Contents

1. Part 1: Context Establishment..................................................................................................2

1.1 Organizational Overview.......................................................................................................2

1.2 Data Breaches........................................................................................................................3

1.3 Assumptions...........................................................................................................................3

1.4 Threat Landscape...................................................................................................................5

2. Part 2: Risk Assessment...........................................................................................................6

2.1 Asset-Based Risk Register.....................................................................................................6

2.1.1 Criminal Case Data:........................................................................................................6

2.1.2 Police Officer Personal Data...........................................................................................7

2.1.3 Public Safety Data:..........................................................................................................7

2.1.4 Legal and Compliance Record:.......................................................................................7

2.1.5 Body-Worn Camera Footages:........................................................................................7

2.1.6 Financial Assets:..............................................................................................................8

2.1.7 Physical Safety (Equipment and Facilities):...................................................................8

2.2 Risk Mitigation Strategies....................................................................................................10

References......................................................................................................................................12
 1. Part 1: Context Establishment

1.1 Organizational Overview

The Police Service of Northern Ireland (PSNI) is the major law enforcement organization

responsible for upholding order in the region. Because it deals with upholding the rule of law,

ensuring public safety, and maintaining law and order, this is a crucial role (Byrne & Monaghan,

2008). The PSNI is a large organization with numerous departments and divisions, each of which

has a specific function. Two significant departments within PSNI are the Information

Management and Records Management sections. These departments are essential to the

business's functioning since they are in charge of handling the private and sensitive data

belonging to employees and police officers (Sinclair, 2012).

The department in charge of records management is in charge of keeping track of and arranging

the paperwork and records needed to keep the police force operating effectively. This includes

keeping track of administrative documents, case files, and evidence. For the operation and

security of the force, sensitive information, including personal data, must be handled securely.

This is the focus of the information management department (De Hert & Papakonstantinou,

2016).

The purpose of the PSNI is contingent upon the efficient management and safeguarding of this

information. It not only guarantees the efficient operation of the police force but also protects the

security and privacy of the personnel, including police officers, whose personal information is

handled by these agencies.

1.2 Data Breaches

In recent years, the PSNI has experienced a number of data breaches, the most notable and

alarming of which was in August 2023 (Analytica, 2023). In response to a Freedom of

Information request, personal information in the form of the names and initials of roughly 10,000

police workers was unintentionally revealed during this incident (BBC, 2023). This hack is

extremely concerning because it jeopardizes police officers' safety and security in addition to

exposing their personal information. Given the seriousness of this violation, the PSNI launched a

separate investigation. The primary goal of this study is to conduct a thorough investigation into

the incident, look at the procedures and actions that resulted in the data breach, and evaluate the

organizational elements that played a role. Understanding the underlying reasons for the breach,

assessing the benefits and drawbacks of the existing procedures, and identifying systemic

problems that require attention are all made possible by the independent study. It's also a

proactive move meant to improve data security, stop such events from happening again, and

regain public and corporate trust.

1.3 Assumptions

Commitment to Information Security Improvement: In order to stop future data breaches, it is

essential to assume that the PSNI is dedicated to enhancing its information security management

procedures and guidelines. It is essential that the PSNI significantly enhances its information

security architecture in light of the recent data breaches. This commitment covers organizational

and technical facets of security, such as data handling protocols, employee training, and security

awareness initiatives, as well as technological components like network infrastructure and

cybersecurity safeguards.
The PSNI may think about using a number of measures to successfully fulfil this goal,

including:

 Carrying out thorough risk analyses to find weak points and potential dangers.

 Putting cutting-edge cybersecurity solutions into practice to guard private information

against online threats.

 Creating and implementing strong access control procedures to prevent unwanted access

to private data.

 Providing all staff with frequent, in-depth training to increase knowledge of security best

practices and possible risks.

