Security Policy Framework Explained

The Security Policy Framework (or "SPF") is a set of high-level protective security policies issued by the UK government; it applies chiefly to central government departments and their suppliers.[1] [2]

The structure has changed over time. Version 11, published in October 2013, has 20 "Mandatory Requirements" grouped into four policy areas. Earlier versions had as many as 70 Mandatory Requirements, which were more detailed and were grouped into seven areas:[3]

1: Governance, Risk Management & Compliance

2: Protective Marking & Asset Control

3: Personnel Security

4: Information Security & Assurance

5: Physical Security

6: Counter-Terrorism

7: Business Continuity

These mandatory requirements are a baseline that applies to all UK government departments; higher requirements may apply in some cases.[4] Public-sector bodies are responsible for managing their own technical security risks, but can draw on expertise and guidelines provided by CESG (the UK's national technical authority for information assurance, since 2016 part of the National Cyber Security Centre) and the Cabinet Office. The Centre for the Protection of National Infrastructure (CPNI) also helps protect critical national infrastructure.[5] The Ministry of Defence has its own separate policies and systems.

The SPF superseded the Manual of Protective Security. Part of the SPF is produced by CESG and part by the Cabinet Office's Security Policy Division.[6]

Notes and References

  1. Agenda Security. "Government publishes new Security Policy Framework". 22 July 2012. Archived at https://archive.today/20120722190748/http://www.agenda-security.co.uk/security-policy.asp (original link dead). Retrieved 14 August 2011.
  2. CESG. "Information Assurance Requirements for Transformational Government". January 2010. Retrieved 14 August 2011.
  3. Acuity Risk Management. "STREAM for the Security Policy Framework". Archived 23 July 2011 at https://web.archive.org/web/20110723214145/http://www.infosec.co.uk/ExhibitorLibrary/526/STREAM_for_Security_Policy_Framework_23.pdf (original link dead). Retrieved 14 August 2011.
  4. Security Park. "Only one in five adults trust government to keep their personal details safe". 16 June 2009. Archived 21 July 2011 at https://web.archive.org/web/20110721160047/http://www.securitypark.co.uk/security_article263231.html (original link dead). Retrieved 14 August 2011.
  5. Cabinet Office. "Cyber Security Strategy of the United Kingdom". June 2009, p. 23. Archived 13 August 2011 at https://web.archive.org/web/20110813044650/http://www.computerweekly.com/blogs/read-all-about-it/Cabinet%20Office%20Cybersecurity%20review%2009.pdf (original link dead). Retrieved 14 August 2011.
  6. The Privacy, Identity & Consent Blog. "The Department of 'No'". 17 February 2011. Retrieved 14 August 2011.