Cyber and Technical Security Guidance

Summary

This site lists the Ministry of Justice (MoJ) Information Security policies. It contains important guidance on how to keep MoJ information safe and secure.

Policies shown here are listed for technical users and non-technical users (referred to as all users).

Technical users include:

  • Technical architects
  • DevOps specialists
  • IT service managers
  • Software developers

The MoJ Technical Guidance covers technical decisions in the MoJ more widely.

Note: This guidance is dated: 11 March 2024.

Change log

A ‘change log’ is available. It details the most recent changes to this information.

The changes are also available as RSS or Atom feeds.

Popular links for all users:

Offline content

This guidance is available in PDF and EPUB formats.

All users. Contains general guidance with some technical information:

Technical users. Contains detailed technical information, together with all users and Group Security content:

The offline versions of this guidance are time-limited, and are not valid after 11 April 2024.

Security culture

In addition to the obvious security resources such as policies, controls, and software and hardware tools, all organisations need employees, suppliers and other colleagues to behave in a way that helps ensure good security at all times. A simple example is where someone will act in a way that maintains good security, even if they don’t know exactly what the formal process is. The extent to which an organisation has good security is indicated by its security culture.

Security culture refers to the set of values, shared by everyone in an organisation, that determines how people are expected to think about and approach security. Getting security culture right helps develop a security-conscious workforce, and promotes the desired security behaviours expected from everyone working in or for the organisation.

The MoJ is creating a portfolio of security culture resources to help supplement the formal policy and guidance material. Initial security culture material is available for preview.

Information structure

MoJ policy documents are listed beneath the following headings:

The documents have been developed and defined within this taxonomy, and are listed in the next section, together with their suggested target audiences.

Information security policies

Management direction for information security

These are the policies for all users:

These are the policies for technical users:

Mobile devices and teleworking

Mobile device policy

These policies are for all users:

Teleworking

This policy is for all users:

Human resource security

Prior to employment

This policy is for all users:

During employment

This policy is for all users:

Termination and change of employment

This policy is for all users:

Asset management

Responsibility for assets

These policies are for all users:

Information classification

These policies are for all users:

These policies are for technical users:

Media handling

These policies are for all users:

This policy is for technical users:

Access control

Business requirements of access control

These policies are for technical users:

User access management

These policies are for technical users:

User responsibilities

This policy is for all users:

System and application access control

These policies are for all users:

These policies are for technical users:

Cryptography

Cryptographic controls

These policies are for technical users:

Physical and environmental security

Equipment

These policies are for all users:

This policy is for technical users:

Operations security

Operational procedures and responsibilities

These policies are for technical users:

Protection from malware

This policy is for all users:

These policies are for technical users:

Backup

These policies are for technical users:

Logging and monitoring

These policies are for technical users:

Control of operational software

This policy is for all users:

Technical vulnerability management

These policies are for technical users:

Communications security

Network security management

These policies are for technical users:

Information transfer

These policies are for all users:

These policies are for technical users:

System acquisition, development and maintenance

Security requirements of information systems

These policies are for technical users:

Security in development and support processes

These policies are for technical users:

Test data

This policy is for technical users:

Supplier relationships

Information security in supplier relationships

These policies are for technical users:

Supplier service delivery management

These policies are for technical users:

Information security incident management

Management of information security incidents

These policies are for all users:

These policies are for technical users:

Compliance

This policy is for all users:

These policies are for technical users:

Information security reviews

This policy is for technical users:

Risk Assessment

Risk Management

These policies are for technical users:

Risk Assessment Process

This policy is for all users:

Other Guidance

The Government Functional Standard - GovS 007: Security provides the base material for all security guidance in the MoJ.

Glossary

A glossary of some terms used in this guidance is available here.

Acronyms

A more extensive list of acronyms is available here.

Technical Guidance

The MoJ Technical Guidance should be read together with this security-focused guidance.

Feedback

If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: itpolicycontent@digital.justice.gov.uk.