Security Policy Framework

The Security Policy Framework (or "SPF") is a set of high-level policies on security, mainly affecting the UK government and its suppliers. [1] [2]

The structure has changed over time. Version 11 was published in October 2013; it has 20 "Mandatory Requirements" grouped into four policy areas. Previously the SPF had as many as 70 Mandatory Requirements, which were more detailed, and which were grouped into 7 areas: [3]

1: Governance, Risk Management & Compliance
2: Protective Marking & Asset Control
3: Personnel Security
4: Information Security & Assurance
5: Physical Security
6: Counter-Terrorism
7: Business Continuity

These mandatory requirements are a baseline that applies to all UK government departments; higher requirements may apply in some cases. [4] Public-sector bodies are responsible for managing their own technical security risks, but can draw on expertise and guidelines provided by CESG and the Cabinet Office. The Centre for the Protection of National Infrastructure also helps protect critical infrastructure. [5] The Ministry of Defence has its own separate policies and systems.

The SPF superseded the Manual of Protective Security. Part of the SPF is produced by CESG, and part by the Cabinet Office's Security Policy Division. [6]

References

  1. "Government publishes new Security Policy Framework". Agenda Security. Archived from the original on 22 July 2012. Retrieved 14 August 2011.
  2. "Information Assurance Requirements for Transformational Government" (PDF). CESG. January 2010. Retrieved 14 August 2011.
  3. "STREAM for the Security Policy Framework" (PDF). Acuity Risk Management. 14 August 2011. Archived from the original (PDF) on 23 July 2011.
  4. "Only one in five adults trust government to keep their personal details safe". Security Park. 16 June 2009. Archived from the original on 21 July 2011. Retrieved 14 August 2011.
  5. "Cyber Security Strategy of the United Kingdom" (PDF). June 2009. p. 23. Archived from the original (PDF) on 13 August 2011. Retrieved 14 August 2011.
  6. "The Department of 'No' - The Privacy, Identity & Consent Blog". 17 February 2011. Retrieved 14 August 2011.