Guidance

DWP procurement: security policies and standards

These apply to DWP suppliers and contractors where explicitly stated in the security schedule of the contract.

Documents

Acceptable Use policy

Request an accessible format.
If you use assistive technology (such as a screen reader) and need a version of this document in a more accessible format, please email accessible.formats@dwp.gov.uk. Please tell us what format you need. It will help us if you say what assistive technology you use.

Information Management policy

Information Security policy

Personnel Security policy

Physical Security policy

Cryptographic Key Management policy

Email policy

Forensic Readiness policy

Microsoft Teams recording and transcription policy

Privileged Users Security policy

Protective Monitoring Security policy

Remote Working Security policy

Security Classification policy

SMS Text policy

Social Media policy

Technical Vulnerability Management policy

User Access Control policy

Placeholder: Common Standards for Identity Verification and Authentication (CSIVA) of DWP customers

Security standard: Physical and Electronic Security (part 1)

Security standard SS-001 (part 1): Access and Authentication Controls

Security standard SS-001 (part 2): Privileged User Access Controls

Security standard SS-002: Public Key Infrastructure & Key Management

Security standard SS-003: Software Development

Security standard SS-005: Database Management System

Security standard SS-006: Security Boundaries

Security standard SS-007: Use of Cryptography

Security standard SS-008: Server Operating System

Security standard SS-009: Hypervisor

Security standard SS-010: Desktop Operating System

Security standard SS-011: Containerisation

Security standard SS-012: Protective Monitoring Standard

Security standard SS-013: Firewall Security

Security standard SS-014: Security Incident Management

Security standard SS-015: Malware Protection

Security standard SS-016: Remote Access

Security standard SS-017: Mobile Device

Security standard SS-018: Network Security Design

Security standard SS-019: Wireless Network

Security standard SS-022: Voice and Video Communications

Security standard SS-023: Cloud Computing

Security standard SS-025: Virtualisation

Security standard SS-028: Microservices Architecture

Security standard SS-029: Securely Serving Web Content

Security Standard SS-031: Domain Management

Security Standard SS-033: Security Patching

Security Standard SS-035: Backup and Recovery

Security Standard SS-036: Secure Sanitisation and Destruction

Details

The Common Standards for Identity Verification and Authentication (CSIVA) of DWP customers is under review. You should refer to Good Practice Guides 45 and 44 instead.

Note, the Department for Work and Pensions (DWP) is unable to reply to general enquiries or questions about these security standards and policies.

These security standards and policies apply to DWP suppliers and contractors only. They do not apply to other government departments, their agencies or arm’s length bodies.

They have been published to help inform DWP Invitations to Tender and other contracting processes.

DWP may choose in an Invitation to Tender or the bid process to reference the standards and policies published here. Questions about a specific standard or policy should be sent to the DWP team managing responses to bids. This team is the only DWP authorised responder on any question about a bid and a standard or policy.

A new or changed policy or standard does not mean a new requirement for any existing contract. DWP will notify contract holders or partners of any changes to a contract.

Suppliers and contractors should contact their DWP contract managers with any questions about:

  • varying contracts
  • changing the agreed delivery of contracted services
  • the applicability of a standard or policy for their contracts
Published 9 April 2018
Last updated 7 March 2024
  1. Published updated DWP Security Classification Policy.

  2. The email policy has been updated to the latest version.

  3. Acceptable Use policy updated to include amendments around use of public vs private AI and also amendments around use of Non-Corporate Communication Channels.

  4. Replaced the User Access Control Policy. Updated guidance on password management to advise users must change their passwords on indication or suspicion of compromise.

  5. Removed Security standard SS-030: Oracle Database Security because it is out of date. The guidance is now included in Security standard SS-005: Database Management Systems.

  6. Updated Security standard SS-018: Network Security Design and removed out of date Security standard SS-027: Application Security Testing.

  7. Updated DWP Security standard SS-013: Firewall Security, Security standard SS-023: Cloud Computing and Security standard SS-028: Microservices Architecture (version 2).

  8. Published updated security standards: SS-001 (part 1): Access and Authentication Controls; SS-001 (part 2): Privileged User Access Controls; SS-014: Security Incident Management; SS-029: Securely Serving Web Content; SS-036: Secure Sanitisation and Destruction.

  9. Updated the DWP Email policy.

  10. Security Standard SS-035: Backup and Recovery attachment published in error, replaced with correct version.

  11. Updated 'Security Standard SS-035: Backup and Recovery' attachment.

  12. Added revised versions of Security standard SS-003: Software Development and SS-005: Database Management Systems.

  13. Added Security standard SS-014: Security Incident Management.

  14. Added revised version of Security Standard SS-033: Security Patching.

  15. New 'Security Standard (SS-035): Backup and Recovery' added. Updated 'Security standard SS-008: Server Operating System'. Deleted 'Security standard SS-014: Security Incident Management' and 'Form: Security incident response team referral (for Security standard SS-014: Security Incident Management)'.

