Principle: B1 Service Protection Policies and Processes

The organisation defines, implements, communicates and enforces appropriate policies and processes that direct its overall approach to securing systems and data that support the operation of essential functions.

This means ensuring that an organisation’s approach to securing network and information systems that support essential functions is defined in a set of comprehensive security policies with associated processes. Policies and processes should be written with the intended recipient community in mind and, ideally, with their direct involvement. You should ensure that your policies are unambiguous, do not contradict one another and that new policies are not unnecessarily published where existing ones may be amended.

An organisational security or service protection policy should be endorsed by senior management and should include the organisation’s overarching approach to governing security and managing risks. Supporting policies and processes should then provide contextual lower-level definitions controlling, directing and communicating organisational security practice. Although user-facing policies should be used to inform your staff of their responsibilities under your organisational security requirements, they are not a mechanism for transferring the burden of risk mitigation onto the user.

Mechanisms should be in place to validate the implementation and effectiveness of policies in ensuring the security of the essential function and balancing this appropriately with business delivery. Both qualitative and quantitative methods should be utilised to measure policy engagement and obtain actionable feedback. Policies should be reviewed annually for their effectiveness and updated accordingly.

Policy

The following requirements are placed on government departments:

1. Government organisations shall meet the CAF requirements of the relevant Government Profile under this principle.

2. Departments shall ensure that individuals authorised to access networks and information systems supporting the operation of essential functions have been appropriately vetted to reduce insider risk. See the Baseline Personnel Security Standard and the clearance levels webpage for more information on vetting requirements. You should ensure human risk is defined, understood and managed proportionately to the criticality of your system and its respective data.

Guidance

1. The NCSC’s You Shape Security offers guidance on how organisations should use multiple channels of communication to engage with an organisation's people, discuss existing security policies and ensure they are resilient, practical and meet people’s human and job-based needs. Organisations should regularly review their policies and processes in light of any recorded security breaches so that these documents and the organisation’s security can be continually improved. Feedback should be continually gathered from users on the effectiveness of policies, ensuring that these meet user needs and remain up to date. Legacy policies and processes should be effectively retired when replaced or updated.

Further information

Further guidance and information on related industry security standards can be found on the NCSC’s CAF Guidance webpage.