1.3 Assumptions
References
1. Part 1: Context Establishment
The Police Service of Northern Ireland (PSNI) is the principal law enforcement organization responsible for upholding order in the region. Because it is charged with upholding the rule of law, ensuring public safety, and maintaining law and order, this is a crucial role (Byrne & Monaghan, 2008). The PSNI is a large organization with numerous departments and divisions, each of which has a specific function. Two significant departments within the PSNI are the Information Management and Records Management sections. These departments are essential to the organization's functioning since they are in charge of handling the private and sensitive data
The Records Management department is responsible for keeping track of and organizing the paperwork and records needed to keep the police force operating effectively, including administrative documents, case files, and evidence. For the operation and security of the force, sensitive information, including personal data, must be handled securely; this is the focus of the Information Management department (De Hert & Papakonstantinou, 2016).
The PSNI's mission depends on the efficient management and safeguarding of this information. It not only guarantees the efficient operation of the police force but also protects the security and privacy of its personnel, including police officers, whose personal information is
In recent years, the PSNI has experienced a number of data breaches, the most notable and
Information request, personal information in the form of the surnames and initials of roughly 10,000 police officers and civilian staff was unintentionally disclosed during this incident (BBC, 2023). This breach is extremely concerning because it jeopardizes officers' safety and security in addition to exposing their personal information. Given the seriousness of this violation, the PSNI launched an independent review. The primary goal of this study is to conduct a thorough investigation into the incident, examine the procedures and actions that resulted in the data breach, and evaluate the organizational factors that played a role. Understanding the underlying causes of the breach, assessing the strengths and weaknesses of the existing procedures, and identifying systemic problems that require attention are all made possible by the independent review. It is also a proactive move meant to improve data security, stop such events from happening again, and
1.3 Assumptions
essential to assume that the PSNI is dedicated to enhancing its information security management procedures and guidelines. In light of the recent data breaches, it is essential that the PSNI significantly strengthens its information security architecture. This commitment covers the organizational and technical facets of security, such as data handling protocols, employee training, and security
cybersecurity safeguards.
To fulfil this goal, the PSNI may consider a number of measures, including:
- Carrying out thorough risk analyses to find weak points and potential threats.
- Creating and implementing strong access control procedures to prevent unauthorized access to private data.
- Providing all staff with frequent, in-depth training to increase awareness of security best
Cooperation with the Independent Review: A key component of tackling the issues raised by the data breaches is the assumption that the organization will collaborate with the independent review and make the required adjustments to guarantee compliance with pertinent legal, statutory, and regulatory obligations. Participation in the review indicates a proactive effort to find and address the root causes of the incident. This collaboration entails:
- Giving the review complete access to all pertinent information, procedures, and the people involved in the breach.
Cooperation with Regulatory Bodies: It is assumed that the PSNI will collaborate extensively with the Police Ombudsman and the Information Commissioner's Office (ICO) to address data protection and information security concerns; doing so is both proactive and legally required. Working with these regulatory authorities ensures that the organization continues to comply with the laws and rules governing information security and data protection. To give effect to this assumption, the PSNI may do the following:
- Actively cooperating with the ICO to understand and abide by the General Data
- Working together with the Police Ombudsman to guarantee that all activities, including data management and security procedures, comply with applicable statutory and legal requirements.
- Taking part in regular training sessions and discussions hosted by these organizations
The PSNI operates in a complicated environment where there are a number of information security
Cyberattacks and Data Breaches: In the past, the PSNI has suffered cyberattacks and data breaches. These incidents have the potential to reveal private information, jeopardizing public
Insider Threats: When employees or contractors disclose confidential information, whether unintentionally or deliberately, they create an insider threat. These risks could result from carelessness
In conclusion, despite the organization's substantial challenges with data breaches and information security, the PSNI is dedicated to resolving these concerns, adhering to legal and regulatory obligations, and rebuilding public trust. It will thereby be better able to fulfil its overarching goal of safeguarding Northern Ireland's safety and security while defending the rights and interests of all
An asset-based risk register is an essential risk management instrument: it helps institutions such as the Police Service of Northern Ireland (PSNI) identify, evaluate, and prioritize the risks related to their assets (Korn & Veldman, 2008). In this sense, "assets" refers to the variety of components or resources that are important to the organization, each of which carries its own set of risks. To better grasp the risks and their ramifications, let's examine the
Criminal case data is a vital resource for the PSNI since it includes details on current investigations and court cases. Unauthorized access or data breaches could have dire repercussions: compromised investigations may lead to missing evidence or private
Personal information about police officers, including addresses, phone numbers, and identifying
access to this data, which can also lead to privacy violations (Aïmeur & Schőnfeld, 2011). Legal repercussions may ensue, particularly in cases where law enforcement personnel's personal
Public safety information underpins the PSNI's primary goal of providing public safety (Byrne & Monaghan, 2008). Threats to public safety may arise from unauthorized access or data breaches that reveal private information that could be exploited by bad actors. Additionally, perceived inadequacies in protecting
Legal and compliance documents are essential for demonstrating conformity with rules and laws (Boella et al., 2012). Data loss or unauthorized access might result in non-compliance, which can have negative legal and regulatory repercussions. Such events have a moderate chance
Body-worn cameras record in-the-field interactions and vital evidence. Unauthorized access to this footage may lead to invasions of privacy, legal repercussions, and tainted investigations. Sustaining credibility and confidence requires ensuring the security and integrity of this data.
2.1.6 Financial Assets:
The PSNI's financial assets are its financial resources. Although not very likely, risks associated with fraud or financial mismanagement can have a major effect. This covers
Physical security includes safeguarding PSNI property and tools. Dangers from theft, vandalism,
and illegal access can interfere with regular business operations and cause property damage.
Despite the generally low to moderate likelihood, there may be substantial effects.
In conclusion, the PSNI's asset-based risk register outlines the wide variety of assets, the risks connected with them, their possible consequences, and the chance that these risks will materialize. The PSNI can protect its vital information assets and preserve the integrity, privacy, and trust necessary for its goals by thoroughly evaluating these risks and putting in place the necessary
| Asset | Threats | Potential Impact | Likelihood |
| --- | --- | --- | --- |
| Criminal Case Data | Unauthorized access, data breaches | Compromised investigations, legal consequences | Moderate to high |
| Physical Security (Facilities and Equipment) | Unauthorized access, theft, vandalism | Disruption of operations, property damage | Low to moderate |
2.2 Risk Mitigation Strategies
Criminal Case Data: Strong data encryption and access restrictions will be put in place to reduce the possibility of unauthorized access and data breaches involving criminal case data. Lawful and secure management of the data depends on compliance with GDPR and data protection legislation. Security measures will also be evaluated regularly to find and counter new threats.
Police Officer Personal Data: Strict access controls, data encryption, and GDPR compliance
will all help to reduce the risk of unauthorized access and data breaches involving police officer
personal data. Staff members must complete mandatory data protection training to increase
Public Safety Information: To reduce the possibility of unauthorized access and data breaches
involving public safety information, strict access restrictions, data encryption, and adherence to
GDPR and data protection regulations will be implemented. Security will be improved by regular
Legal and Compliance Records: Encryption and access restrictions will be used to reduce the
possibility of unwanted access and data loss. Priority will be given to adhering to legal and
regulatory obligations, including GDPR, with frequent audits confirming compliance and data
integrity.
Body-Worn Camera Footage: Encryption and access controls will reduce the threat of unauthorized access and data breaches involving body-worn camera footage. Compliance with GDPR and data protection legislation will protect the privacy of the footage, and regular security audits will keep the security measures current.
Financial Resources: Regular financial risk analysis will be carried out to identify anomalies and stop fraud, reducing the risk of financial mismanagement. In addition to routine audits to guarantee financial compliance, internal controls will be implemented for
Physical Security (Facilities and Equipment): The use of security guards, access controls, and
surveillance systems will help reduce theft, damage, and unauthorized entry. There will be a
disaster recovery strategy in place to handle any possible harm, and vulnerabilities and
For every asset class, these risk mitigation strategies offer a clear approach to information
security and risk management while addressing the hazards that have been identified.
Contents
Secure Access and Document Management Policy
1. Policy Statement
2. Objective
3. Scope
4. Responsibilities
4.4 Users
10. Appendix
1. Policy Statement
The first and foremost objective of the PSNI is to maintain the confidentiality of all its sensitive information. To that end, this document offers strategies that will help the PSNI avoid any potential data breach. One objective of this document is to provide the PSNI with useful strategies that allow internal staff to access valuable information securely. The other objective is to protect documents and information from external threats. Since access to information cannot be eliminated altogether, giving the organization control over that access is a workable approach. Thus, the purpose of this document is to provide the PSNI with secure
2. Objective
This policy aims to give the PSNI a solid and well-defined framework for secure access to and efficient handling of documents. It addresses the constant information security threats that organizations encounter while maintaining strict adherence to the numerous legal, regulatory, and contractual obligations that govern our operations. Information asset management is critical in today's networked environment. The main goal of this policy document is to provide precise rules and operational protocols that protect data from threats and enable staff to handle these assets knowledgeably. By doing so, this document strengthens the defence against information breach threats and promotes a common sense
not just a formality. Through these guidelines, this document seeks to reassure all stakeholders that a robust and proactive plan is in place to safeguard the most valuable asset, information. This policy document is aligned with ISO 27002, demonstrating the
information management.
3. Scope
All employees, contractors, and other persons having access to PSNI information assets are subject to this policy. It covers all physical and digital records and documents kept by the PSNI. The scope is in line with ISO 27002, Section 5.1, which highlights the necessity of informing pertinent staff members and interested parties about policies in order to
4. Responsibilities
Roles must be clearly specified for this policy to be implemented and enforced successfully. Every role is essential to guarantee that information assets are safeguarded and that everyone adheres to the guidelines in ISO 27002, Section 5.1, "Policies
This crucial position is in charge of coordinating and monitoring adherence to this policy. The PSNI's information security environment is unified and robust thanks to the Information Security
The important responsibility of categorizing and protecting information assets falls to data owners. Data owners make sure that information is adequately classified according to its
classification aids in determining the degree of security required to preserve the data's
As highlighted in ISO 27002, Section 5.15 on "Access Control," system administrators are at the forefront of implementing access controls and monitoring access. They play a hands-on role in making sure that the right people have the right level of access to our information assets while
4.4 Users
Every PSNI member is essential to preserving the integrity of this policy. It is the responsibility
of users to follow access guidelines, comprehend data categorization, and handle documents
efficiently. User compliance is necessary to ensure that the goals of the policy are collectively
upheld. This is in line with ISO 27002, Section 5.1, which highlights the necessity of
communicating policies to pertinent staff members and interested parties in order for them to be
implemented effectively.
The PSNI should use Role-Based Access Control (RBAC) as the guiding principle for access permissions, in line with ISO 27002, Section 5.15 on "Access Control." Under this policy, access permissions are granted according to job roles and responsibilities. This ensures that employees are given access only to the degree required to carry out their tasks, in accordance with ISO 27002, Section 5.15.
27002, Section 5.15. Accordingly, the PSNI requires that all users accessing sensitive data use multi-factor authentication (MFA). By requiring users to present several forms of verification, such as a password and a one-time code, before being granted access, MFA improves security. This extra layer is essential to stop unauthorized access to sensitive data.
Keeping access records in accordance with ISO 27002, Section 5.15, is at the core of this access control policy. Our ability to maintain auditability and accountability depends heavily on these logs. Access logs are a vital technique for spotting anomalous usage and for identifying unauthorized access to an account or document. Thus, they help an organization to avoid any
In accordance with ISO 27002, Section 5.15, a fundamental component of this access control
strategy is the concept of least privilege. It requires that access be limited to what is minimally
required for employees to carry out their responsibilities. This procedure reduces the possibility
of unintentional data breaches and stops unwanted access to information systems. By ensuring
that employees only access information that is necessary for their jobs, the least privilege
concept helps to minimize the attack surface that could be exploited by hostile actors.
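The access control rules above (RBAC, least privilege, an MFA requirement for sensitive data, and access logging that surfaces anomalies) can be made concrete in a small deny-by-default evaluator. The following is an added example written for this page, not code from the PSNI policy; the role names, classification labels, document identifiers and the "repeated denials" threshold are assumptions chosen for illustration.

```python
"""Deny-by-default RBAC check with least privilege, an MFA gate for sensitive
classifications, and an access log with a simple anomaly check.

Added illustration only; the role names, classification labels and the
anomaly threshold are assumptions, not taken from the PSNI policy."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Assumed classification labels; anything in SENSITIVE requires a verified MFA session.
SENSITIVE = frozenset({"CONFIDENTIAL", "SECRET"})

# Role -> permitted (classification, action) pairs. Least privilege: a role gets
# only what its duties need, and anything not listed here is denied.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "records_clerk": frozenset({("ADMIN", "read"), ("ADMIN", "write")}),
    "investigator": frozenset({("ADMIN", "read"),
                               ("CONFIDENTIAL", "read"), ("CONFIDENTIAL", "write")}),
    "foi_officer": frozenset({("ADMIN", "read"), ("PUBLIC", "read"), ("PUBLIC", "release")}),
    # Operating the platform does not imply reading case material.
    "sysadmin": frozenset({("AUDIT", "read")}),
}


@dataclass(frozen=True)
class Session:
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool


@dataclass(frozen=True)
class LogEntry:
    user: str
    doc_id: str
    classification: str
    action: str
    decision: str  # "ALLOW" or "DENY"
    reason: str


@dataclass
class AccessController:
    log: List[LogEntry] = field(default_factory=list)

    def check(self, session: Session, doc_id: str, classification: str, action: str) -> bool:
        """Return True only if a role held by the session permits the action and
        the MFA requirement for sensitive data is met. Every decision, allowed
        or denied, is appended to the access log."""
        if classification in SENSITIVE and not session.mfa_verified:
            decision, reason = "DENY", "mfa_required"
        elif any((classification, action) in ROLE_PERMISSIONS.get(role, frozenset())
                 for role in session.roles):
            decision, reason = "ALLOW", "role_permission"
        else:
            decision, reason = "DENY", "no_matching_permission"
        self.log.append(LogEntry(session.user, doc_id, classification, action, decision, reason))
        return decision == "ALLOW"

    def repeated_denials(self, threshold: int = 3) -> Dict[str, int]:
        """Users with at least `threshold` denied requests: the kind of anomaly
        the access log exists to surface (threshold is an assumed tuning value)."""
        counts = Counter(e.user for e in self.log if e.decision == "DENY")
        return {user: n for user, n in counts.items() if n >= threshold}


def demo() -> AccessController:
    """Constructed sequence of requests exercising each rule."""
    ctl = AccessController()
    clerk = Session("clerk01", frozenset({"records_clerk"}), mfa_verified=True)
    det_no_mfa = Session("det07", frozenset({"investigator"}), mfa_verified=False)
    det = Session("det07", frozenset({"investigator"}), mfa_verified=True)
    foi = Session("foi02", frozenset({"foi_officer"}), mfa_verified=True)
    admin = Session("ops01", frozenset({"sysadmin"}), mfa_verified=True)

    ctl.check(clerk, "ADM-1", "ADMIN", "write")               # allowed: within role
    ctl.check(clerk, "CASE-9", "CONFIDENTIAL", "read")        # denied: not in role
    ctl.check(det_no_mfa, "CASE-9", "CONFIDENTIAL", "read")   # denied: MFA missing
    ctl.check(det, "CASE-9", "CONFIDENTIAL", "read")          # allowed
    ctl.check(foi, "CASE-9", "CONFIDENTIAL", "release")       # denied: FOI role cannot release case data
    ctl.check(admin, "CASE-9", "CONFIDENTIAL", "read")        # denied: admin role is not data access
    for doc in ("CASE-1", "CASE-2", "CASE-3"):                # probing pattern the log should reveal
        ctl.check(admin, doc, "CONFIDENTIAL", "read")
    return ctl


if __name__ == "__main__":
    controller = demo()
    for entry in controller.log:
        print(entry)
    print("repeated denials:", controller.repeated_denials())
```

Two design points matter here: the permission check is deny-by-default, so a role that is not listed for a (classification, action) pair gets nothing, and the MFA gate is evaluated before the role lookup, so an MFA failure is logged with its own reason rather than being indistinguishable from a missing permission. Denied requests are logged as carefully as allowed ones, because the repeated-denial pattern is what the log is meant to reveal.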
6. Document Management Policy
Efficient document management is a foundation of information security, and this policy seeks to make sure that digital and physical documents are managed carefully and in accordance with ISO
This document proposes encryption to protect the confidentiality of important digital information and documents. We preserve our digital assets by following the guidelines in ISO 27002, Section 8.12 on "Data Leakage Prevention." Sensitive data integrity and confidentiality are
This document recognizes the need to uphold precise policies and procedures for document retention. It proposes a method that conforms to ISO 27002, Section 5.1, "Policies for Information Security." These rules prescribe the safe and orderly destruction of records that are no longer required, guaranteeing that private data is not retained for longer than necessary. Appendix 10.1 contains specific instructions regarding
An exact audit trail of document access, modifications, and disposals is kept for compliance and accountability purposes. The audit trail helps in monitoring and investigating any suspicious activity concerning documents and provides transparency. This protocol adheres to
As stated in Appendix 10.2, Data Breach Reporting Procedure, DLP solutions must be used in
- Regular content scans are necessary to identify and restrict the delivery of sensitive material.
- An incident response plan needs to be developed and kept up to date in order to respond
- Employees must take part in mandatory training sessions to learn about the dangers of data leaks
- A confidential reporting channel must be set up so that staff members can report occurrences
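The content scan required above is the control that sits between a document being finished and it being sent out, for example as a response to an information request. What follows is an added example written for this page, not code from the PSNI policy or any DLP product: a scanner that looks for personal-data patterns and for lines shaped like personnel records, and returns ALLOW, REVIEW or BLOCK. The regular expressions, the row shape, the thresholds and the sample documents are all assumptions; the sample personnel rows are constructed and entirely fictional.

```python
"""Pre-release content scan for an outbound document: flags personal-data
patterns and counts rows that look like personnel records, then returns an
ALLOW / REVIEW / BLOCK decision.

Added illustration only. Patterns, row shape and thresholds are assumptions;
the sample documents are constructed and entirely fictional."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict

PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # UK mobile numbers; 07700 900xxx is the range reserved for fiction.
    "uk_mobile": re.compile(r"(?<!\d)(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}\b"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b"),
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
}

# A line shaped like "Surname, Initials, Rank, Location". One such row is a
# review item; a bulk list of them is blocked outright. The header row does
# not match because "Initials" is not one to three capitals.
PERSONNEL_ROW = re.compile(r"^[A-Z][A-Za-z'-]+,\s*[A-Z]{1,3},\s*[A-Za-z ]+,\s*[A-Za-z ]+$")


@dataclass(frozen=True)
class ScanResult:
    hits: Dict[str, int]   # pattern name -> number of matches
    personnel_rows: int
    decision: str          # "ALLOW", "REVIEW" or "BLOCK"


def scan_release(text: str, row_block: int = 10) -> ScanResult:
    """Scan the whole document line by line. row_block is an assumed threshold:
    at least that many personnel-shaped rows means a bulk list and a BLOCK."""
    hits: Counter = Counter()
    rows = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, pattern in PATTERNS.items():
            n = len(pattern.findall(line))
            if n:
                hits[name] += n
        if PERSONNEL_ROW.match(line):
            rows += 1
    if rows >= row_block:
        decision = "BLOCK"
    elif rows or hits:
        decision = "REVIEW"
    else:
        decision = "ALLOW"
    return ScanResult(dict(hits), rows, decision)


# Constructed sample documents (fictional reference, figures and names).
CLEAN_RESPONSE = """\
Freedom of Information response, reference FOI-2023-0042 (constructed)
Question: How many officers are employed at each rank?
Answer: Constable 4500, Sergeant 900, Inspector 300. Figures are illustrative.
"""

CONTACT_RESPONSE = CLEAN_RESPONSE + "Queries to the duty officer on 07700 900123.\n"

# The same answer with a personnel table left in the document below it.
LEAKY_RESPONSE = CLEAN_RESPONSE + "\nSurname, Initials, Rank, Location\n" + "\n".join([
    "Adams, J, Constable, Belfast", "Baker, R, Sergeant, Derry",
    "Clarke, M, Constable, Lisburn", "Doyle, S, Inspector, Newry",
    "Evans, T, Constable, Armagh", "Foster, L, Constable, Belfast",
    "Graham, P, Sergeant, Omagh", "Hughes, K, Constable, Enniskillen",
    "Irwin, D, Constable, Belfast", "Jones, A, Inspector, Derry",
    "Kelly, C, Constable, Coleraine", "Lynch, E, Sergeant, Belfast",
]) + "\n"


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_RESPONSE), ("contact", CONTACT_RESPONSE),
                       ("leaky", LEAKY_RESPONSE)):
        print(label, scan_release(doc))
```

The row-count rule is the part worth copying: a single matched pattern is a review item, but a run of identically shaped records is the signature of a bulk personnel list and is blocked without waiting for a human. A real deployment would apply the same scan to every sheet and attachment of a file, not only the body text, since a table can sit outside the part of the document the author looked at.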
- To guarantee adherence to data protection rules and regulations, a Data Protection Officer must be appointed.
- To make sure that the GDPR and other pertinent legislation are being followed, audits must be
- Procedures for handling requests for access, rectification, and erasure made by data subjects
- GDPR mandates that mandatory data breach reporting be done in accordance with the Data
This policy will be reviewed once a year or more frequently as needed to make sure it stays current and useful. Any changes must be promptly communicated, recorded, and put into effect. As it is in
Aïmeur, E., & Schőnfeld, D. (2011). The ultimate invasion of privacy: Identity theft. 2011 Ninth
Analytica, O. (2023). Data breach increases Northern Irish security risk. Emerald Expert Briefings (oxan-es).
BBC (2023). https://www.bbc.com/news/uk-northern-ireland-66578582
Boella, G., Humphreys, L., Martin, M., Rossi, P., Van Der Torre, L., & Violato, A. (2012).
Accounting and Engineering: ItAIS: The Italian Association for Information Systems,
Byrne, J., & Monaghan, L. (2008). Policing Loyalist and Republican Communities:
Understanding key issues for local communities and the PSNI. Institute for Conflict
Research Belfast.
De Hert, P., & Papakonstantinou, V. (2016). The new police and criminal justice data protection
directive: a first analysis. New journal of European criminal law, 7(1), 7-19.
Korn, M. S., & Veldman, E. (2008). Benefits of continuous risk management in (physical) asset
Sinclair, G. (2012). Exporting the UK police ‘brand’: The RUC-PSNI and the international