Cooperation with the Independent Review: A key component of tackling the issues raised by

data breaches is the presumption that the organization would collaborate with the independent

review and make the required adjustments to guarantee compliance with pertinent legal,

statutory, and regulatory obligations. Participation in the review indicates a proactive effort to

find and address the core causes of the incident. This collaboration entails:

 Giving the review complete access to all pertinent information, procedures, and breach

participants.

 Promoting a transparent and open interchange of data and conclusions.

 Paying attention to the recommendations of review and making a commitment to making

the required adjustments to resolve any problems that are found.

Cooperation with Regulatory Bodies: It is a proactive and legally compliant move for the PSNI

to presume that it will collaborate extensively with the Police Ombudsman and the Information

Commissioner's Office (ICO) to address data protection and information security concerns.
Working together with these regulatory authorities is important because it guarantees that the

company will continue to comply with the laws and rules that control information security and

data protection. In order to properly carry out this assumption, the PSNI may do the following:

 Actively cooperating with the ICO to comprehend and abide by the General Data

Protection Regulation (GDPR) details, guaranteeing that personal data is handled in

compliance with the law.

 Working together with the Police Ombudsman to guarantee that all activities, such as

data management and security procedures, comply with all applicable statutory and legal

requirements.

 Taking part in regular training sessions and conversations hosted by these organizations

to stay current on changing data security and protection procedures.

1.4 Threat Landscape

The PSNI works in a complicated setting where there are a number of information security

concerns. A few of the main dangers are as follows:

Cyberattacks and Data Breaches: In the past, the PSNI has suffered from cyberattacks and data

breaches. These mishaps have the potential to reveal private information, jeopardizing public

confidence and operational effectiveness.

Insider Threats: When workers or contractors reveal confidential knowledge, they may

unintentionally or purposely create an insider threat. These risks could result from carelessness

or, in rare instances, deliberate acts that jeopardize data security.

External Threats: There is always a risk that hackers and other malevolent actors will attack the

PSNI's personnel or systems. Vulnerabilities may be exploited by these people or organizations

to obtain unauthorized access or interfere with operations.

In conclusion, the PSNI is dedicated to resolving these concerns, adhering to legal and regulatory

obligations, and rebuilding public trust despite the organization's substantial challenges with data

breaches and information security. It will be able to better fulfil its overarching goal of

safeguarding Northern Ireland's safety and security while defending the rights and interests of all

parties involved by doing this.

2. Part 2: Risk Assessment

2.1 Asset-Based Risk Register

An essential instrument for risk management, an asset-based risk register helps in the

identification, evaluation, and prioritization of risks related to assets for institutions (Korn &

Veldman, 2008), such as the Police Service of Northern Ireland (PSNI). In this sense, the term

"assets" refers to a variety of components or resources that are important to the company, each of

which has a unique set of risks. To better grasp the risks and their ramifications, let's examine the

Asset-Based Risk Register for the PSNI:

2.1.1 Criminal Case Data:

Since it includes details on current investigations and court cases, criminal case data is a vital

resource for the PSNI. There could be dire repercussions from the possibility of illegal access or

data breaches. Investigations that are compromised may lead to missing evidence or private

information being revealed, which could endanger the legal system.

2.1.2 Police Officer Personal Data

Personal information about police officers, including addresses, phone numbers, and identifying

characteristics, is valuable and sensitive. Identity theft is a possible consequence of unauthorized

access to this data, which can also lead to privacy violations (Aïmeur & Schőnfeld, 2011). Legal

repercussions may ensue, particularly in cases when police enforcement personnel's personal

information is not protected.

2.1.3 Public Safety Data:

The primary goal of PSNI is to provide public safety information (Byrne & Monaghan, 2008).

Threats to public safety may arise from unauthorized access or data breaches that reveal private

information that could be used by bad actors. Additionally, perceived inadequacies in protecting

this important data may lead to a decline in public confidence.

2.1.4 Legal and Compliance Record:

Documents pertaining to legal and compliance are essential for proving conformity to rules and

laws (Boella et al., 2012). Loss of data or unauthorized access might result in non-compliance,

which can have negative legal and regulatory repercussions. Such events have a moderate chance

of occurring, yet they can have a big impact.

