protectively Marked). Available from the CESG IA Policy Portfolio.

[cc] HMG IA Standard No. 5, Secure Sanitisation of Protectively Marked Information or Sensitive Information, Issue 3.0, March 2009 (Not Protectively Marked) (under review). Available from the CESG IA Policy Portfolio.

[dd] CESG Infosec Manual S, Guidance on Secure Sanitisation and Disposal, Issue 2.0, September 2007 (Not Protectively Marked) (under review). Available from the CESG IA Policy Portfolio.

[ee] CSIA, Outline Specification for DHR Information Awareness Training, v2.1, May 2008. Available at: http://www.cabinetoffice.gov.uk/csia/publications.aspx (under Outline Specification for DHR Information Risk Awareness Training) and in Tier 4 of the SPF.

[ff] CSIA, Specification for Training for DHR Mandatory Roles: AO, SIRO and IAO, v2.0, May 2008. Available at: http://www.cabinetoffice.gov.uk/csia/publications.aspx (under Guidance on Role Specific Training) and in Tier 4 of the SPF.

[gg] CSIA, Guidance on the Forensic Readiness Policy, v1.0, May 2008. Available in Tier 4 of the SPF.

[hh] NISCC Technical Note 01/2005, An Introduction to Forensic Readiness Planning, 27 May 2005 (Not Protectively Marked). Available at: http://www.cpni.gov.uk/docs/re-20050621-00503.pdf

[ii] CSIA, The e-Government Interoperability Framework, Version 6.1, March 2005 (Not Protectively Marked). Available at: http://www.govtalk.gov.uk/schemesstandards/egif.asp

[jj] CSIA, Guidance on the Use of the Business Impact Level Tables, v1.0, May 2008. Available in Tier 4 of the SPF.

[kk] CESG Security Procedures for BlackBerry® Enterprise Solution Administrators, Issue 1.5, October 2008 (Not Protectively Marked). Available from the CESG IA Policy Portfolio.

[ll] CESG Security Procedures for BlackBerry® Enterprise Solution Users, Issue 1.3, July 2007 (Not Protectively Marked). Available from the CESG IA Policy Portfolio.

[mm] CESG Infosec Manual T, Use of the Transport Layer Security Protocol for HMG Protectively Marked Material – Implementation Standards, Issue 2.0, August 2007 (Not Protectively Marked). Available from the CESG IA Policy Portfolio.

[nn] CESG Infosec Manual V, Use of IPSec in Government Systems – Implementation Standards, Issue 3.0, October 2007 (UK RESTRICTED). Available from the CESG IA Policy Portfolio.

[oo] CESG Infosec Manual Y, Use of WPA2 Unevaluated Wireless Technology in Government Systems, Issue 1.0, January 2007 (UK RESTRICTED). Available from the CESG IA Policy Portfolio.


Glossary

Accounting Officer – Has overall responsibility for ensuring that a Department’s information risks are assessed and mitigated to an acceptable level. The Accounting Officer signs the annual Statement on Internal Control. From financial year 08/09 onwards, this MUST explicitly cover information risk.

Aggregation – The effect produced when a large number of data items at one Impact Level are collected, which often, but not always, results in the Impact Level of the compromise of the whole collection being significantly higher than the Impact of compromise of a single item.

CESG – The National Technical Authority for Information Assurance (formerly Communications-Electronic Security Group), part of Government Communications Headquarters.

CINRAS (Comsec Incident Notification, Reporting and Alerting Scheme) – A national scheme managed by CESG, as the UK Comsec evaluating authority, to provide assistance and alerting when cryptographic items (encryption devices or key material) are compromised, and to monitor general trends and problems in order to inform training and systems design requirements.

CIO (Chief Information Officer) – The senior individual responsible for policies and procedures concerning the handling of information within a Department, sometimes combined with the head of information technology role. The role of CIO, if a board-level appointment, may be combined with that of the SIRO.

e-GIF (e-Government Interoperability Framework) – Defines the technical policies and specifications governing information flows across government and the public sector, covering interconnectivity, data integration, e-service access and content management.

FIPS 140-2 – A standard for cryptographic modules formulated by the US National Institute of Standards and Technology and the Canadian Communications Security Establishment.

Gateway – The OGC Gateway™ process examines the progress and likelihood of successful delivery of programmes and projects. Its use is mandatory in central Government for procurement, IT-enabled and construction projects.


GovCertUK – The UK Government’s Computer Emergency Response Team, part of CESG, responsible for providing advice and assistance on network security incidents.

IAO (Information Asset Owner) – IAOs MUST be senior individuals involved in running the relevant business. Their role is to understand what information is held, what is added and what is removed, how information is moved, and who has access and why. As a result, they are able to understand and address risks to the information, and ensure that information is fully used within the law for the public good. They provide a written judgement of the security and use of their asset annually to support the audit process.

ICT (Information and Communications Technology) – A generic term used to describe any system used for storing, processing or transmitting information.

Privacy Impact Assessment – A structured assessment, adopting a risk management approach, of a project’s potential impact on privacy, enabling Departments to anticipate and address the likely impacts of new initiatives, foresee problems and negotiate solutions.

SIRO (Senior Information Risk Owner) – An executive who is familiar with information risks and the organisation’s response. They own the information risk policy and risk assessment, act as an advocate for information risk on the board and in internal discussions, and provide written advice to the Accounting Officer on the content of their Statement on Internal Control relating to information risk.

Statement on Internal Control – An annual statement, informed by a Department’s annual assessments, submitted by the Accounting Officer and scrutinised by the National Audit Office to assess compliance with mandatory requirements.


Customer Feedback

CESG Information Assurance Guidance and Standards welcomes feedback and encourages readers to inform CESG of their experiences, good or bad, with this document. We would especially like to know about any inconsistencies and ambiguities. Please send your comments to: Customer Support, CESG, A2j Hubble Road, Cheltenham GL51 0EX (for the attention of IA Policy Development Team). Fax: (01242) 709193 (for NOT PROTECTIVELY MARKED FAXES ONLY). Email: [email protected]. For additional hard copies of this document and general queries please contact CESG enquiries at the address above.



CESG B2h Hubble Road Cheltenham Gloucestershire GL51 0EX Tel: +44 (0)1242 709141 Fax: +44 (0)1242 709293 Email: [email protected] © Crown Copyright 2009. Communications on CESG telecommunications systems may be monitored or recorded to secure the effective operation of the system and for other lawful purposes. This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other U.K. Information legislation. Refer disclosure requests to the originating Agency.