Security considerations

One of the priorities in any move of records and other information following a transfer of functions is information security.

Security provision should be proportionate to the nature, contents and sensitivity level of the information and should conform to the principles of the Security Policy Framework (SPF), ensuring that the confidentiality, integrity and availability of information are appropriately maintained.

Any transferring organisation should satisfy itself that the receiving organisation has the necessary accreditation, infrastructure, procedures and policies in place (that is, the capacity to hold and protect the material) and the organisational culture to treat it appropriately. Commercial and other partners who may be involved in handling the move of records should follow the same principles and practice.

Step one

Identify what material should be transferred to the receiving organisation and the nature of any associated risks, for example with regard to sensitivity or personal data.

Step two

Assess whether the receiving organisation meets appropriate security requirements or whether existing information communications technology (ICT) infrastructure, policies and procedures will need to be revised or upgraded. This should be done by or under the auspices of the Departmental Security Officers (DSOs) concerned. Guidance on accreditation and on the implementation of information assurance (IA) and risk management should be sought from CESG, the UK’s National Technical Authority for IA. Organisations should also follow the guidance on managing information risk from the Office of the Government Senior Information Risk Owner (OGSIRO).

Step three

Only when any necessary upgrading or implementation of appropriate security measures has taken place should the material be moved. The method of transit and the security measures employed to protect the information during the move should conform to the principles of the SPF and relevant CESG IA Standards and Guidance.