2.1.5 Body-Worn Camera Footages:

In-the-field interactions and vital evidence are recorded by body-worn cameras. Unauthorized

access to this video may lead to invasions of privacy, legal repercussions, and tainted

investigations. Sustaining credibility and confidence requires ensuring the security and integrity

of this data.
2.1.6 Financial Assets:

The financial assets of PSNI are represented by its financial resources. Although not very likely,

risks associated with fraud or financial mismanagement can have a big effect. This covers

monetary losses, court cases, and fines from regulations.

2.1.7 Physical Safety (Equipment and Facilities):

Physical security includes safeguarding PSNI property and tools. Dangers from theft, vandalism,

and illegal access can interfere with regular business operations and cause property damage.

Despite the generally low to moderate likelihood, there may be substantial effects.

In conclusion, the PSNI's Asset-Based Risk Register outlines the wide variety of assets, risks

connected with them, possible consequences, and the chance that these risks may materialize.

The PSNI can protect its vital information assets and preserve the integrity, privacy, and trust

necessary for its goals by thoroughly evaluating these risks and putting in place the necessary

mitigating measures. The organization's risk management and well-informed decision-making

are supported by this registry.

Table 1: Asset-Based Risk Register for the Police Service of Northern Ireland (PSNI)

Asset Category Risk Impact Likelihood

Compromised
Unauthorized access, Moderate to
Criminal Case Data investigations, legal
data breaches high
consequences

Police Officer Unauthorized access, Privacy violations, identity Moderate to

Personal Data data breaches theft, legal consequences high

Public Safety Unauthorized access, Public safety threats, loss of Moderate to

Information data breaches public trust high

Legal and regulatory non-

Legal and Unauthorized access,
compliance, legal Moderate
Compliance Records data loss
consequences

Body-Worn Unauthorized access, Privacy violations, legal Moderate to

Cameras Footage data breaches consequences high

Financial Financial losses, legal and Low to

Financial Assets
mismanagement, fraud regulatory consequences moderate

Physical Security
Unauthorized access, Disruption of operations, Low to
(Facilities and
theft, vandalism property damage moderate
Equipment)
2.2 Risk Mitigation Strategies

Criminal Case Data: Strong data encryption and access restrictions will be put in place to reduce

the possibility of unauthorized access and data breaches involving criminal case data. Ensuring

the lawful and secure management of data is contingent upon compliance with GDPR and data

protection legislation. Moreover, regular evaluation of security measures to find and counter new

threats.

Police Officer Personal Data: Strict access controls, data encryption, and GDPR compliance

will all help to reduce the risk of unauthorized access and data breaches involving police officer

personal data. Staff members must complete mandatory data protection training to increase

awareness and guarantee compliance with data protection regulations.

Public Safety Information: To reduce the possibility of unauthorized access and data breaches

involving public safety information, strict access restrictions, data encryption, and adherence to

GDPR and data protection regulations will be implemented. Security will be improved by regular

employee training on privacy and data protection.

Legal and Compliance Records: Encryption and access restrictions will be used to reduce the

possibility of unwanted access and data loss. Priority will be given to adhering to legal and

regulatory obligations, including GDPR, with frequent audits confirming compliance and data

integrity.

Body-Worn Camera Footage: By putting encryption and access controls in place, the threat of

unauthorized access and data breaches in body-worn camera footage will be reduced. The

privacy of the video will be guaranteed by compliance with GDPR and data protection

legislation, and regular security audits will maintain the security measures current.
Financial Resources: Regular financial risk analysis will be carried out to identify abnormalities

and stop fraud in order to reduce the risk of financial mismanagement and fraud. In addition to

routine audits to guarantee financial compliance, internal controls will be implemented for

financial monitoring and responsibility.

