Table of contents

IT Security All Users Policy

Parent topic: IT Security Policy (Overview)

Introduction

This policy provides more information on the actions expected of all Ministry of Justice (MoJ) users when using MoJ equipment and infrastructure. It is a sub-page to the IT Security Policy Overview.

Note: In this document, the terms “data” and “information” are used interchangeably.

Audience

This policy is aimed at three audiences:

  • Technical users

    These are in-house MoJ Digital and Technology staff who are responsible for implementing controls throughout technical design, development, system integration, and operation. This includes DevOps, Software Developers, Technical Architects, and Service Owners. It also includes Incident Managers from the Event, Problem, Incident, CSI and Knowledge (EPICK) Team.

  • Service Providers

    Defined as any other MoJ business group, agency, contractor, IT supplier and partner who in any way designs, develops or supplies services (including processing, transmitting and storing data) for, or on behalf of, the MoJ.

  • General users

    All other staff working for the MoJ.

Within this policy, “all MoJ users” refers to General users, Technical users, and Service Providers as defined previously.

Approach

The MoJ ensures that IT security controls are designed and implemented to protect MoJ data, IT Assets, and reputation, based around the following requirements:

  • Confidentiality

    Knowing and ensuring that data can only be accessed by those authorised to do so.

  • Integrity

    Knowing and ensuring the accuracy and completeness of data, and that it has not been deliberately or inadvertently modified from a previous version.

  • Availability

    Knowing and ensuring that IT systems and data can always be accessed when required and authorised.

Assets

This policy applies to all premises, physical equipment, software and data owned or managed by the MoJ. This includes IT systems, whether developed by the MoJ or managed by IT service providers. It covers the use of IT equipment and the data processed on those IT systems, irrespective of location. It provides direction and support to preserve the confidentiality, integrity, and availability of MoJ resources.

Security classification

All MoJ Staff are responsible for ensuring data is:

  • Classified correctly as detailed in the Information Classification, Handling and Security Guide
  • Distributed only in accordance with the statements of this policy and related guides.
  • Protected by the appropriate security controls to ensure its confidentiality, integrity and availability.

Access to classified information shall be controlled in accordance with the requirements set out within the MoJ Access Control Guide.

Physical and personnel security

The Physical Security Policy defines how physical access to assets must be controlled within the MoJ to prevent unauthorised access, use, modification, loss, or damage. All MoJ users must understand that:

  • All MoJ IT systems and services must be assessed against environmental risks, for example flood or fire, to maintain the asset’s confidentiality, integrity, and availability.
  • The MoJ’s IT Teams are not directly responsible for the physical security and environment of the MoJ sites.
  • Physical security controls and the environment in which the MoJ IT systems operate form part of a system’s overall risk landscape. All MoJ users shall ensure they adhere to the security controls and requirements set out in this policy.
  • Unless otherwise formally agreed by the MoJ, all MoJ users, including agency staff and contractors who have access to MoJ data, require Baseline Personnel Security Standard (BPSS) assessment, as a minimum.
  • National Security Vetting should only be applied for where it is necessary, proportionate, and adds real value.
  • The MoJ does not have a standing requirement for system administrators or application developers to maintain Security Check (SC) clearance.

Further information on physical and personnel security is available from Security team and CPNI Guidance.

Identity and access control

The MoJ Access Control Guide ensures that information and IT assets can be accessed only by authorised personnel, and that each individual is accountable for their actions.

The guide outlines the controls and processes designed to limit access based on a “need to know” basis, and according to defined roles and responsibilities.

The MoJ Access Control Guide addresses access control principles such as identification, authentication, authorisation, and accounting.

Password management

The MoJ Password Management Guide sets out the requirements for strong password implementation and management, to help prevent unauthorised access to MoJ systems. Examples include password creation, authentication, storage and management.

Email security

The MoJ Email guidance tells you about safe and secure use of email within the MoJ.

The more detailed MoJ Email Security Guide specifies the controls and processes required to protect the MoJ’s email systems from unauthorised access or misuse, that may compromise the confidentiality, integrity or availability of the data stored and shared within them.

