
March 2009

Issue 1.2 NOT PROTECTIVELY MARKED

HMG IA Standard No. 6


Protecting Personal Data
and
Managing Information Risk


HMG IA Standards are issued jointly by Cabinet Office and CESG, the UK National
Technical Authority for Information Assurance, in support of Mandatory
Requirements specified in the HMG Security Policy Framework (SPF). The
Standards outline minimum measures that MUST be implemented by Departments
and Agencies bound by the SPF, and compliance with SPF Mandatory Requirements
cannot be claimed unless adherence to the Standards can be demonstrated. They do
not provide tailored technical or legal advice on specific ICT systems or IA issues.
Cabinet Office and GCHQ/CESG and its advisers accept no liability whatsoever for
any expense, liability, loss, claim or proceedings arising from reliance placed upon
this Standard.

The copyright of this document is reserved and vested in the Crown.

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information
legislation. Refer any FOIA queries to GCHQ on 01242 221491 x30306 or infoleg@gchq.gsi.gov.uk


Intended Readership

This Standard is written for all those who are involved in the risk management of information assets (information and information systems) within central government, including information risk owners at the board and working level, business managers, security managers, accreditors, Information and Communications Technology (ICT) consultants, project managers and system or service providers. Although aimed at central government Departments and Agencies and their suppliers and service providers, the contents of this Standard are also relevant to the wider public sector.

This Standard has also been published as Annex III, Cross Government Actions: Mandatory Minimum Measures, to the Report of the Data Handling Review (Reference [a]).

Executive Summary

Information is a key asset, and its proper use is fundamental to the delivery of public services. The public are entitled to expect that Government will protect their privacy and use and handle information professionally. Departments are best placed to understand their information and to protect it, but need to do so within a context of clear minimum standards ensuring protection of personal information.

Government has put in place a core set of mandatory minimum measures to protect information, to apply across central Government. They are minimum measures in that they oblige individual Departments and agencies to assess their own risk, and those organisations will often put in place a higher level of protection. They will be updated in the future to accommodate lessons and new developments.

Aims and Purpose


This Standard consists of two chapters:

Chapter 1 sets out the mandatory process measures to ensure that Departments
identify and manage their information risks;

Chapter 2 sets out the mandatory specific minimum measures for the protection
of personal information, the release or loss of which could cause harm or distress
to individuals.

This Standard does not cover physical and personnel security or business continuity, which are addressed elsewhere in the HMG Security Policy Framework (SPF) (Reference [b]). Departments MUST also comply with other obligations, such as those under contracts, codes of connection, and the law. The material in this document reflects good practice as set out in the ISO/IEC 27000 (Information Security Management System) series (Reference [c]).

The key terms and abbreviations used in this Standard are intended to be consistent with those used by the International Organization for Standardization (ISO) and publications produced, sponsored or supported by the Central Sponsor for Information Assurance (CSIA) and CESG, the National Technical Authority for Information Assurance.

Issue 1.2 of this Standard replaces Issue 1.0, dated October 2008. Issue 1.2 has not
been fully reviewed and revised and differs from the previous version only in the
following ways:

a. An error in the footnotes in Appendix B has been rectified;

b. The references have been updated to reflect new publications, and new
issues of existing publications, in the CESG IA Policy Portfolio.


Contents:

Chapter 1 - Process Measures to Manage Information Risk ... 5
  Key Principles ... 5
  General ... 5
  Roles ... 6
  Maximising Public Benefit from Information ... 7
  Audit ... 7
  Culture ... 8
  Incident Management ... 8
  Transparency ... 8
Chapter 2 - Specific Minimum Measures to Protect Personal Information ... 11
  Key Principles ... 11
  General ... 11
  Preventing Unauthorised Access to Protectively Marked Information ... 11
  Minimising Risk from Authorised Access to Protectively Marked Information ... 14
  Citizen-Facing Work ... 15
Appendix A: Minimum Scope of Protected Personal Data ... 17
Appendix B: External Access by Impact/e-GIF Level ... 19
References ... 21
Glossary ... 25
Customer Feedback ... 27

Chapter 1 - Process Measures to Manage Information Risk

Key Principles

• Departments are responsible for managing their own information risks, and for those within their delivery chains;
• All Departments MUST meet the mandatory minimum measures in this Standard
in order to manage their exposure to information risk;
• These mandatory minimum measures cover risk policy and assessment,
organisation, roles and responsibilities, maximising the use of information assets,
audit, culture, incident management and transparency.

General
1. Departments are responsible for managing their own information risks and
ensuring proper management of information risks in their delivery chains, subject to
meeting the mandatory rules set out in this Standard. The Accounting Officer has
overall responsibility for ensuring that information risks are assessed and mitigated to
an acceptable level. They sign the annual Statement on Internal Control. From
financial year 08/09 onwards, this MUST explicitly cover information risk.

2. All Departments MUST:

a. Have an information risk policy setting out how they implement the measures in this Standard in their own activity and that of their delivery partners, and monitor compliance with the policy and its effectiveness (Reference [d]);

b. Assess risks to the confidentiality, integrity and availability of information in their delivery chain at least quarterly, taking account of extant Government-wide guidance (Reference [e]), and plan and implement proportionate responses, which MUST at least include implementation of the measures in Chapter 2 (below). At least once a year, the risk assessment MUST examine forthcoming potential changes in services, technology and threats (Reference [f]; on threats see References [g] and [h]);

c. Accredit ICT systems handling protectively marked information to the Government standard (Reference [i]), and reaccredit when systems undergo significant change, or at least every five years;

d. Conduct Privacy Impact Assessments (Reference [j]) so that they can be considered as part of the information risk aspects of Gateway Reviews, or while going through accreditation if no Gateway has been conducted for a particular system;

e. Use the security clauses from the Office of Government Commerce's (OGC) model ICT contract for services (Reference [k]), with any changes relevant to information risk being approved by the SIRO (defined in paragraph 3a, below);

f. Consider whether each measure in this Chapter needs to be applied to any organisation handling information on its behalf (whether public sector or private sector) to ensure appropriate information handling across the delivery chain, and apply those where there is a need to do so;

g. Apply all measures in Chapter 2 (below) by organisations handling information on their behalf when they deal with Government data, and monitor the application of those measures. When seeking to apply measures in Chapters 1 or 2, Departments MUST insist on action where they can, and seek to influence others where necessary.

Roles
3. All Departments MUST:

a. Name a board member as Senior Information Risk Owner (SIRO) (Reference [l]). The SIRO is an executive who is familiar with information risks and the organisation's response. The SIRO may also be the Chief Information Officer (CIO) if the latter is on the board. They own the information risk policy and risk assessment, act as an advocate for information risk on the board and in internal discussions, and provide written advice to the accounting officer (Reference [l]) on the content of their Statement on Internal Control relating to information risk;

b. Identify their information assets and name for each an Information Asset Owner (IAO) (Reference [l]). IAOs MUST be senior individuals involved in running the relevant business. Their role is to understand what information is held, what is added and what is removed, how information is moved, and who has access and why. As a result, they are able to understand and address risks to the information, and ensure that information is fully used within the law for the public good. They provide a written judgement of the security and use of their asset annually to support the audit process;

c. Identify and keep a record of those members of staff and contractors with
access to or involved in handling individual records containing protected
personal data (see Appendix A, below), referred to below as ‘users’
(Reference [m]). For simplicity, some Departments may wish to assume
that all staff are users, or to conduct the exercise for their organisation
piece by piece.

Maximising Public Benefit from Information


4. Addressing information risk involves ensuring that information is used, as well
as protecting it when it is used. IAOs MUST consider on an annual basis how better
use could be made of their information assets within the law. Where they consider
that public protection or public services could be enhanced through greater access to
information held by others, they should submit a request to the relevant IAO.
Requests received MUST be logged and considered. Where it is decided that public
access to information is in the public interest, IAOs should reflect this in their
Departmental Freedom of Information Publication Scheme.

Audit
5. All Departments MUST:

a. Share and discuss the information risk assessment (see paragraph 2b,
above) with their audit committee and main board;

b. Conduct at least an annual review of information risk (Reference [f]) for the
SIRO to support their written advice to the Accounting Officer. That review
MUST cover the effectiveness of the overarching policy. It MUST be
informed by the written judgement of the IAOs, and chair of the audit
committee;

c. Once the Statement on Internal Control has been completed, share the
relevant material and the supporting annual assessment with Cabinet
Office.

Culture
6. All Departments MUST:

a. Have and execute plans to lead and foster a culture that values, protects
and uses information for the public good, and monitor progress at least
through standardised civil-service wide questions when conducting a
people survey or equivalent;

b. Reflect performance in managing information risk into HR processes, in particular making clear that failure to apply Departmental procedure is a serious matter and, in some situations, amounts to gross misconduct;

c. Maintain mechanisms that command the confidence of individuals through which they may bring concerns about information risk to the attention of senior management or the audit committee, anonymously if necessary, and record concerns expressed and action taken in response.

Incident Management
7. All Departments MUST:

a. Have a policy for reporting, managing and recovering from information risk
incidents, including losses of protected personal data and ICT security
incidents, defining responsibilities, and make staff aware of the policy
(References [n] and [o]);

b. Report security incidents to HMG's incident management schemes (GovCertUK for network security incidents (Reference [p]) and CINRAS (Reference [q]) for incidents involving cryptographic items). Significant actual or potential losses of personal data should be shared with the Information Commissioner and the Cabinet Office.

Transparency
8. All Departments MUST:

a. Publish an information charter (Reference [r]) setting out how they handle
information and how members of the public can address any concerns that
they have;

b. Set out in the Departmental annual report summary material on information risk, covering the overall judgement in the Statement on Internal Control, numbers of information risk incidents sufficiently significant for the Information Commissioner to be informed, the numbers of people potentially affected, and actions taken to contain the breach and prevent recurrence.


Chapter 2 - Specific Minimum Measures to Protect Personal Information

Key Principles

• Departments and their delivery partners MUST protect sensitive personal information from unauthorised access, release or loss;
• Sensitive personal information MUST be handled in accordance with specific measures covering access, removable media, controlled disposal, authentication, audit, forensic readiness and citizen-facing work;
• Those with authorised access to, or management responsibility for, sensitive personal data MUST undergo appropriate training.

General
9. Departments MUST be particularly careful to protect personal data whose
release or loss could cause harm or distress to individuals. All Departments MUST:

a. Determine what information they or their delivery partners hold that falls
into this category. This MUST include at least the information outlined in
Appendix A (below);

b. Handle all such information as if it were marked at least PROTECT – PERSONAL DATA while it is processed or stored within Government or its delivery partners, applying the measures in this Standard. Information should continue to be marked to a higher level where that is already done or where justified, for example, as a result of aggregation of data (Reference [s]).

Preventing Unauthorised Access to Protectively Marked Information


10. When PROTECT level information is held on paper, it MUST be locked away
when not in use or the premises on which it is held secured. When information is held
and accessed on ICT systems on secure premises, all Departments MUST apply the
minimum protections for information set out in the matrix in Appendix B (below), or
equivalent measures, as well as any additional protections as needed as a result of
their risk assessment. Where equivalent measures are adopted, or, in exceptional
circumstances in which such measures cannot be applied, the SIRO MUST agree
this action with the Accounting Officer and notify Cabinet Office.

11. Wherever possible, protected personal data should be held and accessed on
paper or ICT systems on secure premises in accordance with the SPF (Reference
[b]), protected as above. This means Departments should avoid the use of removable
media (including laptops (Reference [t]), removable discs, CDs, USB memory sticks,
PDAs (Reference [u]) and media card formats) for storage or access to such data
where possible. Where this is not possible, all Departments should work to the
following hierarchy, recording the reasons why a particular approach has been
adopted in a particular case or a particular business area:

a. The best option is to hold and access data on ICT systems on secure
premises;

b. Second best is secure remote access, so that data can be viewed or amended without being permanently stored on the remote computer. This is possible at PROTECT level over the Internet using products meeting the FIPS 140-2 standard or equivalent, or using a smaller set of products at RESTRICTED level. The National Technical Authority for Information Assurance, CESG, provides advice on suitable products and how to use them (References [v] and [w]);

c. Third best is secure transfer of information to a remote computer on a secure site on which it will be permanently stored (Reference [x]). Both the data at rest and the link should be protected at least to the FIPS 140-2 standard or equivalent, using approved products as above. Protectively marked information MUST not be stored on privately owned computers unless they are protected in this way;

d. In all cases, the remote computer should be password protected (References [y], [z] and [aa]), configured so that its functionality is minimised to its intended business use only, and have up to date software patches and anti-virus software (Reference [bb]).

12. Where it is not possible to avoid the use of removable media, all Departments
should apply all of the following conditions:

a. The information transferred to the removable media should be the minimum necessary to achieve the business purpose, both in terms of the numbers of people covered by the information and the scope of information held. Where possible, only anonymised information should be held;

b. The removable media should be encrypted to a standard of at least FIPS 140-2 or equivalent in addition to being protected by an authentication mechanism, such as a password (References [y], [z] and [aa]);

c. User rights to transfer data to removable media should be carefully considered and strictly limited to ensure that this is only provided where absolutely necessary for business purposes and subject to monitoring by managers and the IAO;

d. The individual responsible for the removable media should handle it – themselves or if they entrust it to others – as if it were the equivalent of a large amount of their own cash.

13. There are some exceptional situations in which the second condition of
encryption cannot be applied consistent with business continuity and disaster
recovery. For example, full system back-up tapes MUST contain all the relevant data
and Departments may judge that encrypted data cannot be recovered with sufficient
speed or certainty in the event of a disaster. Such unprotected data include some of
the most valuable assets owned by a Department, and should be treated accordingly,
being recorded, moved, stored and monitored with strong controls – equivalent to
handling arrangements for very large amounts of public money in cash. There are
also specific situations in which Departments hold removable media that they cannot
encrypt for legal reasons, such as when such material is collected in evidence for a
legal proceeding. In those situations, the legal obligation prevails.

14. All material that has been used for protected data should be subject to
controlled disposal. All Departments MUST:

a. Destroy paper records containing protected personal data by incineration, pulping or shredding so that reconstruction is unlikely;

b. Dispose of electronic media that have been used for protected personal
data through secure destruction, overwriting, erasure or degaussing for re-
use (References [cc] and [dd]).

15. Decisions on handling of the issues in paragraphs 11 – 14 (above) should be approved in writing by the relevant IAO. In preparing for the annual assessment of information risk, all Departments MUST:

a. Review compliance with the matrix in Appendix B (below) or equivalent measures and any SIRO decision to take other action agreed with the Accounting Officer;

b. Review and test the documentation of decisions made under paragraphs 11 – 14 (above);

c. Inspect a sample of the activities of those individuals with rights to transfer protected personal data to removable media, to ensure that there is still a business case for them to have those rights;

d. Inspect a sample of those individuals who have left roles with access to protected personal data, to ensure that access rights have been removed;

e. Inspect a sample of removable media to ensure that required safeguards are in place;

f. Inspect unencrypted back-ups (see paragraph 13, above) and reconcile them with material that has been recorded;

g. Monitor disposal channels for paper records containing protected personal data to ensure this has been properly handled;

h. Ask for sample electronic media to be processed as in paragraph 14b (above) and then tested to attempt data recovery.
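Paragraph 14b allows overwriting as a disposal method for electronic media and paragraph 15h asks that sample media be processed and then tested for data recovery. The following is an added example written for this page, not a procedure from the Standard or from any Department: it overwrites an image of a storage device and then scans the raw bytes for known plaintext markers, the simplest recovery attempt. Using an ordinary file as the stand-in for a device, the three-pass pattern and the marker strings are all assumptions made here.

```python
"""Added example, not part of HMG IA Standard No. 6: overwrite a media image
(here an ordinary file, an assumption) and then attempt recovery by scanning
for known plaintext, as the paragraph 15h sampling check requires."""
import os
import secrets
import tempfile

# Assumed pass pattern: zeros, ones, then one random pass (None = random).
PASSES = (b"\x00", b"\xff", None)

def overwrite_file(path, passes=PASSES, chunk=4096):
    """Overwrite every byte of `path` in place, once per pass, syncing each pass
    to disk so a later raw read cannot still see the cached original."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size

def recover_markers(path, markers):
    """Crude recovery attempt: look for known plaintext fragments in the raw bytes.
    Returns the markers still present."""
    with open(path, "rb") as f:
        data = f.read()
    return [m for m in markers if m in data]

def sanitise_and_verify(path, markers):
    """Record what is recoverable before, overwrite, then check again."""
    before = recover_markers(path, markers)
    overwrite_file(path)
    after = recover_markers(path, markers)
    return {"found_before": before, "found_after": after, "clean": not after}

def sanitise_demo():
    """Build a constructed media image holding fictional protected personal data
    markers, sanitise it and return the verification result."""
    markers = [b"NI:QQ123456C", b"DOB:1999-01-01", b"NAME:A. Example"]
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"junk" * 100 + b"\n".join(markers) + b"\n" + b"junk" * 100)
    try:
        return sanitise_and_verify(path, markers)
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(sanitise_demo())
```

Overwriting through the filesystem only reaches the blocks currently mapped to the file: journalled filesystems, snapshots and wear-levelled flash media can keep earlier copies that a raw read of the medium would still find. That is why the Standard lists secure destruction and degaussing alongside overwriting, and why the paragraph 15h recovery test should be run against the whole medium, not a single file.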

16. All Departments whose delivery chain involves the handling of information
relating to 100,000 or more identifiable individuals MUST engage independent
experts to carry out penetration testing of their ICT systems and to make
recommendations.

Minimising Risk from Authorised Access to Protectively Marked Information


17. All Departments MUST ensure that all data users successfully undergo
information risk awareness training on appointment and at least annually (Reference
[ee]). In addition, all IAOs MUST pass information management training on
appointment and at least annually, and accounting officers, SIROs, and members of
the audit committee MUST pass strategic information risk management training at
least annually (Reference [ff]).

18. All Departments MUST plan their business taking into account the information
risks involved in different business models as well as their benefits. Once a business
model is adopted, Departments MUST explicitly define and document the access

rights granted to protected personal data that users enjoy, and minimise access
rights within the adopted model. The IAO MUST agree in writing that access rights
permit the business to be transacted with an acceptable level of risk, and if not, an
alternative MUST be identified. Access rights should be minimised in respect of each
of the following:

a. Pool of records accessible. The default should be that any member of staff has no access to protected personal information. If access is necessary, it should be to the smallest possible sub-set of records;

b. Numbers of records viewed. The hierarchy should be no access / ability to view only aggregated data / ability to view only anonymous records / ability to view material from single identifiable records / ability to view material from many identifiable records simultaneously;

c. Nature of information available. The hierarchy should be responses to defined queries (e.g. does X claim free school meals) without seeing the record / view of parts of the record itself / view of the whole record;

d. Functionality, including searching, alteration, deletion, printing, downloading or transferring information.

19. All Departments MUST:

a. Put in place arrangements to log activity of data users in respect of electronically-held protected personal information, and for managers to check it is being properly conducted, with a particular focus on those working remotely and those with higher levels of functionality. Summary records of managers' activity MUST be shared with the relevant IAO and be available for inspection by the Information Commissioner's Office on request;

b. Have a forensic readiness policy to maximise their ability to preserve, analyse and use evidence from an ICT system, should it be required (References [gg] and [hh]).
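The access hierarchy in paragraph 18 (default deny, smallest record pool, defined query before partial view before whole record before bulk access, explicit functionality grants) and the activity logging with manager review in paragraph 19a can both be enforced in code. The following is an added example written for this page, not code from the Standard or from any Department; the tier names, record fields, user identities and the "free school meals" query (the wording of paragraph 18c) are illustrative assumptions.

```python
"""Added example, not part of HMG IA Standard No. 6: an access layer that
enforces the paragraph 18 hierarchy and writes the activity log that
paragraph 19a has managers check. Record fields, tier names and user
identities are illustrative assumptions."""
from dataclasses import dataclass
from enum import IntEnum

class Tier(IntEnum):
    NONE = 0            # para 18a: the default is no access at all
    DEFINED_QUERY = 1   # para 18c: yes/no answers, the record is never shown
    PARTIAL = 2         # para 18c: named parts of a single record
    WHOLE = 3           # para 18c: the whole of a single record
    BULK = 4            # para 18b: many identifiable records at once

# Constructed sample records; the people and values are fictional.
RECORDS = {
    "P001": {"name": "A. Example", "dob": "1999-01-01", "free_school_meals": True},
    "P002": {"name": "B. Example", "dob": "1998-02-02", "free_school_meals": False},
}

@dataclass
class User:
    user_id: str
    tier: Tier = Tier.NONE                  # default deny
    record_pool: frozenset = frozenset()    # para 18a: smallest possible sub-set
    functions: frozenset = frozenset()      # para 18d: e.g. {"search", "alter", "download"}
    remote: bool = False                    # para 19a: remote workers get extra scrutiny

AUDIT_LOG = []   # para 19a: one entry per attempted action, allowed or refused

class AccessDenied(PermissionError):
    pass

def _log(user, action, record_id=None, allowed=True):
    AUDIT_LOG.append({"user": user.user_id, "action": action, "record": record_id,
                      "remote": user.remote, "allowed": allowed})

def _check(user, record_id, needed):
    """Refuse unless the user holds the needed tier and the record is in their pool."""
    in_pool = record_id is None or record_id in user.record_pool
    if user.tier < needed or not in_pool:
        _log(user, needed.name.lower(), record_id, allowed=False)
        raise AccessDenied(f"{user.user_id}: {needed.name} on {record_id} refused")

def defined_query(user, record_id, fld, expected):
    """Answer 'does X claim free school meals' without revealing the record."""
    _check(user, record_id, Tier.DEFINED_QUERY)
    _log(user, "defined_query", record_id)
    return RECORDS[record_id].get(fld) == expected

def view_fields(user, record_id, fields):
    _check(user, record_id, Tier.PARTIAL)
    _log(user, "view_fields", record_id)
    return {k: RECORDS[record_id][k] for k in fields}

def view_record(user, record_id):
    _check(user, record_id, Tier.WHOLE)
    _log(user, "view_record", record_id)
    return dict(RECORDS[record_id])

def download_all(user):
    """Bulk export needs both the BULK tier and an explicit 'download' grant."""
    if "download" not in user.functions:
        _log(user, "download", allowed=False)
        raise AccessDenied(f"{user.user_id}: download not granted")
    _check(user, None, Tier.BULK)
    _log(user, "download")
    return {r: dict(RECORDS[r]) for r in user.record_pool}

HIGH_FUNCTIONALITY = {"download", "alter", "delete", "search"}   # para 18d functions

def manager_review(log):
    """Para 19a: per-user summary for the manager's check, counting refusals,
    remote activity and high-functionality actions; shareable with the IAO."""
    summary = {}
    for e in log:
        s = summary.setdefault(e["user"], {"events": 0, "denied": 0, "remote": 0, "high_func": 0})
        s["events"] += 1
        s["denied"] += int(not e["allowed"])
        s["remote"] += int(e["remote"])
        s["high_func"] += int(e["action"] in HIGH_FUNCTIONALITY)
    return summary

def access_demo():
    """Worked scenario: a clerk limited to one record and yes/no queries, and a
    remote analyst with a bulk download grant. Returns the manager's summary."""
    AUDIT_LOG.clear()
    clerk = User("clerk1", Tier.DEFINED_QUERY, frozenset({"P001"}))
    analyst = User("an1", Tier.BULK, frozenset(RECORDS), frozenset({"download"}), remote=True)
    defined_query(clerk, "P001", "free_school_meals", True)   # allowed: yes/no only
    for attempt in (lambda: view_record(clerk, "P001"),        # refused: tier too low
                    lambda: defined_query(clerk, "P002", "free_school_meals", True)):  # refused: outside pool
        try:
            attempt()
        except AccessDenied:
            pass
    download_all(analyst)   # allowed, but flagged: remote and high functionality
    return manager_review(AUDIT_LOG)

if __name__ == "__main__":
    for user, counts in access_demo().items():
        print(user, counts)
```

Refusals are logged as well as successes, so the manager's summary shows a user probing beyond their pool or tier even when nothing was disclosed; that is the pattern paragraph 19a's focus on remote and high-functionality users is meant to catch.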

Citizen-Facing Work
20. Departments and agencies need to ensure that citizen-facing services are secure, while being easy for people or their representatives to use. Where possible, the same protective measures should be taken in transacting business with individuals as when information is stored or used within Government, but Departments should set their own proportionate standards in this area so long as those standards (and possible alternative service routes) are clearly explained.

Page 16

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information
legislation. Refer any FOIA queries to GCHQ on 01242 221491 x30306 or infoleg@gchq.gsi.gov.uk

NOT PROTECTIVELY MARKED


NOT PROTECTIVELY MARKED

Protecting Personal Data and


Managing Information Risk

Appendix A: Minimum Scope of Protected Personal Data
21. Departments MUST identify data they or their delivery partners hold whose
release or loss could cause harm or distress to individuals. This MUST include as a
minimum all data falling into one or both categories below.

A. Any information that links one or more identifiable living persons with information about them whose release would put them at significant risk of harm or distress.

Box 1. One or more of the pieces of information which, combined with public domain information, can be used to identify an individual:

   Name / addresses (home or business or both) / postcode / email / telephone numbers / driving licence number / date of birth.

   [Note that driving licence number is included in this list because it directly yields date of birth and first part of surname]

Box 2. Information about that individual whose release is likely to cause harm or distress:

   Sensitive personal data as defined by s2 of the Data Protection Act, including records relating to the criminal justice system, and group membership.

   DNA or fingerprints / bank, financial or credit card details / mother's maiden name / National Insurance number / tax, benefit or pension records / health records / employment record / school attendance or records / material relating to social services including child protection and housing.

22. These are not exhaustive lists. Departments should determine whether other
information they hold should be included in either category.

B. Any source of information about 1000 or more identifiable individuals, other than information sourced from the public domain.

23. This could be a database with 1000 or more entries containing the facts listed in Box 1 (above), or an electronic folder or drive containing 1000 or more records about individuals. [1] Again, this is a minimum standard. Information on smaller numbers of individuals may warrant protection because of the nature of the individuals, nature or source of the information, or extent of information.

[1] The Business Impact Level tables in Reference [e] (Appendix A, also published separately) should be consulted for guidance on the appropriate Impact Level and Reference [s] consulted for guidance on taking aggregation issues into account.
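The two Appendix A tests (Category A: an identifying field together with a field whose release could cause harm; Category B: 1000 or more identifiable individuals not sourced from the public domain) can be applied mechanically to a tabular extract as a first pass over a Department's data inventory. The following is an added example written for this page, not part of the Standard: the header keywords (including Data Protection Act s2 categories such as ethnicity, religion and trade union membership), the use of the identifying columns to count distinct individuals, and the constructed sample extracts are assumptions made here. Because paragraph 22 says the lists are not exhaustive, a result of no category is a prompt for review by the IAO, not a clearance.

```python
"""Added example, not part of HMG IA Standard No. 6: first-pass check of a CSV
extract against Appendix A. Keyword lists and sample data are assumptions."""
import csv
import io

# Box 1 (assumed header keywords): fields that identify a person.
IDENTIFIERS = {"name", "address", "postcode", "email", "telephone", "phone",
               "driving_licence", "date_of_birth", "dob"}
# Box 2 (assumed header keywords): fields whose release is likely to cause harm
# or distress, including DPA s2 sensitive categories.
HARM_FIELDS = {"dna", "fingerprint", "bank", "card", "mothers_maiden_name", "ni_number",
               "national_insurance", "tax", "benefit", "pension", "health", "medical",
               "employment", "school", "social_services", "child_protection", "housing",
               "criminal", "conviction", "ethnicity", "religion", "union", "sexual"}
CATEGORY_B_THRESHOLD = 1000   # Appendix A, category B

def _norm(header):
    return header.strip().lower().replace(" ", "_").replace("-", "_")

def _matches(header, keywords):
    h = _norm(header)
    return any(k in h for k in keywords)

def assess(csv_text, public_domain=False):
    """Return which Appendix A categories an extract falls into.
    Distinct individuals are counted by the tuple of identifying columns."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    headers = list(rows[0].keys()) if rows else []
    ident_cols = [h for h in headers if _matches(h, IDENTIFIERS)]
    harm_cols = [h for h in headers if _matches(h, HARM_FIELDS)]
    individuals = {tuple(r[c] for c in ident_cols) for r in rows} if ident_cols else set()
    categories = []
    if ident_cols and harm_cols:                 # category A: identity linked to harm
        categories.append("A")
    if len(individuals) >= CATEGORY_B_THRESHOLD and not public_domain:   # category B
        categories.append("B")
    return {"identifier_columns": ident_cols, "harm_columns": harm_cols,
            "individuals": len(individuals), "categories": categories,
            "protected": bool(categories)}

def build_sample(n):
    """Constructed extract: n fictional people with only a name and a postcode."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["Name", "Postcode"])
    for i in range(n):
        w.writerow([f"Person {i}", f"AB{i % 100} {i % 10}CD"])
    return out.getvalue()

if __name__ == "__main__":
    print(assess("Name,Health condition\nA. Example,asthma\n"))   # constructed, category A
    print(assess(build_sample(1000)))                              # category B only
    print(assess(build_sample(999)))                               # below threshold
```

Two rows about the same person collapse to one individual, so a folder of repeated correspondence does not trip the 1000 threshold by volume alone; conversely a single health field beside a name is enough for Category A, matching the Standard's point that small datasets may still need protection.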

Appendix B: External Access by Impact/e-GIF Level (1)

Columns: Business Impact Level / "Protective Marking" (2); Types of data/system included in category; e-GIF/CSIA Registration Level and Authentication Levels; Network; External Access (Home PC to WWW; "PED" 3G Data Card; Gov PC WWW "café" WIFI; Gov PC LAN Blue Tooth; Bootable USB).

IL4 / Confidential
Types of data/system: Violent & Sex offenders; Witness Protection
Registration: Level Three. Full ID verification with appropriate vetting and need to know measures
Authentication: Physical / personal / procedural protection with appropriate technical authentication mechanisms such as User Name + Password or Biometric / Certificate / Token
Network: x.GSi; xCJX
External Access: Y (3) N N Y (4)
External Access: N N N Y (5)

IL3 / Restricted / "NHS Confidential"
Types of data/system: Health record; ContactPoint; Crime Record/PNC
Registration: Level Two. Cross-checked ID verification with appropriate vetting and need to know measures
Authentication: User Name; Password / Biometric; Digital Certificate
Network: N3; GSi; CJX
External Access: Y N Y Y (footnotes 6, 7)
External Access: Y Y N Y (footnotes 8, 9, 10)

IL2 / Protect
Types of data/system: General citizen data; Finance Systems
Registration: Level One. Basic ID verification and commercial best practice
Authentication: User Name; Password
Network: GCSx; Best Commercial
External Access: Y N Y Y
External Access: Y Y Y Y (footnote 11)

IL1/IL0
Types of data/system: Google search; BBC News
Registration: Anonymous
Authentication: No authentication required
Network: Any
External Access: Y Y Y Y

Arrangements for material at higher protective markings are dealt with separately.

1 For information on e-GIF, see Reference [ii]
2 For guidance on business impact level tables, see Reference [jj]
3 Via 'Thin Client Internet Browse-down'
4 Via hard-wired Government issue secure laptop (RAS)
5 Requires a strong business case and CESG advice
6 Via CESG-approved product such as BlackBerry (References [kk] and [ll])
7 Via CESG-approved VPN or validated CESG Manual T or Manual V solutions (References [mm] and [nn])
8 Implementations must be compliant with CESG Manual Y (Reference [oo])
9 Via Government issue secure laptop with software (RAS)
10 Using software-based cryptography
11 Requires a strong business case and CESG advice


References
[a] Cabinet Office, Data Handling Procedures in Government: Final Report, June
2008 (Not Protectively Marked). Available at:
http://www.cabinetoffice.gov.uk/media/cabinetoffice/csia/assets/dhr/cross_gov0
80625.pdf

[b] HMG Security Policy Framework, December 2008. Tiers 1-3 (Not Protectively
Marked) are available at: http://www.cabinetoffice.gov.uk/spf.aspx

[c] ISO/IEC Standard 27001, Information Security Management Systems: Requirements,
October 2005 (Replaces ISO/IEC 17799, Part 2). Further information on ISO/IEC
Standards is available at: http://www.iso-standards-international.com

[d] CSIA, Guidance on the Departmental Information Risk Policy, April 2008.
Available in Tier 4 of the SPF.

[e] HMG IA Standard No. 1, Technical Risk Assessment, Part 1, Issue 3.3, March
2009 (Not Protectively Marked). Available from the CESG IA Policy Portfolio.

[f] CSIA, Guidance on the Annual Assessment of Information Risk Management, v2.0,
May 2008. Available in Tier 4 of the SPF.

[g] Centre for the Protection of National Infrastructure, Threats to National Security
(June 2008) (RESTRICTED). Copies for those who ‘need to know’ on a
personal basis are available on request from CPNI, Central Support, PO Box
60628, London SW1P 9HA or enquiries@cpni.gov.uk

[h] CESG Infosec Memorandum No. 2, The Threat of Technical Attack Against
Information and Communications Technology Systems, Issue 5.2, May 2008
(UK RESTRICTED). Available from the CESG IA Policy Portfolio.

[i] HMG IA Standard No. 2, Risk Management and Accreditation of Information Systems,
Issue 3.1, October 2008 (Not Protectively Marked). Available from the CESG IA
Policy Portfolio.

[j] Information Commissioner's Office, Privacy Impact Assessments. Available at:
http://www.ico.gov.uk/upload/documents/pia_handbook_html/html/foreword.html


[k] Office of Government Commerce, Current Model Terms and Conditions of Contract.
Available at: http://www.ogc.gov.uk/0_procurement_principles_terms_and_conditions.asp

[l] CSIA, Guidance on Mandatory Roles (AO, SIRO, IAO), v1.0, April 2008.
Available in Tier 4 of the SPF.

[m] CSIA, Guidance on Non Mandatory Roles, May 2008. Available at:
http://www.cabinetoffice.gov.uk/csia/publications.aspx and in Tier 4 of the SPF.

[n] CSIA, Guidance on Notification of Breaches of a Classified Nature, v1.0, May 2008.
Available in Tier 4 of the SPF.

[o] CSIA, Reporting of Data Breaches of an Unclassified Nature, v2.0, October 2008.
Available in Tier 4 of the SPF.

[p] Information on GovCertUK and its services is available at: http://www.govcertuk.gov.uk

[q] HMG IA Standard No. 4, Communications Security and Cryptography, Issue 3.1,
October 2008 (UK RESTRICTED), Part 1, Chapter 17. Available from the
CESG IA Policy Portfolio.

[r] CSIA, Guidance on the Information Charter, v2.0, May 2008. Available in Tier 4
of the SPF.

[s] CESG Good Practice Guide No. 9, Taking Account of the Aggregation of
Information, Issue 1.2, March 2009 (Not Protectively Marked). Available from
the CESG IA Policy Portfolio.

[t] CESG Good Practice Guide No. 10, Remote Working, Issue 1.0, March 2009
(UK RESTRICTED). Available from the CESG IA Policy Portfolio.

[u] CESG Good Practice Guide No. 5, Securing Data at Rest on Laptops, Issue 2.0,
March 2009 (UK RESTRICTED). Available from the CESG IA Policy Portfolio.

[v] For policy on encryption grades, including the FIPS 140-2 standard, see HMG IA
Standard No. 4, Communications Security and Cryptography, Issue 3.1, October 2008,
Part 1, Chapter 3 (UK RESTRICTED). Available from the CESG IA Policy Portfolio.


[w] For information on CESG-approved encryption products, see the CESG Directory of
Infosec Approved Products, July 2008 (Not Protectively Marked), available at
http://www.cesg.gov.uk/site/publications/media/directory.pdf

[x] CESG Good Practice Guide No. 3, Securing Bulk Data Transfers, Issue 2.0,
March 2009 (UK RESTRICTED) (under review). Available from the CESG IA
Policy Portfolio.

[y] CESG Infosec Memorandum No. 24, Passwords, Tokens and Biometrics Used
in Combination for Identification and Authentication of Users of Government IT
Systems, Issue 2.2, February 2006 (Not Protectively Marked) (under review).
Available from the CESG IA Policy Portfolio.

[z] CESG Infosec Memorandum No. 26, Passwords for Identification and
Authentication, Issue 4.0, February 2008 (Not Protectively Marked) (under
review). Available from the CESG IA Policy Portfolio.

[aa] CESG Infosec Memorandum No. 27, Assessment of the Contribution of Tokens
to Multi-Factor Identification and Authentication Systems, Issue 1.0, June 2004
(Not Protectively Marked) (under review). Available from the CESG IA Policy
Portfolio.

[bb] CESG Good Practice Guide No. 8, Protecting External Connections to the
Internet, Issue 1.0, March 2009 (Not Protectively Marked). Available from the
CESG IA Policy Portfolio.

[cc] HMG IA Standard No. 5, Secure Sanitisation of Protectively Marked Information or
Sensitive Information, Issue 3.0, March 2009 (Not Protectively Marked) (under
review). Available from the CESG IA Policy Portfolio.

[dd] CESG Infosec Manual S, Guidance on Secure Sanitisation and Disposal, Issue
2.0, September 2007 (Not Protectively Marked) (under review). Available from
the CESG IA Policy Portfolio.

[ee] CSIA, Outline Specification for DHR Information Awareness Training, v2.1, May
2008. Available at: http://www.cabinetoffice.gov.uk/csia/publications.aspx
(under Outline Specification for DHR Information Risk Awareness Training) and
in Tier 4 of the SPF.

[ff] CSIA, Specification for Training for DHR Mandatory Roles: AO, SIRO and IAO,
v2.0, May 2008. Available at: http://www.cabinetoffice.gov.uk/csia/publications.aspx
(under Guidance on Role Specific Training) and in Tier 4 of the SPF.

[gg] CSIA, Guidance on the Forensic Readiness Policy, v1.0, May 2008. Available in
Tier 4 of the SPF.

[hh] NISCC Technical Note 01/2005, An Introduction to Forensic Readiness Planning,
27 May 2005 (Not Protectively Marked). Available at:
http://www.cpni.gov.uk/docs/re-20050621-00503.pdf

[ii] CSIA, The e-Government Interoperability Framework, Version 6.1, March 2005
(Not Protectively Marked). Available at:
http://www.govtalk.gov.uk/schemesstandards/egif.asp

[jj] CSIA, Guidance on the Use of the Business Impact Level Tables, v1.0, May
2008. Available in Tier 4 of the SPF.

[kk] CESG Security Procedures for BlackBerry® Enterprise Solution Administrators,
Issue 1.5, October 2008 (Not Protectively Marked). Available from the CESG IA
Policy Portfolio.

[ll] CESG Security Procedures for BlackBerry® Enterprise Solution Users, Issue 1.3,
July 2007 (Not Protectively Marked). Available from the CESG IA Policy
Portfolio.

[mm] CESG Infosec Manual T, Use of the Transport Layer Security Protocol for HMG
Protectively Marked Material – Implementation Standards, Issue 2.0, August
2007 (Not Protectively Marked). Available from the CESG IA Policy Portfolio.

[nn] CESG Infosec Manual V, Use of IPSec in Government Systems – Implementation
Standards, Issue 3.0, October 2007 (UK RESTRICTED). Available from the CESG IA
Policy Portfolio.

[oo] CESG Infosec Manual Y, Use of WPA2 Unevaluated Wireless Technology in
Government Systems, Issue 1.0, January 2007 (UK RESTRICTED). Available from the
CESG IA Policy Portfolio.


Glossary
Accounting Officer – Has overall responsibility for ensuring that a Department’s
information risks are assessed and mitigated to an acceptable level. The accounting
officer signs the annual Statement on Internal Control. From financial year 08/09
onwards, this MUST explicitly cover information risk.

Aggregation – The effect produced when a large number of data items at one
Impact Level are collected, which often, but not always, results in the Impact Level of
the compromise of the whole collection being significantly higher than the Impact of
compromise of a single item.

CESG – The National Technical Authority for Information Assurance (formerly
Communications-Electronics Security Group), part of Government Communications
Headquarters.

CINRAS (Comsec Incident Notification, Reporting and Alerting Scheme) – A national
scheme managed by CESG, as the UK Comsec evaluating authority, to provide
assistance and alerting when cryptographic items (encryption devices or key material)
are compromised, and to monitor general trends and problems in order to inform
training and systems design requirements.

CIO (Chief Information Officer) – The senior individual responsible for policies and
procedures concerning the handling of information within a Department, sometimes
combined with the head of information technology role. The role of CIO, if a board-
level appointment, may be combined with that of the SIRO.

e-GIF (e-Government Interoperability Framework) – Defines the technical policies
and specifications governing information flows across government and the public
sector, covering interconnectivity, data integration, e-service access and content
management.

FIPS 140-2 – A standard for cryptographic modules formulated by the US National
Institute of Standards and Technology and the Canadian Communications Security
Establishment.

Gateway – The OGC Gateway™ process examines the progress and likelihood of
successful delivery of programmes and projects. Its use is mandatory in central
Government for procurement, IT-enabled and construction projects.


GovCertUK – The UK Government's Computer Emergency Response Team, part of
CESG, responsible for providing advice and assistance on network security
incidents.

IAO (Information Asset Owner) – IAOs MUST be senior individuals involved in
running the relevant business. Their role is to understand what information is held,
what is added and what is removed, how information is moved, and who has access
and why. As a result, they are able to understand and address risks to the
information, and ensure that information is fully used within the law for the public
good. They provide a written judgement of the security and use of their asset
annually to support the audit process.

ICT (Information and Communications Technology) – A generic term used to
describe any system used for storing, processing or transmitting information.

Privacy Impact Assessment – A structured assessment, adopting a risk
management approach, of a project's potential impact on privacy, enabling
Departments to anticipate and address the likely impacts of new initiatives, foresee
problems and negotiate solutions.

SIRO (Senior Information Risk Owner) – An executive who is familiar with information
risks and the organisation’s response. They own the information risk policy and risk
assessment, act as an advocate for information risk on the board and in internal
discussions, and provide written advice to the accounting officer on the content of
their Statement on Internal Control relating to information risk.

Statement on Internal Control – An annual statement, informed by a Department's
annual assessments, submitted by the Accounting Officer and scrutinised by the
National Audit Office to assess compliance with mandatory requirements.


Customer Feedback
CESG Information Assurance Guidance and Standards welcomes feedback and
encourages readers to inform CESG of their experiences, good or bad, with this
document. We would especially like to know about any inconsistencies and
ambiguities. Please use this page to send your comments to:

Customer Support
CESG
A2j
Hubble Road
Cheltenham GL51 0EX
(for the attention of IA Policy Development Team)

Fax: (01242) 709193 (for NOT PROTECTIVELY MARKED FAXES ONLY)


Email: enquiries@cesg.gsi.gov.uk

For additional hard copies of this document and general queries please contact
CESG enquiries at the address above

PLEASE PRINT

Your Name:

Department/Company Name and Address:

Phone number:
Email address:

Comments:


CESG
B2h
Hubble Road
Cheltenham
Gloucestershire
GL51 0EX

Tel: +44 (0)1242 709141


Fax: +44 (0)1242 709293
Email: enquiries@cesg.gsi.gov.uk

© Crown Copyright 2009. Communications on CESG telecommunications systems may be monitored
or recorded to secure the effective operation of the system and for other lawful purposes. This
information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject
to exemption under other U.K. Information legislation. Refer disclosure requests to the originating
Agency.