Physical Security (Facilities and Equipment): The use of security guards, access controls, and

surveillance systems will help reduce theft, damage, and unauthorized entry. There will be a

disaster recovery strategy in place to handle any possible harm, and vulnerabilities and

weaknesses will be found through routine security risk assessments.

For every asset class, these risk mitigation strategies offer a clear approach to information

security and risk management while addressing the hazards that have been identified.
 Contents
Secure Access and Document Management Policy.........................................................................3

1. Policy Statement......................................................................................................................3

2. Objective..................................................................................................................................3

3. Scope........................................................................................................................................4

4. Responsibilities........................................................................................................................4

4.1 Information Security Officer..............................................................................................4

4.2 Data Owners.......................................................................................................................5

4.3 System Administrators.......................................................................................................5

4.4 Users...................................................................................................................................5

5. Access Control Policy..............................................................................................................5

5.1 Role-based Access Control (RBAC)..................................................................................5

5.2 Strong Authentication.........................................................................................................6

5.3 Access Logs........................................................................................................................6

5.4 Least Privilege Principle....................................................................................................6

6. Document Management Policy................................................................................................7

6.1 Classification of Documents (ISO 27002, Section 5.12)...................................................7

6.2 Document Encryption (Section 8.12 of ISO 27002)..........................................................7

6.3 Document Disposal and Retention (Section 5.1 of ISO 27002).........................................7

6.4 Audit Trail (Section 5.1 of ISO 27002)..............................................................................8

7. Data Leakage Prevention Policy..............................................................................................8

7.1 Solutions for Data Loss Prevention (DLP).........................................................................8

 7.2 Examining Content.............................................................................................................8

7.3 Response Plan for Incidents...............................................................................................8

7.4 Education and Knowledge..................................................................................................8

7.5 Procedures for Reporting....................................................................................................8

8. Compliance with Legal and Regulatory Requirements...........................................................9

8.1 Data Protection Officer......................................................................................................9

8.2 Consistent Audits...............................................................................................................9

8.3 Rights of Data Subjects......................................................................................................9

8.4 Reporting of Incidents........................................................................................................9

9. Review and Revisions..............................................................................................................9

10. Appendix..............................................................................................................................10

10.1 Documents Classification...............................................................................................10

10.2 Data Breach Reporting...................................................................................................10

Secure Access and Document Management Policy

1. Policy Statement

The first and foremost objective of PSNI is to maintain the secrecy of all the confidential

information. In this connection, this document offers some valuable strategies that will be helpful

for PSNI to avoid any potential data breach. The objective of this document is to provide the

PSNI with useful strategies that will help the internal staff to access the valuable information.

Moreover, the other objective is to protect the documents and information from external threats.

Since it is impossible to stop access control on information, but offering an organization with

control is a workable idea. Thus, the purpose of this document is to provide PSNI with secure

access and document management policy.

2. Objective

This extensive policy aims to give the PSNI a solid and well-defined framework for the safe

access to and efficient handling of documents. The goal of this document is to handle the

constant information security threats that businesses encounter while maintaining tight adherence

to the numerous legal, regulatory, and contractual obligations that control our business.

Information asset management is critical in today's networked environment. The main goal of

this policy document is to provide precise rules and operational protocols that protect the data

from threats and enable the staff to handle these assets with knowledge. By doing this, this

document strengthens the safety against information breach threats and promote a common sense

of accountability and alertness.

This policy is the cornerstone of the dedication to offering dependable and secure services; it is

not just a formality. This document seeks to reassure that all the stakeholders those have a robust

and proactive plan in place to safeguard the most valuable asset, which is information, through

these guidelines. This policy document goes in line with ISO 27002, demonstrating the

commitment to the values of availability, confidentiality, and integrity in all facets of

information management.

3. Scope

All employees, contractors, and other persons having access to PSNI information assets are

subject to the terms of this policy. It includes all of the physical and digital records and

documents kept by PSNI. The scope is in line with ISO 27002, Section 5.1, which highlights the

necessity of informing pertinent staff members and interested parties about policies in order to

ensure their successful implementation.

