Minimum security controls – third party information sharing and processing policy

Annex A – minimum security controls

General

A security policy must be in place which:

  • sets out management commitment to information security
  • defines information security responsibilities
  • ensures appropriate governance

All staff must complete data protection and information security training commensurate with their role. 

We will apply pre-employment checks to all staff that consider relevant employment legislation.  This will include verification of identity and right to work. 

IT infrastructure

Boundary firewall and internet gateways

Information, applications, and devices must be protected against unauthorised access and disclosure from the internet.  This will be done by the use of:

  • boundary firewalls
  • internet gateways
  • equivalent network devices

Secure configuration

Information and communications technology (ICT) systems and devices must be configured to reduce the level of inherent vulnerabilities.  They will only provide the services required to fulfil their role.

User access control

User accounts must:

  • be assigned to authorised individuals only
  • managed effectively
  • provide the minimum level of access to:
    • applications
    • devices
    • networks
    • data

Access control (such as username and password, two-factor authentication) must be in place.  

A password policy must be in place which includes:

  • avoiding the use of weak or predictable passwords
  • ensuring all default passwords are changed
  • ensuring robust measures are in place to protect administrator passwords
  • ensuring account lock out or throttling is in place to defend against automated guessing attacks

End user activity must be auditable and include the identity of end-users who have accessed systems. 

Malware protection

Mechanisms to identify detect and respond to malware on ICT networks, systems and devices must be in place.  It must be fully licensed, supported, and have all available updates applied.

Patch management and vulnerability assessment

Updates and software patches must be applied in a controlled and timely manner. They must be supported by patch management policies. 

You must adopt a method for gaining assurance in your organisation's vulnerability assessment and management processes, for example by undertaking regular penetration tests.

Software that is no longer supported must be removed from ICT systems and devices.

Backups and recovery

ICT systems processing our data must be subject to operational procedures which support effective and secure backup. Backup arrangements must be regularly tested to ensure the process is successful and meets the requirements of the Backup Policy.

Cloud services

Controls applied to the use of cloud services must satisfactorily support the relevant security principles set out in the National Cyber Security Centre Cloud Security Principles

Protecting data

International transfers of personal data

In accordance with data protection legislation a transfer of personal data must be within the UK unless:

  • the rights of the individuals in respect of their personal data is protected in another way (subject to our approval), or 
  • one of a limited number of exceptions applies.  We must be made aware of any exceptions and the location of data transfers

Electronic data

In addition to physical security controls all physical media must be encrypted, using well-configured appropriate algorithms, to protect against unauthorised access. This can be achieved using full-disk encryption, or application-layer encryption, or both.

An encrypted communication protocol must be used for example Transport Layer Security (TLS) when transmitting data

  • over the internet
  • over a wireless communication network such as Wi-Fi
  • over an untrusted network 

You must only use ICT which is under your governance and subject to the controls set out in this policy.

Hard copy data

Hard copy data must be stored securely when not in use.  Access to the data must be controlled. 

It must be transported in a secure manner:

  • commensurate with the impact a compromise or loss of information would have
  • which reduces the risk of loss or theft

Secure deletion of data

Electronic copies of data must be securely deleted when no longer required.  This includes data stored on:

  • servers
  • desktops
  • laptops
  • other hardware and media 

Hard copy data must be securely destroyed when no longer required. 

Secure destruction and deletion means the removal of data so it cannot be recovered or reconstituted.

Evidence of secure deletion or destruction may be required to provide the necessary assurance.

Security incidents or personal data breach

You must notify us without undue delay of any fact or event which results in, or has the potential to result in, the compromise, misuse, or loss of our:

  • information
  • ICT services
  • assets

You must notify us without undue delay of any personal data breach if it relates to personal data processed on our behalf. 

You must fully co-operate with any investigation we require as a result of such a security incident or personal data breach.

Compliance 

We must be informed of any non-compliance with these controls.  Any deficiencies in controls must be subject to a documented risk management process. Where appropriate a remedial action plan is to be implemented with the aim of reducing, where possible, those deficiencies.  

Independent validation which has been used as evidence of appropriate security controls must be maintained throughout the life of the contract or agreement.  

We must be made aware of any expired or revoked evidence used as independent validation.