  16. Updated Security standards SS-009 Hypervisor, SS-022: Voice and Video Communication and SS-025: Virtualisation (the new versions are labelled version 2.0 and dated 27/04/2023).

  17. Updated the Technical Vulnerability Management policy.

  18. Updated Security standard SS-002: Public Key Infrastructure & Key Management, SS-010: Desktop Operating System and SS-031: Domain Management.

  19. Updated Security standards SS-017: Mobile Device and SS-019: Wireless Network.

  20. Updated Security standard SS-015: Malware Protection.

  21. Added a new version of the Remote Working Security policy. Updated paragraph 3.3 and 7.5 of the Acceptable Use policy.

  22. Published a revised version of the DWP Acceptable Use Policy (the new version is still labelled version 3). Published a revised version of DWP Security standard SS-006: Security Boundaries (the new version is labelled version 2 and dated 16/01/2023), and a revised version of Security standard SS-016: Remote Access (the new version is labelled version 2 and dated 16/01/2023).

  23. Published a revised version of DWP Security Standard SS-007: Use of Cryptography (the new version is labelled version 2.0, dated 07/12/2022) and DWP Security Standard SS-033: Security Patching (the new version is labelled version 2.0, dated 07/12/2022).

  24. Published a revised version of the Security standard: Physical and Electronic Security (part 1) - the new version is labelled version 1.1, dated 16/11/2022.

  25. Added the DWP policy for Protective Monitoring Security (version 1). This is for the use of DWP suppliers and contractors only.

  26. Published a revised version of the Security Standard SS-012: Protective Monitoring Standard (the new version is labelled version 2.0, dated 11/10/2022). Also published a new standard - Security Standard SS-036: Secure Sanitisation and Destruction (this new standard is labelled version 1, dated 11/10/2022).

  27. Published a revised version of the DWP Security Standard – Containerisation (SS-011) (the new version is labelled version 2.0, dated 22/08/2022).

  28. Revised version of the DWP Microsoft Teams recording and transcription policy (the new version is labelled version 1.5, dated 22/09/22).

  29. Revised version of DWP Physical Security Policy (new version is labelled version 2.1). Also published a new standard - Security standard: Physical and Electronic Security (part 1) (this new standard is labelled version 1).

  30. Revised version of DWP Acceptable Use Policy (new version is labelled version 3).

  31. Revised version of DWP Personnel Security Policy (new version is labelled version 2).

  32. Revised version of Security Standard SS-031: Domain Management (new version is labelled version 1.2 and dated December 2021).

  33. Added the DWP policy for Microsoft Teams Recording and Transcription. This is for DWP suppliers and contractors only.

  34. Revised version of Social Media policy (new version is labelled version 2).

  35. Added Personnel Security policy for DWP suppliers and contractors.

  36. Revised version of Security Standard SS-033: Security Patching (new version is labelled version 1.3 and dated January 2021).

  37. Revised version of Security Standard SS-033: Security Patching (now labelled version 1.2).

  38. Revised version of Security standard SS-016: Remote Access (now labelled version 1.2). Typo correction in entry 10.3.2, from ‘Authority’ to ‘Contractor’.

  39. Published revised version of Security incident response team referral form for Security standard SS-014. The revised form is dated 3 June 2020.

  40. Added the following 10 DWP policies: Cryptographic Key Management Policy, Email Policy, Forensic Readiness Policy, Privileged Users Security Policy, Remote Working Security Policy, Security Classification Policy, SMS Text Policy, Social Media Policy, Technical Vulnerability Management Policy and User Access Control Policy.

  41. Published updated versions of the DWP security standards. All are now dated March 2020, except standard SS-014 which is dated 4/3/2020. These have been revised to reflect changes in DWP processes, laws, and national and international security standards and practices.

  42. Added DWP Security Standard SS-033: Security Patching.

  43. Removed the Common Standards for Identity Verification and Authentication (CSIVA) of DWP customers document. This document is currently under review.

  44. Revised versions of the Acceptable Use (version 2.5) and Physical Security (version 2) policies.

  45. Revised versions of 'Security Standard - Firewall Security (SS-013)' and 'Security Standard - Network Security Design (SS-018)'. Both are now dated 9 April 2019.

  46. Added 'Common Standards for Identity Verification and Authentication (CSIVA) of DWP customers' (version 1.7).

  47. Published revised version of Security standard SS-003: Software Development (now version 1.1, dated 07/10/2018).

  48. Published revised versions of Acceptable Use (version 2.5), Information Security (version 1) and Physical Security (version 1) policies.

  49. Added 'Security standard SS-012: Protective Monitoring Standard'.

  50. Added 'Security standard SS-001 (part 2): Privileged User Access Controls'.

  51. First published.