4. Responsibilities

Roles must be clearly specified in order for this policy to be implemented and enforced

successfully. Every function is essential to guarantee that the information assets are safeguarded

and that everyone must adhere to the guidelines provided in ISO 27002, Section 5.1—"Policies

for Information Security."

4.1 Information Security Officer

This crucial position is in charge of coordinating and monitoring adherence to this policy. The

PSNI's information security environment is unified and robust thanks to the Information Security

Officer's diligent implementation of all policy provisions.

4.2 Data Owners

The important responsibility of categorizing and protecting information assets falls to data

owners. Data owners make sure that information is adequately classified according to its

sensitivity by following ISO 27002, Section 5.12 on "Classification of Information." This

classification aids in determining the degree of security required to preserve the data's

availability, confidentiality, and integrity.

4.3 System Administrators

As highlighted in ISO 27002, Section 5.15 on "Access Control," system administrators are at

the forefront of implementing access controls and monitoring access. They play a hands-on role

in making sure that the right people have the right level of access to our information assets while

also monitoring and addressing any deviations.

4.4 Users

Every PSNI member is essential to preserving the integrity of this policy. It is the responsibility

of users to follow access guidelines, comprehend data categorization, and handle documents

efficiently. User compliance is necessary to ensure that the goals of the policy are collectively

upheld. This is in line with ISO 27002, Section 5.1, which highlights the necessity of

communicating policies to pertinent staff members and interested parties in order for them to be

implemented effectively.

5. Access Control Policy

5.1 Role-based Access Control (RBAC)

PSNI should use Role-based Access Control (RBAC) as its guiding principle for access

permissions in compliance that is in line with ISO 27002, Section 5.15 on "Access Control."
Access permissions can be granted in accordance with this policy according to work positions

and responsibilities. This procedure ensures that access is only provided to employees to the

degree required to carry out their tasks, in accordance with ISO 27002, Section 5.15.

5.2 Strong Authentication

Strong authentication is emphasized as being crucial to protecting information assets in ISO

27002, Section 5.15. Accordingly, the PSNI requires that all users gaining access to sensitive

data employ multi-factor authentication (MFA). By forcing users to submit several forms of

verification, such as a password and a one-time code, before getting access, MFA improves

security. It is essential to have this extra security layer in place to stop illegal access to sensitive

data.

5.3 Access Logs

The core of this access control policy is to keep access records in accordance with ISO 27002,

Section 5.15. Our attempts to maintain auditability and accountability depend heavily on these

logs. Access logs are a vital technique to spot any anomaly of usage. It helps in identifying any

unauthorized access to the account or document. Thus, it helps an organization to avoid any

potential risk of data breach.

5.4 Least Privilege Principle

In accordance with ISO 27002, Section 5.15, a fundamental component of this access control

strategy is the concept of least privilege. It requires that access be limited to what is minimally

required for employees to carry out their responsibilities. This procedure reduces the possibility

of unintentional data breaches and stops unwanted access to information systems. By ensuring

that employees only access information that is necessary for their jobs, the least privilege

concept helps to minimize the attack surface that could be exploited by hostile actors.
6. Document Management Policy

Information security is based on efficient document management, and this policy seeks to make

sure that digital and physical documents are managed carefully and in accordance with ISO

27002 requirements in different areas.

6.1 Classification of Documents (ISO 27002, Section 5.12)

To align with ISO 27002's emphasis on "Classification of Information," we require all

documents to be systematically classified according to their level of sensitivity. This procedure

adheres to the Appendix 10.1 document classification scheme.

6.2 Document Encryption (Section 8.12 of ISO 27002)

This document proposes the need of encryption to protect the privacy of important digital

information and papers. We preserve our digital assets by following the guidelines in ISO 27002,

Section 8.12 on "Data Leakage Prevention." Sensitive data integrity and confidentiality are

protected by encryption, a strong defense against unwanted access.

