Change log for Ministry of Justice (MoJ) Security Guidance

This document summarises what changes were made, and when, to MoJ Security policy and guidance. The most recent changes appear at the beginning of the list.

• 2023-09-11 17:45 BST Update ITHC details

  Updates to information about IT Health Checks.

• 2023-08-30 17:45 BST Clearance requirements

  Added details about minimum user clearance requirements.

• 2023-08-09 17:35 BST Build tooling updates

  Updates to build tooling for security and performance improvements.

• 2023-07-13 17:00 BST Accessing MoJ IT systems from overseas

  Removed topic on accessing MoJ IT systems from overseas.

• 2023-07-07 16:45 BST Taking equipment overseas

  Removed general advice topic on taking equipment overseas.

• 2023-06-22 17:35 BST Formatting and terminology updates

  Minor improvements to formatting, and updates to terminology.

• 2023-06-05 18:13 BST Updates to incident management policy

  Refresh and add extra detail about managing security incidents.

• 2023-04-29 13:54 BST Add 1Password guidance

  Add information about using the 1Password tool.

• 2023-04-18 17:10 BST Revise content

  Updates to personnel and related information.

• 2023-03-21 17:35 GMT Restructure landing page, and added service owners responsibilities guidance

  New material on service owner responsibilities.

• 2023-02-28 17:35 GMT Corrected policy reference number

  Policy number POL.ITAUP.022 in the Acceptable Use Policy was incorrectly listed as number 021.

• 2023-02-16 17:35 GMT Corrected typo in template

  Fixed minor typo in Asset template.

• 2023-02-08 17:35 GMT Updated remote working guidance

  Clarification on using hotel or other public wifi spots.

• 2023-01-22 17:41 GMT Updated authorisation information

  More details on implementing defensive depth and dealing with external IP addresses.

• 2023-01-10 18:04 GMT Updated contact details for secure disposal

  When seeking help for secure disposal, contact IT Service Desk in the first instance.

• 2022-10-19 14:34 BST Updated project README

  An update to the README and refresh of the content.

• 2022-08-31 09:50 BST Overseas travel

  Clarification regarding transit or destination locations.

• 2022-08-30 10:43 BST Added guidance on protecting WhatsApp accounts

  Extra information on how WhatsApp accounts might be attacked, and how to protect your accounts.

• 2022-08-09 12:17 BST Remove links to download leaflets

  Remove links to leaflet downloads, ready for later updates.

• 2022-08-05 12:08 BST Add guidance on video conferencing hardware

  Provide more details on the use of dedicated hardware for video and conference calls.

• 2022-08-04 16:22 BST Add connected vehicle reference in bluetooth guidance

  Connected vehicles are discussed in personal devices, but the information also applies in the bluetooth guidance.

• 2022-07-22 13:14 BST Use of personal devices to receive MFA codes

  Added clarification that personal devices may be used to receive MFA authentication codes if an MoJ-issued device is not available.

• 2022-07-21 13:45 BST Guidance on use of personal devices

  Added clarification and emphasis that personal devices must not be used for work purposes. This includes accessing MoJ Slack channels using personal devices.

• 2022-07-04 14:23 BST Correct broken links

  Internal links on a page were broken; now fixed.

• 2022-06-23 12:02 BST Accessibility updates

  Improved the content tagging following guidance on accessibility improvements. Affects all pages, the link in this notification is to an example page.

• 2022-06-01 13:36 BST Reporting phishing

  Clarified process for reporting phishing attempts.

• 2022-05-27 16:09 BST Add IASME certification information and templates.

  Added material to assist suppliers in seeking security certification, particularly regarding the IASME Governance standard.

• 2022-05-20 15:37 BST Updates to overseas travel information.

  More information about applying with sufficient advance notice, and a reminder about passport validity dates.

• 2022-05-06 12:30 BST Minor restructure to Phishing information.

  The section on Out Of Band Checks has been slightly reordered, to improve readability.

• 2022-05-06 12:18 BST Added link to Password Poster.

  An information poster about how to make strong passwords is now available for download.

• 2022-04-19 17:45 BST Update links for contacting security team.

  Standardise on security@justice.gov.uk email address for contacting security team.

• 2022-04-08 10:09 BST Add guidance on secure disposal of cloud materials.

  New guidance to ensure the confidentiality of MoJ data remains when a cloud service is decommissioned.

• 2022-04-06 15:53 BST Update security.txt link.

  Corrected link to the standard security.txt file.

• 2022-04-04 10:50 BST Add password manager guidance.

  Added extra information on the use of password manager apps in the MoJ.

• 2022-03-21 10:35 GMT Add guidance on sharing information.

  Added extra information on sharing information internally and externally.

• 2022-03-21 10:22 GMT Add guidance on QR codes.

  Added information on QR codes; currently considered low risk.

• 2022-03-11 15:31 GMT Updates to ransomware information leaflet.

  Updates to correct typos and improve style.

• 2022-03-10 17:01 GMT Updates to LastPass guidance.

  More information about when and how LastPass may be used.

• 2022-03-10 13:09 GMT Various minor corrections.

  Fixing broken links and updating references to standards.

• 2022-03-04 09:16 GMT Updated email security guide.

  Clarification that phishing or spoofing of MoJ colleagues, by MoJ colleagues, is not permitted other than with formal approval in advance, justified by a good business case.

• 2022-02-18 18:35 GMT Added phishing guide.

  New topic, providing advice on dealing with phishing threats.

• 2022-02-16 11:19 GMT Updated security.txt file.

  Provided new expiry date for security.txt file.

• 2022-02-15 12:18 GMT Various minor corrections.

  Corrected contact details, fixed an incorrect link, and updated secure disposal information.