The guide outlines the various security levels required to transfer information from the MoJ’s email servers to organisations outside the MoJ and other government departments. It covers topics such as the threats to email security (phishing) and secure email transfer.

Remote working and portable devices

The MoJ has in place Remote Working guidance that sets out the requirements for safely accessing and using the MoJ’s systems and applications when working remotely, for example from home, another government office, or while travelling.

Mobile computing is the use of portable equipment such as mobile phone, laptop or tablet, and which supports remote working. Mobile computing equipment provided by the MoJ must be used in line with the Acceptable Use Policy.

Any request to take MoJ IT equipment overseas must follow the guidance provided in the Acceptable Use Policy and the information on accessing IT systems from overseas.

Malware protection

The MoJ Malware Protection Guide specifies the controls and processes that shall be used to protect all systems against malware. Malware might enter the MoJ by employee email, through the internet, mobile computers, or removable media devices.

The MoJ Malware Protection Guide addresses the following relevant domains:

  • Implementation controls to stop malware entering MoJ devices and systems.
  • Preventing malicious code from executing on MoJ devices and systems.
  • Mitigating the impact of malware when entering MoJ devices and systems.

Roles and responsibilities

All MoJ users are responsible for ensuring the confidentiality, integrity, and availability of data within the MoJ. This includes all MoJ data and assets. These responsibilities extend to all assets referenced in this policy.

All MoJ users shall comply with the roles and responsibilities outlined in the Information Assurance Framework Process.

Specific roles and responsibilities are described within each sub-page. All MoJ users shall comply with these roles and responsibilities, and understand these as being a part of their ultimate responsibility for information security within the MoJ.

For the purpose of this Information Security Policy, the following roles are described. They have specific responsibilities in the implementation and monitoring of different provisions of the policy.

Role Responsibility Which includes…
Senior Information Risk Owners (SIROs) The MoJ SIRO is responsible for the overall MoJ information risk policy and guidance, and ensures that the policy and guidance material continues to provide appropriate risk appetite and a suitable risk framework. Implementing and managing information risk management in their respective business groups.
    Regularly reviewing the application of policy and guidance to ensure it remains appropriate to their business objectives and risk environment.
    Authorising any exceptions and deviations from the IT Security Policy with consideration of the impact any changes might have to other users.
Delegated Agency SIROs The delegated agency SIRO is responsible for the information risk policy and guidance as it applies to their systems and personnel, and ensures the agency adheres to the MoJ’s risk appetite and risk framework. In line with the MoJ SIRO, but for Agency systems and personnel.
Information Asset Owners (IAO) IAOs must be satisfied that all required technical, personnel, physical and procedural security controls are in place and followed. IAOs are responsible for ensuring the management and security of their information asset over the whole asset lifecycle. Logging and monitoring.
    Reviewing access permissions.
    Understanding and addressing risks associated to their information assets.
    Ensuring secure disposal of information when it is no longer required.
System Owners System Owners are responsible for managing access control rules for their particular system. Verifying access rights in order to assist a scheduled review audit of User accounts and permissions.
Contract Owners Contract Owners are responsible for ensuring contractors adhere to the IT Security Policy set out here and in associated documentation. Verify that contracts are written to reflect the MoJ’s IT Security Policy.
    Ensure contractors comply with the requirements set out by this policy and associated documentation.
    Being responsible for escalating the risk of non-compliance by a supplier, and seeking guidance on suspected non-compliance with security requirements in a contract.
    Ensure that the contractor is responsible for any sub-contractors that they employ directly or indirectly, and that the contractor, not the MoJ, is responsible for ensuring that those sub-contractors comply with this policy and associated documentation.

Incidents

Note: If you work for an agency or ALB, refer to your local incident reporting guidance.

Security Team

Contact details

For any further questions or advice relating to security, contact: security@justice.gov.uk.

Feedback

If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: itpolicycontent@digital.justice.gov.uk.