Ministry of Justice
Cyber and Technical Security Guidance
Summary
This site lists the Ministry of Justice (MoJ) Information Security policies. It contains important guidance on how to keep MoJ information safe and secure.
Policies shown here are listed for technical users and non-technical users (referred to as all users).
Technical users include:
- Technical architects
- DevOps specialists
- IT service managers
- Software developers
The MoJ Technical Guidance covers technical decisions in the MoJ more widely.
Note: This guidance is dated: 22 March 2023.
Change log
A ‘change log’ is available. It details the most recent changes to this information.
The changes are also available as RSS or Atom feeds.
Popular links
Popular links for all users:
- Security threat level and emergency procedures
- Overseas travel and accessing MoJ IT systems from overseas
- General app guidance
- Minimum User Clearance Requirements Guide
- Government classification scheme
- Remote Working
Offline content
This guidance is available in PDF and EPUB formats.
All users. Contains general guidance with some technical information:
Group Security. Contains Group Security policy and guidance:
Technical users. Contains detailed technical information, together with all users and Group Security content:
The offline versions of this guidance are time-limited, and are not valid after 22 April 2023.
Security culture
In addition to the obvious security resources such as policies, controls, and software and hardware tools, all organisations need employees, suppliers and other colleagues to behave in a way that helps ensure good security at all times. A simple example is where someone will act in a way that maintains good security, even if they don’t know exactly what the formal process is. The extent to which an organisation has good security in indicated by its security culture.
Security culture refers to the set of values, shared by everyone in an organisation, that determines how people are expected to think about and approach security. Getting security culture right helps develop a security conscious workforce, and promotes the desired security behaviours expected from everyone working in or for the organisation.
The MoJ is creating a portfolio of security culture resources to help supplement the formal policy and guidance material. Initial security culture material is available for preview.
Information structure
MoJ policy documents are listed beneath the following headings:
- Information security policies
- Mobile devices and teleworking
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance
- Risk Assessment
The documents have been developed and defined within this taxonomy, and are listed in the next section, together with their suggested target audiences.
Information security policies
Management direction for information security
These are the policies for all users:
- Avoiding too much security
- IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER
- IT Security All Users Policy
- IT Security Policy (Overview)
- Line Manager approval
These are the policies for technical users:
Mobile devices and teleworking
Mobile device policy
These policies are for all users:
Teleworking
These policies are for all users:
Human resource security
Prior to employment
These policies are for all users:
- Minimum User Clearance Levels Guide
- National Security Vetting contact
- National Security Vetting questions
- National Security Vetting for External Candidates FAQ
- Pre-employment screening
- Pre-Employment Screening and Vetting of External Candidates - FAQs
- Security clearance appeals policy
- Security clearance appeals procedures
- Security vetting assessment of need
During employment
These policies are for all users:
- Ongoing Personnel Security
- Personnel risk assessment
- Reporting personal circumstance changes
- Training and Education
- Voluntary drug testing policy
- Voluntary drug testing policy procedures
Termination and change of employment
These policies are for all users:
Asset management
Responsibility for assets
These policies are for all users:
- Acceptable use
- Acceptable use policy
- Guidance on IT Accounts and Assets for Long Term Leave
- Protect Yourself Online
- Web browsing security
Information classification
These policies are for all users:
- Government Classification Scheme
- Information Classification and Handling Guide
- Information Classification and Handling Policy
These policies are for technical users:
Media handling
These policies are for all users:
- Removable media
- Secure disposal of IT equipment
- Secure disposal of IT - physical and on-premise
- Working securely with paper documents and files
This policy is for technical users:
Access control
Business requirements of access control
These policies are for technical users:
- Access Control Guide
- Access Control Policy
- Enterprise Access Control Policy
- Privileged Account Management Guide
User access management
These policies are for technical users:
- Authentication
- Management access
- Managing User Access Guide
- Multi-Factor Authentication
- Privileged User Backups, Removable Media and Incident Management Guide
- Privileged User Configuration, Patching and Change Management Guide
- Privileged User Guide
- Privileged User Logging and Protective Monitoring Guide
User responsibilities
This policy is for all users:
System and application access control
These policies are for all users:
These policies are for technical users:
- Account management
- Authorisation
- Multi-user accounts and Public-Facing Service Accounts Guide
- Password Creation and Authentication Guide
- Password Management Guide
- Password Storage and Management Guide
- Policies for Google Apps administrators
- Policies for MacBook Administrators
- System User and Application Administrators