6.3 Document Disposal and Retention (Section 5.1 of ISO 27002)

This document recognizes the need to uphold precise policies and procedures for document

keeping. This document seeks to propose a method that conforms to ISO 27002, Section 5.1,

which addresses "Policies for Information Security." These regulations prescribe the safe and

orderly destruction of records that are no longer required, guaranteeing that private data is not

left on file for an extended period of time. Appendix 10.1 contains specific instructions regarding

document retention and destruction.

6.4 Audit Trail (Section 5.1 of ISO 27002)

An exact audit trail of document access, modifications, and disposals is kept for compliance and

accountability purposes. The audit trail, which helps in monitoring and investigation of any

suspicious activity concerning documents, and provides transparency. This protocol adheres to

the "Policies for Information Security" specified in ISO 27002.

7. Data Leakage Prevention Policy

7.1 Solutions for Data Loss Prevention (DLP)

As stated in Appendix 10.2, Data Breach Reporting Procedure, DLP solutions must be used in

order to detect and stop unlawful data transfers.

7.2 Examining Content

Regular content scans are necessary to identify and restrict the delivery of sensitive material.

7.3 Response Plan for Incidents

An incident response strategy needs to be developed and kept up to date in order to respond

quickly in the event that data leaks.

7.4 Education and Knowledge

Employees must take part in mandatory training sessions to learn about the dangers of data leaks

and how to prevent them.

7.5 Procedures for Reporting

It is necessary to set up a private reporting system so that staff members can report occurrences

of suspected data leaks.

8. Compliance with Legal and Regulatory Requirements

8.1 Data Protection Officer

To guarantee adherence to data protection rules and regulations, a Data Protection Officer must

be hired.

8.2 Consistent Audits

To make sure that the GDPR and other pertinent legislation are being followed, audits must be

done on a regular basis.

8.3 Rights of Data Subjects

Procedures for handling requests for access, rectification, and erasure made by data subjects

must be set up.

8.4 Reporting of Incidents

GDPR mandates that mandatory data breach reporting be done in accordance with the Data

Breach Reporting Procedure in Appendix 10.2.

9. Review and Revisions

This policy will be examined once a year or as frequently as needed to make sure it stays current

and useful. Any changes must be quickly communicated, recorded, and put into effect. As it is in

line with ISO 27002, Section 5.1: Information Security Policies.

10. Appendix

10.1 Documents Classification

10.2 Data Breach Reporting

References

Aïmeur, E., & Schőnfeld, D. (2011). The ultimate invasion of privacy: Identity theft. 2011 Ninth

Annual International Conference on Privacy, Security and Trust,

Analytica, O. (2023). Data breach increases Northern Irish security risk. Emerald Expert

Briefings(oxan-es).

BBC. (2023). PSNI data breach: Independent review to be launched.

https://www.bbc.com/news/uk-northern-ireland-66578582

Boella, G., Humphreys, L., Martin, M., Rossi, P., Van Der Torre, L., & Violato, A. (2012).

Eunomos, a legal document and knowledge management system for regulatory

compliance. Information Systems: Crossroads for Organization, Management,

Accounting and Engineering: ItAIS: The Italian Association for Information Systems,

Byrne, J., & Monaghan, L. (2008). Policing Loyalist and Republican Communities:

Understanding key issues for local communities and the PSNI. Institute for Conflict

Research Belfast.

De Hert, P., & Papakonstantinou, V. (2016). The new police and criminal justice data protection

directive: a first analysis. New journal of European criminal law, 7(1), 7-19.

Korn, M. S., & Veldman, E. (2008). Benefits of continuous risk management in (physical) asset

orientated companies. 2008 First International Conference on Infrastructure Systems and

Services: Building Networks for a Brighter Future (INFRA),

Sinclair, G. (2012). Exporting the UK police ‘brand’: The RUC-PSNI and the international

policing agenda. Policing: a journal of policy and practice, 6(1), 55-66.