Cyber and Technical Security Guidance

Summary

This site lists the Ministry of Justice (MoJ) Information Security policies. It contains important guidance on how to keep MoJ information safe and secure.

Policies shown here are listed for technical users and non-technical users (referred to as all users).

Technical users include:

• Technical architects
• DevOps specialists
• IT service managers
• Software developers

The MoJ Technical Guidance covers technical decisions in the MoJ more widely.

Note: This guidance is dated: 19 May 2023.

Change log

A ‘change log’ is available. It details the most recent changes to this information.

The changes are also available as RSS or Atom feeds.

Popular links

Popular links for all users:

• Accessing MoJ IT systems from overseas
• General app guidance
• Government classification scheme
• Remote Working

Offline content

This guidance is available in PDF and EPUB formats.

All users. Contains general guidance with some technical information:

• PDF
• EPUB

Technical users. Contains detailed technical information, together with all user content:

• PDF
• EPUB

The offline versions of this guidance are time-limited, and are not valid after 19 June 2023.

Security culture

In addition to the obvious security resources such as policies, controls, and software and hardware tools, all organisations need employees, suppliers and other colleagues to behave in a way that helps ensure good security at all times. A simple example is where someone will act in a way that maintains good security, even if they don’t know exactly what the formal process is. The extent to which an organisation has good security in indicated by its security culture.

Security culture refers to the set of values, shared by everyone in an organisation, that determines how people are expected to think about and approach security. Getting security culture right helps develop a security conscious workforce, and promotes the desired security behaviours expected from everyone working in or for the organisation.

The MoJ is creating a portfolio of security culture resources to help supplement the formal policy and guidance material. Initial security culture material is available for preview.

Information structure

MoJ policy documents are listed beneath the following headings:

• Information security policies
• Mobile devices and teleworking
• Human resource security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• System acquisition, development and maintenance
• Supplier relationships
• Information security incident management
• Information security aspects of business continuity management
• Compliance
• Risk Assessment

The documents have been developed and defined within this taxonomy, and are listed in the next section, together with their suggested target audiences.

Information security policies

Management direction for information security

These are the policies for all users:

• Avoiding too much security
• IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER
• IT Security All Users Policy
• IT Security Policy (Overview)
• Line Manager approval

These are the policies for technical users:

• IT Security Technical Users Policy
• Shared Responsibility Models
• Technical Controls Policy

Mobile devices and teleworking

Mobile device policy

These policies are for all users:

• Mobile Device and Remote Working Policy
• Remote Working

Teleworking

These policies are for all users:

• Accessing MoJ IT systems from overseas
• General advice on taking equipment overseas
• Personal Devices

Human resource security

During employment

This policy is for all users:

• Training and Education

Termination and change of employment

This policy is for all users:

• End or change of employment

Asset management

Responsibility for assets

These policies are for all users:

• Acceptable use
• Acceptable use policy
• Guidance on IT Accounts and Assets for Long Term Leave
• Protect Yourself Online
• Web browsing security

Information classification

These policies are for all users:

• Government Classification Scheme
• Information Classification and Handling Guide
• Information Classification and Handling Policy

These policies are for technical users:

• Data Handling and Information Sharing Guide
• Secrets management

Media handling

These policies are for all users:

• Removable media
• Secure disposal of IT equipment
• Secure disposal of IT - physical and on-premise
• Working securely with paper documents and files

This policy is for technical users:

• Secure disposal of IT - public and private cloud

Access control

Business requirements of access control

These policies are for technical users:

• Access Control Guide
• Access Control Policy
• Enterprise Access Control Policy
• Privileged Account Management Guide

User access management

These policies are for technical users:

• Authentication
• Management access
• Managing User Access Guide
• Multi-Factor Authentication
• Privileged User Backups, Removable Media and Incident Management Guide
• Privileged User Configuration, Patching and Change Management Guide
• Privileged User Guide
• Privileged User Logging and Protective Monitoring Guide

User responsibilities

This policy is for all users:

• Protecting Social Media Accounts

System and application access control

These policies are for all users:

• Password Managers
• Passwords
• Using 1Password

These policies are for technical users:

• Account management
• Authorisation
• Multi-user accounts and Public-Facing Service Accounts Guide
• Password Creation and Authentication Guide
• Password Management Guide
• Password Storage and Management Guide
• Policies for Google Apps administrators
• Policies for MacBook Administrators
• System User and Application Administrators

Cryptography

Cryptographic controls

These policies are for technical users:

• Automated certificate renewal
• Cryptography
• HMG Cryptography Business Continuity Management Standard
• Public Key Infrastructure Policy
• Use of HMG Cryptography Policy

Physical and environmental security

Equipment

These policies are for all users:

• Clear Screen and Desk Policy
• Equipment Reassignment Guide
• Laptops
• Locking and shutdown
• Policies for MacBook Users

This policy is for technical users:

• System Lockdown and Hardening Standard

Operations security

Operational procedures and responsibilities

These policies are for technical users:

• Active Cyber Defence: Mail Check
• Active Cyber Defence: Public Sector DNS
• Active Cyber Defence: Web Check
• Offshoring Guide

Protection from malware

This policy is for all users:

• Ransomware

These policies are for technical users:

• Malware Protection Guide (Overview)
• Malware Protection Guide: Defensive Layer 1
• Malware Protection Guide: Defensive Layer 2
• Malware Protection Guide: Defensive Layer 3

Backup

These policies are for technical users:

• System backup guidance
• System backup policy
• System backup standard

Logging and monitoring

These policies are for technical users:

• Accounting
• Commercial off-the-shelf applications
• Custom Applications
• Logging and monitoring
• Online identifiers in security logging and monitoring
• Protective Monitoring
• Security Log Collection
• Security Log Collection: Enterprise IT - Infrastructure
• Security Log Collection: Enterprise IT - Mobile Devices
• Security Log Collection: Hosting Platforms
• Security Log Collection: Log entry metadata
• Security Log Collection: Maturity Tiers

Control of operational software

This policy is for all users:

• Guidance for using Open Internet Tools

Technical vulnerability management

These policies are for technical users:

• Patch management guide
• Vulnerability Disclosure
• Vulnerability Disclosure: Implementing security.txt
• Vulnerability scanning and patch management guide
• Vulnerability scanning guide

Communications security

Network security management

These policies are for technical users:

• Code of Connection Standard
• Defensive domain registrations
• Domain names and Domain Name System (DNS) security policy
• Internet v. PSN
• IP DNS Diagram Handling
• Multiple Back-to-back Consecutive Firewalls
• Networks are just bearers

Information transfer

These policies are for all users:

• Bluetooth
• Email
• General Apps Guidance
• Phishing Guide
• Protecting WhatsApp accounts
• Secure Data Transfer Guide
• Sending information securely
• Web browsing security policy profiles
• Wifi security policy

These policies are for technical users:

• Criminal Justice Secure Mail (CJSM)
• Data Sovereignty
• Email Authentication Guide
• Email Blocklist Policy
• Email Blocklist Process
• Email Security Guide
• Secure Email Transfer Guide
• Spam and Phishing Guide

System acquisition, development and maintenance

Security requirements of information systems

These policies are for technical users:

• Technical Security Controls Guide
• Technical Security Controls Guide: Defensive Layer 1
• Technical Security Controls Guide: Defensive Layer 2

Security in development and support processes

These policies are for technical users:

• Maintained by Default
• Secure by Default
• Service Owners Responsibilities
• Source Code Publishing
• System Test Standard

Test data

This policy is for technical users:

• Using Live Data for Testing purposes

Supplier relationships

Information security in supplier relationships

These policies are for technical users:

• Suppliers to MoJ: Assessing Suppliers
• Suppliers to MoJ: Contracts
• Suppliers to MoJ: Security Aspect Letters
• Suppliers to MoJ: Supplier Corporate IT

Supplier service delivery management

These policies are for technical users:

• Azure Account Baseline Templates
• Baseline for Amazon Web Services accounts
• Baseline for Azure Subscriptions

Information security incident management

Management of information security incidents and lost devices

These policies are for all users:

• Lost devices or other IT security incidents
• Reporting an incident

These policies are for technical users:

• Forensic Principles
• Forensic Readiness Guide
• Forensic Readiness Policy
• Incident Management Plan and Process Guide
• Lost devices or other IT security incidents

Information security aspects of business continuity management

Information security continuity

These policies are for technical users:

• IT Disaster Recovery Plan and Process Guide
• IT Disaster Recovery Policy

Compliance

Compliance with legal and contractual requirements

This policy is for all users:

• Data Security and Privacy

These policies are for technical users:

• Data Destruction
• Data Destruction: Contract Clauses - Definitions
• Data Destruction: Contract Clauses - Long Format
• Data Destruction: Contract Clauses - Long Format (Appendix)
• Data Destruction: Contract Clauses - Short Format
• Data Destruction: Instruction and Confirmation Letter
• Data Security & Privacy Lifecycle Expectations
• Data Security & Privacy Triage Standards

Information security reviews

This policy is for technical users:

• Standards Assurance Tables

Risk Assessment

Risk Management

These policies are for technical users:

• Infrastructure and system accreditation
• IT Health Checks
• IT Health Check - Test cancellations and delays

Risk Assessment Process

This policy is for all users:

• Risk reviews

Other Guidance

The Government Functional Standard - GovS 007: Security provides the base material for all security guidance in the MoJ.

Glossary

A glossary of some terms used in this guidance is available here.

Acronyms

A more extensive list of acronyms is available here.

Technical Guidance

The MoJ Technical Guidance should be read together with this security-focused guidance.

Feedback

If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: itpolicycontent@digital.justice.gov.uk.