Changes to the Security Policy Framework

A new, radically slimmed down version of the Security Policy Framework was published on 3rd June 2014. In this blog post I summarise the changes and consider what it means in practical terms.

The HMG Security Policy Framework (SPF) describes the standards, best practice guidelines and approaches required to protect UK government assets, including its people, information and ICT infrastructure. It is published by the Cabinet Office and is available on the Cabinet Office web site. All UK Government departments are obliged to comply with the policy and, where appropriate, to extend its requirements to their third-party suppliers in both the public and private sectors.

On 3rd June 2014 a new version of the SPF was published, dated April 2014 and carrying no identifying version number. The policy document has been considerably slimmed down, from 52 pages to 11, and there is a major shift in emphasis compared with the previous version 11.0.

What does this mean for Departments, Agencies and third-party suppliers?

The new SPF is much less bureaucratic and prescriptive than the previous version, and it is aligned with the Government Security Classifications scheme. Much of the former content is gone: Security Policy areas 1 – 4 have been removed from the document, as have the 20 Mandatory Requirements. Also missing are the detailed discussions of security controls that ran throughout the previous version, and the use of Business Impact Levels (BILs) to denote levels of security has been withdrawn.

Instead, a new set of “Overarching Principles” stresses the need to support HMG’s objectives to work transparently and openly, and reinforces the message that digital services are the preferred method of service delivery. Strong emphasis is placed on risk management, and the document notes that people and behaviours are fundamental to good security. OFFICIAL information can be managed with good commercial solutions that mitigate the risks faced by any large corporate organisation.

The Mandatory Requirements have been replaced with a set of eight ‘Security Outcomes’ covering the policy areas of Good Governance, Culture and Awareness, Risk Management, Security of Information, Technology and Services, Personnel Security, Physical Security, and Preparing and Responding to Security Incidents.

For each of these areas, there are a small number of detailed policy statements setting out the outcomes that the Cabinet Office expects Departments to be able to achieve.

The Security Outcomes are supported by Policy Priorities, which contain additional guidance for the areas of Information Security, Physical Security and Personnel Security.

Compliance with the new SPF will be asserted by Departments through an annual reporting process, the Security Risk Management Overview (SRMO). The exact form of these SRMO statements is not yet established, but the process moves the emphasis away from a checklist approach and will instead require Departments to consider the risks to their assets and to protect them appropriately.

Departments can also be expected to pass these outcomes down to their suppliers. The policy requires Government organisations to have arrangements in place to determine, and satisfy themselves, that Delivery Partners, service providers and third-party suppliers apply proper security controls too (including List X accreditation for companies handling SECRET assets).

DRIP Bill concession aims for UK / US agreement on cloud data storage.

The Data Retention and Investigatory Powers (DRIP) Bill has recently been fast-tracked by the UK Government through the legislative process. Since April 2014, when the Court of Justice of the European Union declared the EU Data Retention Directive invalid, telecommunications companies and internet service providers have continued to collect communications metadata. Some now face the threat of legal action from campaigners who wish to stop the collection.

The purpose of DRIP is to restore the legal basis for collecting communications metadata and to encourage the telecommunications companies to continue collecting it.

The almost unprecedented speed of the introduction of this legislation has required the Government to make a number of concessions to secure cross-party support. Some of these have been well publicised, such as the expiry of the legislation at the end of 2016, the requirement for the next Government to properly debate replacement legislation in the next Parliament, and the creation of a new Privacy and Civil Liberties Oversight Board.

Less well reported is the appointment of ‘a senior former diplomat’ to open talks with the US Government and Internet Service Providers to reach agreement on sharing of data between legal jurisdictions.

Neither the scope of these discussions nor the identity of the diplomat has yet been established. There may be significant consequences for cloud computing and data storage.

Understanding the legal implications of the jurisdictions in which data is stored and processed has been identified as a fundamental security requirement for cloud systems by both the UK Government Cloud Security Principles and the Cloud Security Alliance Cloud Controls Matrix.

Two legal instruments are relevant to the exchange of data between the EU and the US. The Safe Harbor Principles extend EU data protection to US companies that self-certify under the scheme. In practice, the Safe Harbor scheme has been the subject of much criticism: only a small proportion of US companies are registered with it, and there are issues around compliance.

There are also concerns that the US Patriot Act may give the US Government access to data stored on the cloud servers of companies with a presence in the US, even when the data itself is located in the EU or elsewhere. Microsoft recently lost the first round of a legal battle with the US Justice Department over the applicability of a US warrant to data stored on servers located in Dublin.

There are no apparent requirements for this initiative to report back to Parliament, or to anyone else, on the progress it makes, and it may be forgotten about altogether in the run-up to the election. But if talks do take place, and if they lead to a better agreement than the current Safe Harbor Principles, then this concession may have a significant and long-lasting impact on cloud computing security.