Cryptography
Cryptographic controls
These policies are for technical users:
- Automated certificate renewal
- Cryptography
- HMG Cryptography Business Continuity Management Standard
- Public Key Infrastructure Policy
- Use of HMG Cryptography Policy
Physical and environmental security
Secure areas
These policies are for all users:
- CCTV policy
- Entry and exit search policy
- Personal mail and parcel delivery policy and procedure
- Physical security policy
- Public protest and demonstrations policy
- Security in the office
- Security threat level and emergency procedures
- Visitor access policy
Equipment
These policies are for all users:
- Clear Screen and Desk Policy
- Equipment Reassignment Guide
- Laptops
- Locking and shutdown
- Policies for MacBook Users
This policy is for technical users:
Operations security
Operational procedures and responsibilities
These policies are for technical users:
- Active Cyber Defence: Mail Check
- Active Cyber Defence: Public Sector DNS
- Active Cyber Defence: Web Check
- Offshoring Guide
Protection from malware
This policy is for all users:
These policies are for technical users:
- Malware Protection Guide (Overview)
- Malware Protection Guide: Defensive Layer 1
- Malware Protection Guide: Defensive Layer 2
- Malware Protection Guide: Defensive Layer 3
Backup
These policies are for technical users:
Logging and monitoring
These policies are for technical users:
- Accounting
- Commercial off-the-shelf applications
- Custom Applications
- Logging and monitoring
- Online identifiers in security logging and monitoring
- Protective Monitoring
- Security Log Collection
- Security Log Collection: Enterprise IT - Infrastructure
- Security Log Collection: Enterprise IT - Mobile Devices
- Security Log Collection: Hosting Platforms
- Security Log Collection: Log entry metadata
- Security Log Collection: Maturity Tiers
Control of operational software
This policy is for all users:
Technical vulnerability management
These policies are for technical users:
- Patch management guide
- Vulnerability Disclosure
- Vulnerability Disclosure: Implementing
security.txt - Vulnerability scanning and patch management guide
- Vulnerability scanning guide
Communications security
Network security management
These policies are for technical users:
- Code of Connection Standard
- Defensive domain registrations
- Domain names and Domain Name System (DNS) security policy
- Internet v. PSN
- IP DNS Diagram Handling
- Multiple Back-to-back Consecutive Firewalls
- Networks are just bearers
Information transfer
These policies are for all users:
- Bluetooth
- General Apps Guidance
- Phishing Guide
- Protecting WhatsApp accounts
- Secure Data Transfer Guide
- Sending information securely
- Web browsing security policy profiles
- Wifi security policy
These policies are for technical users:
- Criminal Justice Secure Mail (CJSM)
- Data Sovereignty
- Email Authentication Guide
- Email Blocklist Policy
- Email Blocklist Process
- Email Security Guide
- Secure Email Transfer Guide
- Spam and Phishing Guide
System acquisition, development and maintenance
Security requirements of information systems
These policies are for technical users:
- Technical Security Controls Guide
- Technical Security Controls Guide: Defensive Layer 1
- Technical Security Controls Guide: Defensive Layer 2
Security in development and support processes
These policies are for technical users:
- Maintained by Default
- Secure by Default
- Service Owners Responsibilities
- Source Code Publishing
- System Test Standard
Test data
This policy is for technical users:
Supplier relationships
Information security in supplier relationships
These policies are for technical users:
- Suppliers to MoJ: Assessing Suppliers
- Suppliers to MoJ: Contracts
- Suppliers to MoJ: Security Aspect Letters
- Suppliers to MoJ: Supplier Corporate IT
Supplier service delivery management
These policies are for technical users:
- Azure Account Baseline Templates
- Baseline for Amazon Web Services accounts
- Baseline for Azure Subscriptions
Information security incident management
Management of information security incidents and lost devices
These policies are for all users:
These policies are for technical users:
- Forensic Principles
- Forensic Readiness Guide
- Forensic Readiness Policy
- Incident Management Plan and Process Guide
- Lost devices or other IT security incidents
Information security aspects of business continuity management
Information security continuity
These policies are for technical users:
Compliance
Compliance with legal and contractual requirements
This policy is for all users:
These policies are for technical users:
- Data Destruction
- Data Destruction: Contract Clauses - Definitions
- Data Destruction: Contract Clauses - Long Format
- Data Destruction: Contract Clauses - Long Format (Appendix)
- Data Destruction: Contract Clauses - Short Format
- Data Destruction: Instruction and Confirmation Letter
- Data Security & Privacy Lifecycle Expectations
- Data Security & Privacy Triage Standards
Information security reviews
This policy is for technical users:
Risk Assessment
Risk Management
These policies are for technical users:
- Infrastructure and system accreditation
- IT Health Checks
- IT Health Check - Test cancellations and delays
Risk Assessment Process
This policy is for all users:
Other Guidance
The Government Functional Standard - GovS 007: Security provides the base material for all security guidance in the MoJ.
Glossary
A glossary of some terms used in this guidance is available here.
Acronyms
A more extensive list of acronyms is available here.
Technical Guidance
The MoJ Technical Guidance should be read together with this security-focused guidance.
Feedback
If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: itpolicycontent@digital.justice.gov.uk.