Security Introduction: Security Information for Customer Organisations
It is a Customer Organisation’s decision to use Shared Workspace. The following information will help a Customer Organisation to make this decision.
Shared Workspace Security Management
All government departments are governed by the Security Policy Framework (SPF) which is published by the Cabinet Office.
The SPF contains the primary internal protective security policy and guidance on security and risk management for HM Government Departments and associated bodies. It is the source on which the HMRC security policy is based.
The Security Policy Framework, at the policies and mandatory requirements level, is available from the Cabinet Office website.
The Shared Workspace service is maintained to ensure that security risks to HMRC and customer information are managed effectively but it is not Government/HMRC policy to disclose any detail around the steps taken to manage those risks, as stated in the SPF on page 8.
However, in addition to the generic guidance held within the SPF the following information is available about the Shared Workspace service.
Identification & Authentication
The service operates within a regime of individual accountability using the Government Gateway Registration process. The regime involves the use of a unique username per user and with logging of activities taking place to ensure that actions taken by users can be attributed to them.
Password Management and Password Criteria
Controls are implemented to ensure adequate separation of data between customers.
Controls are implemented to ensure against penetration and intrusion.
HMRC operates a security incident reporting scheme for Shared Workspace so that members of the user community can bring to HMRC’s attention potential and actual security incidents. These will be investigated and remedial action taken where necessary.
Maintenance of effective security management
HMRC performs regular risk assessments to ensure that the protective measures in terms of the internal and external defences of the service are in line with changing threat profiles.
Learning modules (SW09130) are available to both HMRC staff and external staff. The learning modules are mandatory for HMRC service users.
The learning modules contain details of access control, accountability and membership management.
CNCs have member management responsibilities for their organisation (SW04600).
Effective control of Shared Workspace can only be maintained with the full co-operation of our Customers, as it also relies on the procedures that our Customers adopt to prevent misuse or abuse of this service within their own organisations.
It is a condition of being given access to the service that account credentials are not shared within an organisation. This will mean that any information shared with HMRC will remain safe, confidential and prevent the misuse of the service.
To prevent people who may use a Shared Workspace member’s computer at a later date from accessing Shared Workspace information stored on the computer, users must proactively manage any data downloaded while using Shared Workspace.