Vetting and Clearance Policy
Information Security - HMCTS
Version 1.0 – 2nd June 2021
Contents
5 Roles and Responsibilities
6.2 Access to OFFICIAL-SENSITIVE Information
6.3 National Security Vetting
Document Management
Authorisation
Version | Name | Role | Approval Date |
---|---|---|---|
1.0 | Mahbubul Islam | HMCTS CISO | 02/06/2021 |
Distribution & Review
Name | Role |
---|---|
Michael Hanley | HMCTS Deputy SIRO |
Naveed Saeed | HMCTS Secure Design Lead |
Mahbubul Islam | HMCTS CISO |
Adrian Warman | MOJ Principal Cyber Security Consultant |
Samantha Besau | HMCTS Secure Design 2nd Line Risk |
Kris Long | HMCTS Secure Design 2nd Line Risk |
Mat Mills | HMCTS IA Security Governance Lead |
Helen Bells | HMCTS Secure Design 1st Line Risk |
Revision History
Version | Date | Author | Reason for issue |
---|---|---|---|
0.1 | 29/10/2020 | Ian Fish | Initial draft policy |
0.2 | 05/11/2020 | Ian Fish | Amended to incorporate NS review changes |
0.3 | 16/11/2020 | Ian Fish | Incorporating MOJ guidance material |
0.4 | 18/11/2020 | Ian Fish | Final draft incorporating Helen Bells’ comments |
1.0 | 02/06/2021 | Ian Fish | Published following CISO approval |
Introduction
This Policy details the responsibilities and obligations placed upon HMCTS staff, contractors, and sub-contractors with respect to vetting and clearance.
HMCTS deals with information the vast bulk of which is classified as OFFICIAL with some information assets given the additional caveat of OFFICIAL-SENSITIVE.
Purpose
This document defines requirements governing the vetting and clearance of all persons working in or for HMCTS.
Scope
This Policy applies to all parties accessing HMCTS data, information or systems.
Roles and Responsibilities
The Senior Information Risk Owner (SIRO) is responsible for issuing waivers to these requirements where necessary; this can only be done by accepting the residual risk as determined in a risk balance case.
HMCTS line managers or contract managers are responsible for determining the need for any role to require national security vetting (NSV).
Individual members of HMCTS staff, contractors and sub-contractors are responsible for notifying their line management of any relevant change of circumstance.
HMCTS Security staff are responsible for the continual monitoring and enforcement of this policy.
Policy Statements
Basic Vetting
All persons working in or for HMCTS must have successfully completed Baseline Personnel Security Standard (BPSS) vetting before being granted access to HMCTS information.
Access to OFFICIAL-SENSITIVE Information
As a rule, access to OFFICIAL-SENSITIVE information does not require vetting above BPSS.
Where individuals are required to access and/or work with OFFICIAL-SENSITIVE information, strict need-to-know controls must be enforced and the persons concerned should receive extra awareness training.
National Security Vetting
Certain activities involving information classified OFFICIAL present an enhanced information security threat; for these cases it has been determined that one of the applicable security controls is NSV to Security Check (SC) status.
Personnel undertaking the following activities must be cleared to SC:
- Crafting or modifying code for applications which are crucial to the work of the department.
- Accessing personal data in bulk.
- Possessing administrative privileges with the ability to adversely impact the confidentiality, integrity or availability of services.
- Influencing any aspect of the design or implementation of security enforcing functions.
- Having long-term, regular, unsupervised access to data centres or communications rooms.
- Having regular privileged, unsupervised and unconstrained access to systems which contain data for multiple MoJ systems, for example backups, or console access to multiple cloud services.
- Having cryptography responsibilities and handling, under advice from the Crypto Custodian.
- Having access to multiple system security testing outcomes which reveal vulnerabilities in live services.
- Holding a role such as system support or IT investigation, such that without further authority or authorisation an individual might:
  - Act as another user.
  - Elevate the privileges of a user.
  - Obtain credentials for another user.
  - Directly access other users’ data.
SC is also required if there is access to information classified SECRET which is long-term, frequent and uncontrolled, or sufficient to form a comprehensive picture of a policy, plan or project.
Direct Vetting (DV) is required if there is access to information classified TOP SECRET which is long-term, frequent and uncontrolled, or sufficient to form a comprehensive picture of a policy, plan or project.
SC is not routinely available to non-UK nationals and DV is only available to UK nationals.
Waivers
If a waiver to any of the requirements of this policy is needed for operational reasons, then the individual requiring the waiver must make a risk balance case. For the waiver to be granted the risk balance case must be signed off by the SIRO or by someone to whom the SIRO has delegated the authority.
Review and Maintenance
Policies are subject to annual review with approval and authorisation from the HMCTS Deputy SIRO. HMCTS Security and Information Assurance teams are responsible for ongoing policy maintenance.
Definitions
Term | Explanation |
---|---|
MoJ | The Ministry of Justice is a major government department, at the heart of the justice system. MoJ works to protect and advance the principles of justice. Its vision is to deliver a world-class justice system that works for everyone in society. More here: https://www.gov.uk/government/organisations/ministry-of-justice/about |
HMCTS | HM Courts & Tribunals Service is responsible for the administration of criminal, civil and family courts and tribunals in England and Wales. HMCTS is an executive agency, sponsored by the Ministry of Justice. |
Need-to-know | A principle ensuring data or information is only accessible to, or shared with, those who have a genuine business need to view or access it and have the required levels of security approval. |