HMG Information Assurance Policy
- Security Policy Framework (SPF)
- The SPF replaces the Manual of Protective Security (MPS) and the Counter-Terrorist Protective Security Manual (CTPM). It sets out universal mandatory standards, as well as offering guidance on risk management and defining new compliance and assurance arrangements. The framework is largely in the public domain, unlike the MPS, which is entirely RESTRICTED. The SPF is broken down into four Tiers. Tiers 1-3 are in the public domain (NPM) and available from the Cabinet Office website. Tier 4 is RESTRICTED and is only held by authorised Government Departments, their agencies and CLAS consultants.
- Manual of Protective Security (MPS)
- The MPS was issued by the Cabinet Office Security Policy Division on the authority of the Official Committee on Security (SO). It provided guidance to assist Government Departments and Agencies and other organisations (that hold Government protectively marked information), through their Departmental Security Officer (DSO) or equivalent, to discharge their security responsibilities. It also provided the government guidance for the implementation of BS7799 controls for protectively marked material.
- Baseline Personnel Security Standard
- The Baseline Personnel Security Standard (BPSS, commonly referred to as a BS) (formerly known as Basic Check) allows routine and unrestricted access to material marked RESTRICTED and below with occasional, supervised, access to confidential material where required in the course of one's duties. A ‘BS’ confirms identity, immigration status, address and employment/education history.
- SEAP Catalogue of Security Equipment
- The SEAP Catalogue of Security Equipment is the Government's bible of physically tested physical security equipment. This ranges from document boxes and filing cabinets to fencing and hostile vehicle mitigation. The SEAP Catalogue is marked RESTRICTED and is only held by authorised Government Departments, their agencies and CLAS consultants.
- CESG Information Security Standards (IS) and Good Practice Guidance (GPG)
- CESG’s documentation is issued by the UK’s National Technical Authority on Information Assurance with the aim of informing intended recipients of the general security issues they should consider in their approach to information and communications technologies. GPGs are slowly superseding previously issued CESG Manuals, Memos and SENs. CESG documentation ranges from NOT PROTECTIVELY MARKED, but issued on a need-to-know basis, to UK CONFIDENTIAL and above.
Information Classification
The Government Protective Marking Scheme is one of a number of government measures aimed at protecting information across the public sector.
Protective marking ensures the appropriate management and safeguarding of information in its various forms and covers every stage a document will go through, including creation, storage, transmission and destruction.
It should be noted that not all government departments use the protective marking scheme; historically it developed out of Central Government, Intelligence and Defence requirements, but it has recently expanded rapidly to be used by, and useful to, all departments and agencies.
The Protective Marking Scheme has six markings. In increasing order of sensitivity, they are:
- NOT PROTECTIVELY MARKED
- PROTECT
- RESTRICTED
- CONFIDENTIAL
- SECRET
- TOP SECRET
Although most commonly applied to electronic or paper documents, these classifications can be used for any form of government information. Unmarked material is considered ‘unclassified’ and does not need to be labeled, although the term ‘NOT PROTECTIVELY MARKED’ may be used.
It should be noted that RESTRICTED, CONFIDENTIAL, SECRET and TOP SECRET are National Security markings and are therefore covered by the Official Secrets Act.
Who Protectively Marks Information?
The information owner or originator is responsible for applying the correct protective marking. The right level of protective marking is determined by assessing the adverse impact or damage that would occur if the information was lost, stolen or disclosed.
To help assess impact the following descriptors can be used:
PROTECT information is data that can generally be shared with colleagues. It can:
- cause distress to individuals
- breach proper undertakings to maintain the confidence of third party information
- breach statutory restrictions on information disclosure
- cause financial loss or loss of earning potential, or facilitate improper gain or unfair advantage for individuals or companies
- prejudice the investigation of or aid crime
- disadvantage government in commercial or policy negotiations with others.
RESTRICTED information is data that should only be shared with colleagues on a ‘need to know’ basis. It can:
- cause substantial distress to individuals
- cause financial loss, loss of earning potential or aid improper gain or advantage for individuals or companies
- prejudice the investigation of or aid crime
- breach proper undertakings to maintain the confidence of third party information
- impede the effective development or operation of government policies
- breach statutory restrictions on information disclosure
- disadvantage government in commercial or policy negotiations with others
- undermine the proper management of the public sector and its operations.
CONFIDENTIAL information is data that should not be shared with anyone without permission from the author or owner. It can:
- prejudice individual security or liberty
- work substantially against national finances or economic and commercial interests
- substantially undermine the financial viability of major organisations
- impede the investigation of or aid serious crime
- seriously impede the development or operation of major government policies
- shut down or substantially disrupt significant national operations.
SECRET information is highly sensitive material that can:
- raise international tension
- directly threaten life, seriously prejudice public order, or individual security or liberty
- cause serious damage to the operational effectiveness or security of UK or allied forces, or the continued effectiveness of highly valuable security or intelligence operations
- cause substantial material damage to national finances or economic and commercial interests.
TOP SECRET information is highly sensitive material that can:
- directly threaten the internal stability of the UK or friendly countries
- lead directly to widespread loss of life
- cause exceptionally grave damage to the effectiveness or security of UK or allied forces, the continued effectiveness of extremely valuable security or intelligence operations, or grave damage to relations with friendly governments
- cause severe long-term damage to the UK economy.
Information Assurance
HMG Accreditation of IT Systems