This is the sixth of seven Security Policies within the HMG Security Policy Framework (SPF), outlining the mandatory security requirements and management arrangements to which all Departments and Agencies (defined as including all bodies directly responsible to them) must adhere. This policy deals with:
Departments and Agencies are responsible for managing their assets – people, infrastructure and information. This includes reducing risk from terrorist attack to as low a level as is reasonably practicable. Here it is important to recognise that the visible level of security is a factor in terrorist targeting. Departments have legal obligations to protect employees and visitors. Departments must be resilient in the face of an attack and have in place physical security measures, proportionate to the threat and the assets to be protected, and also contingency arrangements to facilitate the quick resumption of vital services (including contracted services). HMG is perceived by many terrorist groups as an attractive and ‘legitimate’ target; it is therefore of critical importance that Departments meet the obligations outlined in this framework.
CONTEST is the Government's long-term strategy for reducing the risk to the UK and its overseas interests from international terrorism. The strategy was published in July 2006 and more details can be found at: Counter-terrorism strategy.
Departments must employ a risk management approach to Counter-Terrorism (CT) protective security, although it is recognised that for certain areas (for example the protection of nuclear weapons and nuclear materials) CT security policy will be intentionally more prescriptive. It should be noted that CT measures are likely to complement other security measures and therefore should be considered in conjunction with general protective security risk management (please see Security Policy No. 5 – Physical Security and Security Policy No. 7 – Business Continuity). However, there are some very specific baseline CT measures that all Departments must take and these are outlined in this policy.
All Departments should be considered a potential target for terrorist attack or hostile interest. Government establishments fall into three risk categories according to the likelihood of being a target of a terrorist attack. These risk categories are HIGH, MODERATE and LOW.
MANDATORY REQUIREMENT 64
All Government establishments must be categorised according to the likelihood of being, or in close proximity to, a potential terrorist target.
Threat Levels are designed to give a broad indication of the likelihood of a terrorist attack. The Threat Levels are LOW, MODERATE, SUBSTANTIAL, SEVERE and CRITICAL. The five levels reflect an assessment of probability of attack based on an analysis of terrorists' intentions, targeting priorities, capabilities and any evidence of current planning and timescales. Information on the national Threat Level is available on the Security Service website.
If an establishment is identified as being at immediate threat, the police and security authorities will inform the Department and may take control of the scene. This can be either pre- or post-incident depending on circumstances and may require careful handling to avoid compromising intelligence. In order to ensure Departments have current information on the terrorist threat, the Centre for the Protection of the National Infrastructure (CPNI) and Cabinet Office Security Policy Division (COSPD) produce regular threat updates, some of which can only be seen on a ‘need to know’ basis.
The Cabinet Office operates a system of response giving Departments a broad indication of the level of protective security readiness required at any one time. The Response Level is informed by the level of threat as well as specific assessments of vulnerability and risk to HMG, but Response Levels tend to relate to sites, whereas Threat Levels usually relate to broad areas of activity. The three Response Levels are: NORMAL, HEIGHTENED and EXCEPTIONAL. Precise measures adopted for each individual site and at each Response Level are the responsibility of Departmental Security Officers (DSOs) in consultation with CPNI and specialist Counter-Terrorist Security Advisers, and must form part of CT planning. Measures are likely to include restricting access, increasing patrols and frequency of bag searching; however, a more detailed description of incremental security measures is set out in the supplementary material within the framework.
MANDATORY REQUIREMENT 65
Department Security Officers must ensure that the Department and its Agencies have baseline Counter-Terrorist physical security measures and Counter-Terrorist incremental security measures in place at each Response Level. Further, at each Response Level, DSOs must ensure that the identified Counter-Terrorist incremental security measures are applied. Departments must be ready to impose or remove those measures with immediate effect when there is a change in Response Level and ensure that all staff are made clearly aware of the current Response Level and what Counter-Terrorist physical security measures must be adopted.
Departments are best placed to assess the risks they face, and must develop their own security policies in an integrated manner; this must include a CT policy and plans. These should be produced in accordance with national security authorities' advice, and in consultation with local emergency services, and should form part of business continuity plans.
MANDATORY REQUIREMENT 66
Departments and Agencies must, as part of their overall protective security policy, have a Counter-Terrorist protective security policy in place. This must seek to deter and minimise impact of an attack or hostile interest, and must include:
MANDATORY REQUIREMENT 67
Departments and Agencies must have a Counter-Terrorist protective security plan in place. This must seek to deter or minimise impact of an attack or hostile interest and must include:
This framework provides detailed policy and guidance on all aspects of protective security and DSOs must refer to these when developing CT policies and plans, but in broad terms they need to ensure:
That establishments (both new construction and existing), including non-government establishments which sustain HMG business, such as data centres, are suitably robust and offer an appropriate degree of protection against attack and hostile interest. Considerations may include protected spaces, glazing, stand-off, barriers, CCTV, public areas, internal communications, signage, Perimeter Intrusion Detection systems (PIDs), access points and control, building services (e.g. ventilation inlets) and parking areas.
There is adequate protection for all staff, as well as personal protection arrangements required for high-threat personnel such as Ministers and VIPs. National Security Vetting is a core element of ensuring trusted individuals are employed in sensitive posts. The Counter-Terrorist Check (CTC) plays an important part in CT vetting measures but other aspects of personnel security must be considered equally important, such as the Baseline Personnel Security Standard (BPSS) and ongoing personnel security management.
That all ICT systems, as part of the formal ICT accreditation process, consider and mitigate potential physical and electronic terrorist attack, and that CT plans include the need to protect electronic and paper based information from unauthorised access, compromise or destruction.
MANDATORY REQUIREMENT 68
The annual security report made by DSOs to their Head of Department must explicitly provide a statement of assurance on Counter-Terrorist protective security, including compliance with additional measures implemented after any increase in the Government Response Level.
Testing and exercises are essential elements in providing assurance – they ensure that staff are well versed in procedure, that equipment and communications are functioning and adequate and that arrangements with external bodies (e.g. emergency services, contractors, suppliers) are effective. They also provide an opportunity to identify and address problem areas. The testing of CT arrangements should form an important part of testing overall Business Continuity and emergency response plans.
MANDATORY REQUIREMENT 69
As part of Business Continuity and emergency response plans, Departments and Agencies must test their Counter-Terrorist protective security plans regularly, minimum requirements being:
Tests must be reported in the annual report to Heads of Department, demonstrating that plans are effective and potential problems are identified and remedied.