Vetting and Clearance Policy

Information Security - HMCTS

Version 1.0 – 2nd June 2021

Contents

1 Document Management

1.1 Authorisation

1.2 Distribution & Review

1.3 Revision History

2 Introduction

3 Purpose

4 Scope

5 Roles and Responsibilities

6 Policy Statements

6.1 Basic Vetting

6.2 Access to OFFICIAL-SENSITIVE Information

6.3 National Security Vetting

6.4 Waivers

7 Review and Maintenance

8 Definitions

Document Management

Authorisation

Version Name Role Approval Date
1.0 Mahbubul Islam HMCTS CISO 02/06/2021

Distribution & Review

Name Role
Michael Hanley HMCTS Deputy SIRO
Naveed Saeed HMCTS Secure Design Lead
Mahbubul Islam HMCTS CISO
Adrian Warman MOJ Principal Cyber Security Consultant
Samantha Besau HMCTS Secure Design 2nd Line Risk
Kris Long HMCTS Secure Design 2nd Line Risk
Mat Mills HMCTS IA Security Governance Lead
Helen Bells HMCTS Secure Design 1st Line Risk

Revision History

Version Date Author Reason for issue
0.1 29/10/2020 Ian Fish Initial draft policy
0.2 05/11/2020 Ian Fish Amended to incorporate NS review changes
0.3 16/11/2020 Ian Fish Incorporating MOJ guidance material
0.4 18/11/2020 Ian Fish Final draft incorporating Helen Bells’ comments
1.0 02/06/2021 Ian Fish Published following CISO approval

Introduction

This Policy details the responsibilities and obligations placed upon HMCTS staff, contractors, and sub-contractors with respect to vetting and clearance.

The vast majority of the information HMCTS handles is classified OFFICIAL; some information assets carry the additional handling caveat OFFICIAL-SENSITIVE.

Purpose

This document defines requirements governing the vetting and clearance of all persons working in or for HMCTS.

Scope

This Policy applies to all parties accessing HMCTS data, information or systems.

Roles and Responsibilities

The Senior Information Risk Owner (SIRO) is responsible for issuing waivers to these requirements where necessary; this can only be done by accepting the residual risk as determined in a risk balance case.

HMCTS line managers or contract managers are responsible for determining the need for any role to require national security vetting (NSV).

Individual members of HMCTS staff, contractors and sub-contractors are responsible for notifying their line management of any relevant change of circumstance.

HMCTS Security staff are responsible for the continual monitoring and enforcement of this policy.

Policy Statements

Basic Vetting

All persons working in or for HMCTS must have successfully completed Baseline Personnel Security Standard (BPSS) vetting before being granted access to HMCTS information.

Access to OFFICIAL-SENSITIVE Information

As a rule, access to OFFICIAL-SENSITIVE information does not require vetting above BPSS.

Where individuals are required to access and/or work with OFFICIAL-SENSITIVE information, strict need-to-know controls must be enforced and the persons concerned should receive additional awareness training.

National Security Vetting

Certain activities involving information classified OFFICIAL present an enhanced information security threat. For these activities, one of the applicable security controls is that the individual must hold national security vetting (NSV) to Security Check (SC) level.

Personnel undertaking the following activities must be cleared to SC:

  • Writing or modifying code for applications that are crucial to the work of the department.

  • Accessing personal data in bulk.

  • Holding administrative privileges that could be used to adversely affect the confidentiality, integrity or availability of services.

  • Influencing any aspect of the design or implementation of security enforcing functions.

  • Having long-term, regular, unsupervised access to data centres or communications rooms.

  • Having regular, privileged, unsupervised and unconstrained access to systems that hold data for multiple MoJ systems (for example backups), or console access to multiple cloud services.

  • Having cryptography responsibilities, including crypto handling, under advice from the Crypto Custodian.

  • Having access to security testing outcomes for multiple systems that reveal vulnerabilities in live services.

  • Holding a role, such as system support or IT investigation, in which an individual could, without further authority or authorisation:

    • act as another user;

    • elevate the privileges of a user;

    • obtain credentials for another user;

    • directly access other users’ data.

SC is also required where access to information classified SECRET is long-term, frequent and uncontrolled, or is sufficient to form a comprehensive picture of a policy, plan or project.

Developed Vetting (DV) is required where access to information classified TOP SECRET is long-term, frequent and uncontrolled, or is sufficient to form a comprehensive picture of a policy, plan or project.

SC is not routinely available to non-UK nationals and DV is only available to UK nationals.

Waivers

If a waiver to any of the requirements of this policy is needed for operational reasons, then the individual requiring the waiver must make a risk balance case. For the waiver to be granted the risk balance case must be signed off by the SIRO or by someone to whom the SIRO has delegated the authority.

Review and Maintenance

Policies are subject to annual review with approval and authorisation from the HMCTS deputy SIRO. HMCTS Security and Information Assurance teams are responsible for on-going policy maintenance.

Definitions

MoJ
The Ministry of Justice is a major government department, at the heart of the justice system. MoJ works to protect and advance the principles of justice. Its vision is to deliver a world-class justice system that works for everyone in society. More here: https://www.gov.uk/government/organisations/ministry-of-justice/about

HMCTS
HM Courts & Tribunals Service is responsible for the administration of criminal, civil and family courts and tribunals in England and Wales. HMCTS is an executive agency, sponsored by the Ministry of Justice.

Need-to-know
A principle ensuring that data or information is only accessible to, or shared with, those who have a genuine business need to view or access it and who hold the required level of security approval.