Guidance

Defence Security and Assurance Services: defence industry/list X

Details of the responsibilities and processes of the Defence Security & Assurance Services (DSAS).

DSAS defence industry IT accreditation

Until January 2007 the accreditation of defence industry IT systems was originally undertaken by the Security Services under the list X process. Since then, Defence Security and Assurance Services (DSAS) expanded to include the accreditation of defence industry and now work with over 150 defence partners.

DSAS defence industry accreditation request form

The main responsibilities are:

  • the formal ‘accreditation of defence industry IT systems’ which store, process or forward HMG Ministry of Defence (MOD) information
  • to provide general ‘information assurance’ advice
  • provide guidance in line with the Data Protection Act 1998 to adequately safeguard MOD personal data held in industry

Accreditation is defined in HMG Information Assurance Standard No 2 (IAS2) as ‘…an independent assessment that an information system meets its IA requirements and that the residual risks, in the context of the business requirement, are acceptable to the business’.

Information assurance is delivered through the assessment of information in relation to:

  • confidentiality: the property that information is not made available or disclosed to unauthorised individuals, entities, or processes
  • integrity: the property of safeguarding the accuracy and completeness of assets, this may include the ability to prove an action or event has taken place, such that it cannot be repudiated later
  • availability: the property of being accessible and usable upon demand by an authorised entity

The process involves the formal assessment of residual risk to the information culminating in the creation and approval of a risk management and accreditation document set (RMADS) as described in IAS2.

Systems should be developed based on the guidance and good practice offered by Communications-Electronics Security Group (CESG), the UK’s National Technical Authority for ‘information assurance’. CESG produce information assurance standards, memoranda, manuals and security procedures which underpin the security policy framework (SPF) based upon identified threats and vulnerabilities across a range of technologies.

The DSAS industry team have an accreditation responsibility for all systems storing, processing or forwarding information at ‘CONFIDENTIAL’ and above (list X) and all those systems at ‘RESTRICTED’ which connect to other government networks.

Where Defence Equipment and Support (DE&S) and Industry Security Services (ISS) provide the physical assurances to the ‘list X’ process by assessing the global and local security environments (GSE and LSE), we are responsible for the security of the data within the electronic security environment (ESE).

Despite having a defined scope of responsibility, DSAS will always offer guidance and support to defence industry in relation to ‘information security and assurance’ on all IT systems storing HMG (MOD) information.

Contact details

You can contact DSAS using the details below:

Defence Security Assurance Services
X008 Bazalgette Pavilion
RAF Wyton
Huntingdon
Cambs, PE28 2EA

Tel: 01480 52451 (ext 4564) or 01480 446311

Email: cio-dsas-industrycontactpoint@mod.uk unclassified only

Joint Security Co-ordination Centre (JSyCC)

The JSyCC enables ‘Defence information assurance’ assessment through the conduct and coordination of MOD information security incident management and related risk analysis activity. Additionally, it is a focal point for ‘information security alerts’ and associated ‘warning and response’ activities.

JSyCC responsibilities:

  • operational co-ordination and management of the immediate response, warning and reporting, including the investigative oversight and follow-up actions, for all reported Defence information assurance/information security incidents involving the loss, compromise or leakage of protectively marked official information and/or equipment
  • operational information security risk management, trend analysis and related policy. This includes the management of the MOD Information Security Incident Reporting Scheme (MISIRS) and supporting database, together with the drafting of responses to Parliamentary Questions, Freedom of Information (FOI) requests etc
  • the provision of the Defence industry warning and reporting point (WARP) responsible for the coordination of the response and management of all Defence industry information security incidents, including List X
  • the coordination of all law enforcement and counter intelligence for information security incidents

Contact details

If you want to know more about JSyCC, use the contact details below:

JSyCC
X017, Bazelgette Pavilion
RAF Wyton
Huntingdon
Cambs, PE28 2EA

Point of Contact: JSyCC Ops 0306 770 2187

JSyCC Duty Officer (out of hours) 07768 558 863

Email: CIO-DSAS-JSyCCOperations@mod.uk

Help us improve GOV.UK

Please don't include any personal or financial information, for example your National Insurance or credit card numbers.