SW03130 - Security Introduction: Security Information for Customer Organisations

It is a Customer Organisation’s decision to use Shared Workspace. The following information will help a Customer Organisation to make this decision.

Shared Workspace Security Management

All government departments are governed by the Security Policy Framework (SPF) which is published by the Cabinet Office.

The SPF contains the primary internal protective security policy and guidance on security and risk management for HM Government Departments and associated bodies. It is the source on which the HMRC security policy is based.

The Security Policy Framework, at the policies and mandatory requirements level, is available from the Cabinet Office website.

The Shared Workspace service is maintained to ensure that security risks to HMRC and customer information are managed effectively. However, it is not Government/HMRC policy to disclose any detail around the steps taken to manage those risks, as stated in the SPF on page 8.

In addition to the generic guidance held within the SPF, the following information is available about the Shared Workspace service.

Identification & Authentication

The service operates within a regime of individual accountability. Until March 2019, this uses the Government Gateway Registration process; thereafter, access will be via the HMRC Secure Credentials Platform. Access via the Gateway will run concurrently for a short period.

The regime involves the use of 2-factor authentication and a unique username per user, with logging of activities to ensure that actions taken by users can be attributed to them.

Password Management and Password Criteria

Customers access Shared Workspace through the HMRC Secure Credentials Platform, and Password Management (SW03230) follows HM Government standards.

Data separation

Controls are implemented to ensure adequate separation of data between customers.

Network management

Controls are implemented to protect against penetration and intrusion.

Security incidents

HMRC operates a security incident reporting scheme for Shared Workspace so that members of the user community can bring to HMRC’s attention potential and actual security incidents. These will be investigated and remedial action taken where necessary.

Maintenance of effective security management

HMRC performs regular risk assessments to ensure that the protective measures in terms of the internal and external defences of the service are in line with changing threat profiles.

Learning Material

Learning modules (SW09130) are available to both HMRC staff and external staff. The learning modules are mandatory for HMRC service users.

The learning modules contain details of access control, accountability and membership management.

Customer responsibilities

CNCs have member management responsibilities for their organisation (SW04600).

Effective control of Shared Workspace can only be maintained with the full co-operation of our Customers, as it also relies on the procedures that our Customers adopt to prevent misuse or abuse of this service within their own organisations.

It is a condition of being given access to the service that account credentials are not shared within an organisation. This will mean that any information shared with HMRC will remain safe and confidential, and will prevent misuse of the service.

To prevent people who may use a Shared Workspace member’s computer at a later date from accessing Shared Workspace information stored on the computer, users must proactively manage any data downloaded while using Shared Workspace.