Guidance

Rule 13: ICT shall be compliant with information management policy

Updated 16 October 2023

The rules are under review and subject to change.

1. Rule requirement

  1. Information Management

1.1 Defence Data must be sourced from authoritative data sources where they exist.

1.2 All ICT that processes and stores data and information shall apply information attributes in accordance with MOD Metadata Standards as defined in JSP 441 (MOD Metadata Standards v6.0). MOD Metadata Standards account for Multinational Metadata Standards where applicable, e.g. NATO.

1.3 All ICT that processes and stores data and information shall have an attribute that defines the Security Classification of that data and/or information in accordance with Government Security Classifications and shall afford it the appropriate level of protection and control in accordance with JSP 440 Part 4.

1.4 All ICT that processes and stores data and information shall have mechanisms to verify that the data and/or information has not been altered by unauthorised entities, thus enabling confidence in its integrity.

1.5 Agreed Defence definitions must be adopted and not modified to suit single business/system requirements.

1.6 MOD must have access to, and availability of, its data managed by external companies and/or Industry Partners. Timings and frequency of access and availability must be agreed to suit the further exploitation of that data by MOD.

1.7 Projects must provide detailed plans describing how data being processed or exploited by the project will be managed from creation/point of entry through to disposal.

2. Who to contact

For all queries, email ISSDes-APM@mod.gov.uk

3. Rule rationale

The objective is to ensure that any information used to make decisions meets the following requirements:

  • captured once, mastered once and used many times

  • is drawn from authoritative sources

  • quality issues are addressed at source

  • allow interoperability and interchange of data to enable information to be shared with users across systems, is labelled so it can be readily identified and can be accessed by those who are authorised and have a need to know

  • is collected and made available via standard processes

  • is assured through Defence-wide strategies, policies and standards

  • clear data ownership

  • management information (MI) architecture is consistent with the enterprise approach

  • coherent MI solutions across Defence

  • business-led MI

  • relevant, timely and appropriate accuracy/format

1.1. Authoritative data sources

  • Projects shall identify data sources and obtain acceptance that they are authoritative for their purpose from the Defence Digital DES DAMI Team

  • Projects shall manage data source requirements and obtain acceptance of any changes from the Defence Digital DES DAMI Team

1.2 & 1.3. Attribute Management

  • Projects shall engage with Defence Digital DES Arch to determine the requirements for attribute definition controls

  • Projects shall have identified the requirement to implement attribute definition and association controls within their draft SRD

  • Projects shall have identified the need for an Information Asset Owner

  • Projects shall identify the requirement to test attribute definition control operation in their ITEAP

  • Projects shall provide evidence of the development of attribute definition controls within project documentation. Projects shall have identified the requirement to implement attribute definition and association controls within their SRD

  • Projects shall have included the role of Information Asset Owner within the target organisation

1.4. Data Integrity Verification Mechanisms

  • Projects shall engage with Defence Digital DES Arch to determine the requirements for Data Integrity verification mechanisms

  • Projects shall have identified the requirement to implement Data Integrity verification mechanisms within their draft SRD

  • Projects shall provide evidence of the development of Data Integrity verification mechanisms

  • Projects shall have identified the requirement to implement Data Integrity verification mechanisms within their SRD

  • Projects shall show in their PDR that Data Integrity verification mechanisms are to be implemented

  • Projects shall show in their CDR that Data Integrity verification mechanisms are to be implemented

  • Projects shall have demonstrated through testing that Data Integrity verification mechanisms operate as approved by Defence Digital DES Arch

  • Projects shall identify the requirement to test attribute definition control operation in their ITEAP

  • Projects shall show in their PDR that attribute definition controls are to be implemented

  • Projects shall show in their CDR that attribute definition controls are to be implemented and they have been approved by Defence Digital DES Arch

  • Projects shall have demonstrated through testing that attribute definition controls operate as approved by Defence Digital DES Arch

1.5. Defence Data Definitions

  • Projects shall ensure that any data definitions used are aligned to the Reference Data Manual (RDM)

  • Projects shall show in their PDR that Defence Data definitions are to be implemented

  • Projects shall show in their CDR that Defence Data definitions are to be implemented