Cyber and Technical Security Guidance
Summary
This site documents some of the security decisions that the Ministry of Justice (MoJ) has made for the products we operate, and our relationships with suppliers.
The MoJ Technical Guidance covers technical decisions in the MoJ more widely.
Note: This guidance is dated: 22 January 2023.
Popular links
Popular links for all users:
Change log
A ‘change log’ is available. It details the most recent changes to this information.
The changes are also available as RSS or Atom feeds.
Offline content
For convenience, offline versions of this guidance are available.
Audience |
PDF format |
EPUB format |
All users. Does not include lots of technical detail. |
PDF |
EPUB |
Group Security. Contains Group Security policy and guidance. |
PDF |
EPUB |
Technical users. Includes lots of technical detail. This document contains all content, including for ‘All users’ and from Group Security. Download this document if you want the complete set of published MoJ security policy and guidance. |
PDF |
EPUB |
The offline versions of this guidance are time-limited, and are not valid after 22 February 2023.
Security culture
In addition to the obvious security resources such as policies, controls, and software and hardware tools, all organisations need employees, suppliers and other colleagues to behave in a way that helps ensure good security at all times. A simple example is where someone will act in a way that maintains good security, even if they don’t know exactly what the formal process is. The extent to which an organisation has good security in indicated by its security culture.
Security culture refers to the set of values, shared by everyone in an organisation, that determines how people are expected to think about and approach security. Getting security culture right helps develop a security conscious workforce, and promotes the desired security behaviours expected from everyone working in or for the organisation.
The MoJ is creating a portfolio of security culture resources to help supplement the formal policy and guidance material. Initial security culture material is available for preview here.
Getting in touch
Background
Government Functional Standard - GovS 007: Security replaces the HMG Security Policy Framework (SPF). The policies which sit within that framework remain in effect, but are now in support of this standard.

Sections 6.3 Cyber security and 6.4 Technical security of the standard state:
-
The purpose of cyber security is to ensure the security of data and information. To operate effectively, the UK government needs to maintain the confidentiality, integrity and availability of its information, systems and infrastructure, and the services it provides.
-
The purpose of technical security measures is to holistically protect sensitive information and technology from close access acquisition or exploitation by hostile actors, as well as any other form of technical manipulation. Technical security also relates to the protection of security systems from compromise and/or external interference.
The MoJ has developed our cyber and technical security taxonomy as follows:
The documents have been developed and defined within this taxonomy, and are listed in the next section, together with their suggested target audiences.
Avoiding too much security |
All users |
IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER |
All users |
IT Security All Users Policy |
All users (Policy) |
IT Security Policy (Overview) |
All users (Policy) |
IT Security Technical Users Policy |
Technical Architect, DevOps, IT Service Manager, Software Developer (Policy) |
Line Manager approval |
All users |
Shared Responsibility Models |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Technical Controls Policy |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Mobile devices and teleworking
Mobile device policy
Teleworking
Human resource security
Prior to employment
During employment
Termination and change of employment
Asset management
Responsibility for assets
Access control
Business requirements of access control
Access Control Guide |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Access Control Policy |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Enterprise Access Control Policy |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Privileged Account Management Guide |
Technical Architect, DevOps, IT Service Manager, Software Developer |
User access management
Authentication |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Management access |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Managing User Access Guide |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Multi-Factor Authentication |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Privileged User Backups, Removable Media and Incident Management Guide |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Privileged User Configuration, Patching and Change Management Guide |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Privileged User Guide |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Privileged User Logging and Protective Monitoring Guide |
Technical Architect, DevOps, IT Service Manager, Software Developer |
User responsibilities
System and application access control
Account management |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Authorisation |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Multi-user accounts and Public-Facing Service Accounts Guide |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Password Creation and Authentication Guide |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Password Management Guide |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Password Managers |
All users |
Passwords |
All users |
Password Storage and Management Guide |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Policies for Google Apps administrators |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Policies for MacBook Administrators |
Technical Architect, DevOps, IT Service Manager, Software Developer |
System User and Application Administrators |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Using LastPass Enterprise |
All users |
Cryptography
Cryptographic controls
Automated certificate renewal |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Cryptography |
Technical Architect, DevOps, IT Service Manager, Software Developer |
HMG Cryptography Business Continuity Management Standard |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Public Key Infrastructure Policy |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Use of HMG Cryptography Policy |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Physical and environmental security
Secure areas
Equipment
Operations security
Operational procedures and responsibilities
