This is the first of seven Security Policies within the HMG Security Policy Framework (SPF); outlining the mandatory security requirements and management arrangements to which all Departments and Agencies (defined as including all bodies directly responsible to them) must adhere. This policy deals with:
Governance arrangements for security rely on the partnership between the centre of Government, Departments and Agencies, their delivery partners, individuals working in the security community, and ultimately all staff employed on behalf of HMG. The role of Cabinet Office at the centre of Government is to provide leadership and co-ordination of shared risks (such as asset control and vetting) by setting policy and overseeing regulation. Departments are responsible for the protection and utilisation of their assets – information, personnel and physical – as appropriate to their business needs and circumstance. Departments are best placed to assess the risks they face, and must develop their own security policies in line with this framework. It is for the Centre to set minimum measures, providing an agreed level of protection and assurance across Government.
The Security Policy Framework (SPF) outlines mandatory security policy requirements that all Departments and Agencies must meet. This framework should also be extended, where necessary, to any organisations working on behalf of, or handling HMG assets, such as Non-Departmental Public Bodies (NDPBs), contractors, Emergency Services, devolved administrations, Local Authorities or any regular suppliers of goods and / or services. In areas where statutory security requirements apply (e.g. air safety, nuclear security) this framework must be applied in line with those requirements. Departmental Security Officers (DSOs) (in consultation with the Senior Information Risk Owner (SIRO) as necessary) will need to determine where and what level of compliance is required of their delivery partners, and where equivalent security policies are acceptable. This policy is supplemented by detailed advice and guidance which the DSO can distribute on a ‘need to know’ basis.
Departments and Agencies must ensure that all staff understand the relevant requirements and responsibilities placed upon them by the Security Policy Framework and that they are properly equipped to meet the mandatory security policies (green boxes) as set out in this framework.
Where Departments, Agencies and their contractors are subject to statutory security requirements, such requirements shall take precedence. The requirements set by security regulators and actions carried out by them will be consistent with this framework.
Departments must ensure that their Agencies and main delivery partners are compliant with this framework, and must consider the extent to which those providing other goods and / or services to them, or carrying out functions on their behalf, are required to comply.
The Official Committee on Security (SO) is responsible for formulating security policy and coordinating its application across government. SO is also the National Security Authority for dealing with international organisations such as NATO and the EU. Cabinet Office Security Policy Division (COSPD) provides the secretariat for SO and is responsible for developing and communicating this framework, ensuring compliance with the minimum requirements, supporting Departments and preparing an annual report to SO on the state of security across Government. COSPD works closely with the security and intelligence community in developing and reviewing security policy.
Whilst security is a collective responsibility for all staff and contractors, ultimate responsibility for security rests with Ministers, Permanent Secretaries, and/or other Accounting Officers and their respective Management Boards which must include a Senior Information Risk Owner (SIRO). Cabinet Office will write to newly appointed Heads of Department setting out their responsibilities with regard to security – the Head of Department/Permanent Secretary is ultimately accountable for security within their Department. The Prime Minister and the Cabinet Secretary have ultimate responsibility for ensuring overall coherence of security across Government, and that security objectives are met.
Departments must have a stated Board level representative responsible for security (e.g. Head of Department/Permanent Secretary). Departments must identify clearly where security responsibilities lie, including the relationship between the Department's main Board and the Boards of their Agencies or other bodies.
Departments and Agencies must have a designated Departmental Security Officer (DSO), with day-to-day responsibilities for all aspects of Protective Security (including physical, personnel and information security).
In addition to the mandatory roles above, and those outlined within Security Policy No. 4 – Information Security and Assurance (see MR 35), organisations need to consider appropriate roles within their security/business machinery. For example, larger bodies may consider appointing Deputies and / or creating other specific security roles (e.g. Personnel Security Officer), whilst smaller bodies may combine roles. Agencies may wish to consider their parent departmental DSO as their designated DSO. The Head of Department/Permanent Secretary has overall responsibility for security and it is for them to determine appropriate security structures within their organisation and any Agencies for which they are responsible.
Departments need to
Departments should see this as a continuous cycle of assessing and re-evaluating risk. Departments should use the HM Treasury Orange Book on Risk Management for a broad approach to principles and concepts; however, within the disciplines of Information Assurance and Counter-Terrorism Protective Security there are detailed methods of risk assessment that must be adopted (see Security Policy No. 4 – Information Security and Assurance and Security Policy No. 6 – Counter Terrorism for these areas).
Departments and Agencies must adopt a risk management approach (including a detailed risk register) to cover all areas of protective security across their organisation.
Self-assessment, central reporting, audit and review must combine to provide a robust level of assurance across Government, as well as assisting the centre in developing and refining policy.
Departments and Agencies must:
a) Make their departmental security policy widely available internally and reference this in overall business plans.
b) Have a system of assurance of compliance with security policy, and produce an annual report to their Head of Department / Management Board on the state of all aspects of protective security.
Departments should include details of any agencies or other bodies that report to them directly in the annual report to their Head of Department.
Departments must submit an annual security return to the Cabinet Office Security Policy Division, covering their Agencies and main delivery partners, and must include:
Departments will be responsible for carrying out internal reviews of security arrangements as they judge to be necessary. The Cabinet Office, in consultation with Departments and the Official Committee on Security (SO), will review compliance as appropriate on the basis of the minimum mandatory requirements (green boxes) and annual security returns.
Departments and Agencies must comply with oversight arrangements including external audit/compliance arrangements as set out by Cabinet Office.
Fostering a professional culture and developing a positive attitude toward security is critical to the successful delivery of this framework. Security must be seen as an integral part of, and a key enabler to, effective departmental business. Cabinet Office, in conjunction with professional bodies such as the Centre for the Protection of National Infrastructure (CPNI) and CESG, the National Technical Authority for Information Assurance, maintains a programme of familiarisation, training and refresher courses appropriate for security personnel, including an induction visit to all new DSOs. Departments and Agencies must ensure that regular refresher training, awareness programmes and security briefings are provided to all staff. These should cover individual security responsibilities, as defined by the Civil Service Code, including the reporting of security incidents and criminal behaviour and / or any knowledge of leaking. In addition to line management reporting, all staff must also have recourse to consult with, or report anonymously to, a welfare officer or independent arbiter.
Departments and Agencies must ensure that:
HMG is party to a range of multilateral and bilateral international agreements governing the use, handling and protection of classified material. Departments and Agencies engaged in sensitive work with international organisations, or those that handle protectively marked information on their behalf, must ensure that their internal procedures are compliant with the relevant international obligation. Detailed requirements may vary across organisations (e.g. NATO, EU etc.).
Departments and Agencies must ensure that they adhere to any UK obligations in multilateral or bilateral international agreements.