Security Policy Framework
The Security Policy Framework (or "SPF") is a set of high-level policies on security, mainly affecting the UK government and its suppliers.
The SPF has 70 "mandatory requirements", which are grouped into 7 areas:
- 1: Governance, Risk Management & Compliance
- 2: Protective Marking & Asset Control
- 3: Personnel Security
- 4: Information Security & Assurance
- 5: Physical Security
- 6: Counter-Terrorism
- 7: Business Continuity
These mandatory requirements are a baseline that applies to all UK government departments; higher requirements may apply in some cases. Public-sector bodies are responsible for managing their own technical security risks, but can draw on expertise and guidelines provided by CESG and the Cabinet Office. The Centre for Protection of National Infrastructure also helps protect critical infrastructure. The Ministry of Defence has its own separate policies and systems.
The SPF superseded the Manual of Protective Security. Part of the SPF is produced by CESG, and part by the Cabinet Office's Security Policy Division.