Information Security Policy
Security is central to everything we do at the Ministry of Justice (MoJ) - without it we cannot effectively deliver our priorities and ensure protection for staff and the public.
This policy sets out the formal senior management commitment to information security across the MoJ. This ensures that information is processed in a manner that preserves the confidentiality and integrity of information and meets the security requirements and obligations set out under legislation, regulations, and agreements we have entered.
This policy and the associated Information Security Framework support the protection of the MoJ’s IT systems against accidental or malicious breaches, set out a risk-based approach to information security, and ensure we have the right people, processes, and technology controls to counter threats faced by the department.
Scope
This policy provides the context for the information security policies and standards that are used across the MoJ and the government standards under which it operates. It applies to all staff, contractors, executive agencies, and third parties who provide services to, for, or on behalf of the department.
Responsibilities
As a government department, the Cabinet Office hold the MoJ accountable for meeting the requirements of the Government Functional Standard for Security: GovS007 and the underpinning technical standard for cyber security. In line with the Government Functional Security Standard (GovS007), the MoJ has a board member with the security remit (Director General Chief Operating Officer Group) and an MoJ senior officer accountable for security (Chief Security Officer).
All MoJ Public bodies with their own accounting officers (accountable to the MoJ’s principal accounting officer) must also appoint their own board members with responsibility for information security.
Information Security Framework
The department’s information security is managed via:
- This strategic policy
- Information security policies
- Standards, procedures, and governing arrangements
- Guidance to help apply the policies, standards, procedures, and governing arrangements
- System and process-specific security policies and guidance
MoJ-wide security policies are all outcome-focussed and avoid being specific, to allow a range of methods to be used to achieve them, tailored to local circumstances. This permits agencies and teams within the department flexibility and autonomy in interpreting them given their particular operations.
The policies and standards set out the minimum baseline that areas need to achieve. In many circumstances, additional controls may be required to meet specific regulations or contractual obligations, or to counter specific threats.
Policy Statements
The identified responsible officials SHALL comply with the following high-level policy statements, as well as the lower-level policies in the Information Security Framework:
- Staff SHALL properly identify, classify, and protect data in accordance with the MoJ’s security policies and standards and with security controls proportionate to the risk to that data.
- Staff, third parties and contractors SHALL identify, manage, and learn from information security incidents in accordance with the relevant policies.
- Staff, third parties and contractors SHALL take all reasonable steps to safeguard the MoJ’s information against unauthorised or accidental disclosure.
- Senior Responsible Officers SHALL ensure that information security is embedded into all projects, and formal approval from an appropriate security representative SHALL be mandatory.
- Senior Responsible Officers SHALL ensure that all information is assigned an Information Asset Owner, whose responsibilities are defined in Guidance on the Information Asset Owner role.
- Senior Responsible Officers SHALL ensure effective and proportionate security controls are in place to manage any identified risks.
- Senior Business Owners SHALL ensure the compliance of suppliers and partners with relevant MoJ security policies and understand the risk of any deviations.
- Technology Service Owners SHALL protect technology services through security controls as detailed in MoJ policies and standards.
- Technology Service Owners SHALL ensure that disaster recovery and business continuity plans are implemented and tested in accordance with relevant MoJ standards.
Compliance
The Security and Information Directorate (SID) will regularly review this policy and associated framework documents to ensure they remain suitable. SID will undertake routine compliance activities - such as reviews of security controls - against this policy and the Information Security Framework.
Where requirements in this policy and the Information Security Framework have not been met and no formal risk has been escalated in line with the relevant policies, individuals may be subject to disciplinary processes as per MoJ HR Policies. For external parties and contractors this may constitute a breach of contract. If any person is identified to have committed a criminal offence, it may lead to prosecution.
Exceptions
Anyone requesting a policy exemption should contact the relevant Senior Information Risk Owner (SIRO), with support and guidance from the MoJ Information Security Team. In the first instance, please contact the MoJ Security Team (security@justice.gov.uk) to discuss mitigation options.
Contact and Feedback
For any further questions or advice relating to security, or for any feedback or suggestions for improvement, contact: security@justice.gov.uk.