Active Cyber Defence: Mail Check |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Active Cyber Defence: Public Sector DNS |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Active Cyber Defence: Web Check |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Offshoring Guide |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Protection from malware
Malware Protection Guide (Overview) |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Malware Protection Guide: Defensive Layer 1 |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Malware Protection Guide: Defensive Layer 2 |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Malware Protection Guide: Defensive Layer 3 |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Ransomware |
All users |
Backup
Logging and monitoring
Accounting |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Commercial off-the-shelf applications |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Custom Applications |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Logging and monitoring |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Online identifiers in security logging and monitoring |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Protective Monitoring |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Security Log Collection |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Security Log Collection: Enterprise IT - Infrastructure |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Security Log Collection: Enterprise IT - Mobile Devices |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Security Log Collection: Hosting Platforms |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Security Log Collection: Log entry metadata |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Security Log Collection: Maturity Tiers |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Control of operational software
Technical vulnerability management
Patch management guide |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Vulnerability Disclosure |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Vulnerability Disclosure: Implementing security.txt |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Vulnerability scanning and patch management guide |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Vulnerability scanning guide |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Communications security
Network security management
Code of Connection Standard |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Defensive domain registrations |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Domain names and Domain Name System (DNS) security policy |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Internet v. PSN |
Technical Architect, DevOps, IT Service Manager, Software Developer |
IP DNS Diagram Handling |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Multiple Back-to-back Consecutive Firewalls |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Networks are just bearers |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Bluetooth |
All users |
Criminal Justice Secure Mail (CJSM) |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Data Sovereignty |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Email |
All users |
Email Authentication Guide |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Email Blocklist Policy |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Email Blocklist Process |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Email Security Guide |
Technical Architect, DevOps, IT Service Manager, Software Developer |
General Apps Guidance |
All users |
Phishing Guide |
All users |
Protecting WhatsApp accounts |
All users |
Secure Data Transfer Guide |
All users |
Secure Email Transfer Guide |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Sending information securely |
All users |
Spam and Phishing Guide |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Web browsing security policy profiles |
All users (Policy) |
Wifi security policy |
All users (Policy) |
System acquisition, development and maintenance
Security in development and support processes
Maintained by Default |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Secure by Default |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Source Code Publishing |
Technical Architect, DevOps, IT Service Manager, Software Developer |
System Test Standard |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Test data
Supplier relationships
Suppliers to MoJ: Assessing Suppliers |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Suppliers to MoJ: Contracts |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Suppliers to MoJ: Security Aspect Letters |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Suppliers to MoJ: Supplier Corporate IT |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Supplier service delivery management
Forensic Principles |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Forensic Readiness Guide |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Forensic Readiness Policy |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Incident Management Plan and Process Guide |
Technical Architect, DevOps, IT Service Manager, Software Developer |
IT Incident Management Policy |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Lost devices or other IT security incidents |
All users |
Reporting an incident |
All users |
Compliance
Compliance with legal and contractual requirements
Data Destruction |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Data Destruction: Contract Clauses - Definitions |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Data Destruction: Contract Clauses - Long Format |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Data Destruction: Contract Clauses - Long Format (Appendix) |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Data Destruction: Contract Clauses - Short Format |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Data Destruction: Instruction and Confirmation Letter |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Data Security and Privacy |
All users |
Data Security & Privacy Lifecycle Expectations |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Data Security & Privacy Triage Standards |
Technical Architect, DevOps, IT Service Manager, Software Developer |
Risk Assessment
Risk Management
Risk Assessment Process
Other Guidance
The Government Functional Standard - GovS 007: Security provides the base material for all security guidance in the MoJ.
Glossary
A glossary of some terms used in this guidance is available here.
Acronyms
A more extensive list of acronyms is available here.
Technical Guidance
The MoJ Technical Guidance should be read together with this security-focused guidance.
Feedback
If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: itpolicycontent@digital.justice.gov.uk.