DFID Information Security Policy for Contractors/Consultants
This document specifies the requirements that must be met by contractors in the handling, management, storage and processing of information belonging to DFID or its partners.
Data Handling
Any data transferred to the contractor must be stored securely in a protected environment, with limited and controlled access appropriate to its classification. RESTRICTED data may only be stored using a CAPS-approved encryption product. Data must not be stored on removable devices, including laptops, without the express written permission of the data owner, and only where the relevant security controls have been applied (e.g. password protection, encryption). Only those devices currently certified by the Information Systems Department will be permitted. Data must not be transferred between DFID and any other organisation or body (or vice versa) without first being logged by the data owner and the relevant security applied in accordance with the data classification (e.g. encryption). Live data may only be used for test purposes where obfuscation is employed to hide personal details and by agreement with the data owner. After use it must be deleted in such a way that it cannot be retrieved.
Access Control
Access to DFID systems, hardware, software, applications and communications will be by express permission of the data owner and the Information Systems Department. Contractors must not attempt to enter, unescorted, any DFID area that houses computer processing or communications equipment. This applies to data centres, patch rooms, switch rooms and any other rooms housing IT processing equipment.
Acceptable Use
All contractors working in a DFID environment and accessing DFID systems will abide by the policies set out in the Department’s Security Manual. DFID is certified to the Information Security Standard ISO27001. Contractors must adhere to this standard. Failure to comply with any of the above policies will be considered a security breach.
Security Clearance to Work in a DFID Building or Access Classified Information
Any contractor required to receive classified information and/or work in a DFID building must either hold or be prepared to apply for a Baseline Standard clearance. This entails identity, nationality and criminal record checks. Baseline Standard clearances obtained through other government departments may be accepted by DFID. If access is required to classified information at Secret and above then additional national security vetting checks will be required.
Business Recovery Plans
A contractor holding DFID data must have in place processes to ensure that critical DFID information held by them can be promptly and efficiently recovered following an emergency.
Deputy Head of Security (IT)
Security Section