Guidance on how organisations should secure their technology and services to protect UK government information classified as OFFICIAL.
The vast majority of UK government business is conducted at the OFFICIAL classification. This includes routine information supporting business operations and services, much of which would have damaging consequences if lost or stolen.
Security at OFFICIAL is achieved through following good commercial practices, using well configured commodity technologies and by people taking personal responsibility and using their judgement more actively.
Achieving Secure Technology
The Government Security Policy Framework describes government’s overall approach to protective security. Security is achieved through understanding your true security needs and matching these requirements to technology available. It should be focused on meeting outcomes that have been clearly defined, rather than applying prescriptive controls.
Whilst technology risks must always be effectively managed, there are opportunities for organisations to develop innovative solutions and use modern, commodity technologies and tools. Security must be considered when making decisions about technology, and it should be balanced against other needs of the service.
Risk management at OFFICIAL
The links below, and our wider portfolio of risk management products, provide guidance on developing an effective approach to the assessment and management of information risk within technology projects. We also highlight common characteristics that we have observed in technology projects where risk is managed well and enables effective decision making about security.
Our portfolio of risk management guidance can be found at https://www.gov.uk/government/collections/risk-management-guidance. Or the following highlights are the best places to start.
Securing data in transit at OFFICIAL
The items below should help with the design and implementation of controls to protect data as it transits across networks.
Published: 6 March 2015
Updated: 2 November 2015
- Added guidance on Google Apps for Work and Microsoft Office 365 that was commissioned by a government department
- Added links to the recently published Network Principles and TLS configuration guidance.
- First published.