• 2022-02-07 15:49 GMT Updated glossary.

  Expanded list of glossary definitions, and explanation of out-of-band-checks.

• 2022-02-01 11:51 GMT Update to passwords guidance.

  A reminder not to share passwords or other account details.

• 2022-01-25 10:37 GMT Publication of ransomware information leaflet.

  Useful leaflet explaining what Ransomware is, and tips on protecting your work and your systems.

• 2022-01-18 17:06 GMT Updated guidance for hosting platforms.

  Updated baseline guidance for AWS and Azure platforms.

• 2022-01-07 14:36 GMT Contact details for AWS

  Updated contact details for Baseline AWS accounts.

• 2022-01-06 09:36 GMT System lockdown and hardening

  Guidance added to prevent outbound connections to random internet systems, unless this is a core part of their design. Firewall rules and other network configuration must prevent this.

• 2022-01-04 16:27 GMT IT Health Check

  Updated guidance with a new section on Cloud platforms.

• 2022-01-04 16:10 GMT Update Slack channel for privacy team

  Provide revised channel details for contact privacy team through Slack IM.

• 2021-12-23 13:50 GMT Update overseas travel guidance

  Updates to information on overseas travel and accessing MoJ IT systems from overseas.

• 2021-12-21 13:18 GMT Provide seasonal SMS scam advice

  Material to help improve awareness and best practices for security.

• 2021-12-15 15:09 GMT Use DuckDuckGo search engine

  Default to using DDG for content search.

• 2021-12-13 11:44 GMT Security threat level guidance

  New security threat Level guidance, and associated procedures.

• 2021-12-13 11:27 GMT Debrief on return from travel

  Added description of a security debrief that is mandatory after some travel or where other security conditions apply.

• 2021-12-13 11:24 GMT Accessing MoJ systems from overseas

  Added link to supplementary information on the MoJ Intranet.

• 2021-12-08 09:15 GMT Email access

  Added clarification regarding when access is permitted to a user’s business email account.

• 2021-12-07 15:18 GMT Email Authentication

  Added guidance requiring the use of MTA-SLS and TLS-RPT in MoJ email systems.

• 2021-11-30 13:54 GMT Personal Devices

  Clarified guidance on connecting personal devices using Bluetooth, and added new section on connected vehicles.

• 2021-11-22 16:23 GMT MFA

  Clarified guidance on sending one-time MFA codes only to individual devices or accounts, not to shared devices or accounts.

• 2021-11-22 14:14 GMT Government Classification Scheme

  Updated and consolidated guidance on classification of Government information.

• 2021-11-19 15:22 GMT Other guidance and security.txt

  Improved structure for other guidance information, and added security.txt file.

• 2021-11-19 10:09 GMT Sending information securely

  Guidance on working securely with paper documents and files.

• 2021-11-17 17:07 GMT Personal devices

  Updated guidance about using a personal device to connect to a business Teams meeting as a Guest.

• 2021-11-09 15:37 GMT Acceptable use policy

  Provide more detail on monitoring of systems and information, and to clarify the situation regarding Data Protection and the storage or processing of information outside the UK.

• 2021-11-08 17:30 GMT System backup policy

  Corrected broken links within the content, also some structural changes for easier cross-referencing with related topics.

• 2021-11-04 09:05 GMT Working securely with paper documents and files

  This guidance helps you understand the risks involved in working with, sharing, and moving paper documents both inside and outside the office.

• 2021-11-03 17:12 GMT Email blocking

  The policy and processes for blocking emails, and deleting emails through administrative processes, across email services across the MoJ.

• 2021-11-03 17:00 GMT Domain names

  An overview of domain name registration and monitoring principles and responsibilities within the MoJ.

• 2021-10-29 11:52 BST Logging retention

  Information about keeping logging information.

• 2021-10-19 13:06 BST Remote working

  Simplified the guidance regarding remote working.

• 2021-10-15 16:27 BST Email best practices

  Added guidance regarding attachments and the use of ‘cc’ and ‘bcc’ fields in emails.

• 2021-10-14 13:47 BST Azure subscription baselines

  Added guidance on baselines and templates for Azure subscriptions.

• 2021-10-13 15:50 BST IT Health Checks

  Added guidance on requesting and managing IT Health Checks.

• 2021-10-08 09:56 BST Wifi policy

  Added policy information about wifi.

• 2021-10-05 14:28 BST Client certificates

  Added notes about obtaining client certificates.

• 2021-10-01 15:24 BST Connection to public wifi

  Clarification about connecting to public wifi spots, such as hotels or coffee shops, or home broadband. Also extra details for remote working securely.

• 2021-10-01 15:07 BST Personal device attachment

  Clarifying the connection of personal peripherals, and the charging of personal devices from USB ports.

• 2021-09-13 17:21 BST Government Security Standard 007 V2

  Updates following the release of V2 of the Gov007 security standard.

• 2021-09-02 15:16:00 BST Extra guidance on remote working.

  Additional best practices for keeping safe and secure when working away from the office.

• 2021-08-20 14:14:00 BST Update to general apps guidance.

  Add Trello guidance, and clarification over Official and Official Sensitive material in apps.

• 2021-08-18 15:17:00 BST Add change log page.

  Created a change log page, and associated RSS and Atom feeds, to describe new or changed content.

• 2021-08-16 17:04:00 BST Clarification for accessing MoJ IT systems overseas.

  Additional information describing the process.

• 2021-08-16 17:03:00 BST Data Movement Form updated.

  Data Movement Form updated.

Contact details

For any further questions or advice relating to security, contact: security@justice.gov.uk.

Feedback

If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: itpolicycontent@digital.justice.gov.uk.