扒哥吃瓜

15 December 2025

This听Information听Security Policy is part of a suite of policies designed to promote consistency across the Department for Work and Pensions (DWP) and supplier base with regards to the implementation and management of security controls. For the purposes of this听policy, the term DWP and Department are used interchangeably.鈥�听

Security policies considered听appropriate for听public viewing published on 扒哥吃瓜听

Security policies cross-refer to each other where needed, so can be confidently used together. They听contain听both mandatory and advisory elements, described in consistent language 鈥� see table.

Term	Intention
must	denotes a requirement: a mandatory element
should	should denotes a recommendation: an advisory element
may	denotes approval
might	denotes a possibility
can	denotes both capability and possibility
is/are	is/are denotes a description

Overview听

The DWP听Information听Security Policy sets out听the DWP鈥檚 鈥痗ommitment to safeguarding its information assets, the privacy of its claimants, citizens, staff, and the integrity of its services. It听establishes听the framework for managing information security risks effectively and proportionately across the department and its supply chain.听

The DWP Security Strategy envisions supporting our customers through a culture of business-focused, risk-informed, and proactive security that enables resilient public services. This policy is a cornerstone in achieving that vision, embedding the principle of 鈥楽ecurity by Design鈥� throughout the system lifecycle, ensuring systems are secure by build and听operated听effectively.听

This policy provides the high-level principles and mandatory requirements for securing DWP鈥檚 information and information systems. To ensure a comprehensive, risk based, and universally understood structure, this policy is organised to align with the core functions of the鈥�, the鈥痯rinciples of the鈥�, and supports DWP鈥檚 adherence to mandatory UK Government standards, including the Cabinet Office鈥�鈥痑nd the鈥�鈥痯rocess.鈥疶his provides the strategic framework under which more detailed operational control sets, such as the CIS Top 18 Controls, are utilised to meet policy requirements.

Purpose听

• This policy is to听Protect the Confidentiality, Integrity, and Availability of all DWP information assets.听

• Ensure compliance with all relevant legal, regulatory, and contractual obligations, including but not limited to听the鈥�听UK听GDPR,听鈥痑苍诲鈥�.听

• Manage information security risks in line with the department鈥檚 risk appetite.听

• Contribute to fostering a security-aware culture where all听users听understand their security responsibilities.听

• Enable the secure delivery of DWP鈥檚 services and strategic听objectives.听

• Adhere to DWP鈥檚 core security assurance principles: Lawful, Necessary, Proportionate, Effective, and Efficient.听

Scope听

This policy听must听be adhered听to by:听

补)鈥�舛寞舛寞舛寞A濒濒 DWP personnel (employees, contractors, and temporary staff), business partners, suppliers, and Arm鈥檚 Length Bodies (ALBs) who access, process,听store听or听transmit听DWP information or connect to DWP systems. From this point forward, referred to collectively as 鈥渦sers鈥�.听

This policy applies to:听

b)鈥�鈥�鈥�鈥疉ll information assets, regardless of form, media, or location (for example, electronic data, paper documents, and spoken information)听

肠)鈥�舛寞舛寞舛寞A濒濒 DWP information technology (IT) and operational technology (OT) systems, networks, applications, services, and devices, whether owned, leased, or managed by DWP or by third parties on DWP鈥檚 behalf.听

This policy forms the baseline for those requirements and does not replace any legal or regulatory requirements but aims to ensure DWP meets and, where听appropriate, exceeds them.

Definitions听

Cyber Assessment Framework (CAF):听

A framework developed by the NCSC to guide organisations in assessing their cyber resilience.听

Chief Security Officer (CSO):听

The senior executive accountable for the organisation鈥檚 overall security.听

Encryption:听

The process of converting data into a code to prevent unauthorised access. While other data protection techniques such as anonymisation and pseudo听anonymisation are also used to protect data, they are distinct processes from encryption.听

Information Asset Owner (IAO):听

This is mandated UK Government role. In line with DWP鈥檚 Data Governance model these听responsibilities are formally discharged by roles such as Data Owners, Data Stewards, or Data Custodians.听听

Senior Information Risk Owner听(SIRO):听

A senior individual, typically at Director General level, accountable for the organisation鈥檚 overall information risk posture and for formally accepting听significant听residual information risk on behalf听of the Accounting Officer. This is a key functional requirement of government security standards.听(Note: The specific DWP assignment for this role is currently subject to departmental review).听

The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF):听

Provides the structure for the policy statements below.听

Policy Exception:听

A formal, documented, and approved deviation from a policy requirement.听

Risk Appetite:听

The amount and type of risk that an organisation is willing to pursue or听retain.听

Sensitive Information:听

Information whose compromise, unauthorised access, loss, or disclosure would cause harm to DWP, its staff, citizens, or services. This includes all Special Category Data (as defined by UK data protection law) and other critical assets such as financial data, commercial information, and security material.

Policy Statements听

The following policy statements are structured according to the NIST CSF. Each section explicitly听states听its alignment with the principles of the鈥�鈥�(NCSC) Cyber Assessment Framework (CAF) to ensure DWP鈥檚 efforts are focused on achieving measurable cyber resilience outcomes.听

1. Govern听

1.1 DWP鈥檚 Executive Team and senior leadership鈥痬ust鈥痙emonstrate听a clear and visible commitment to information security. This commitment is assured as听adequate and听appropriate at听a strategic level by the鈥�DWP Departmental Audit and Risk Assurance Committee (DARAC).听听

1.2 Clear information security roles, responsibilities, and accountabilities鈥痬ust鈥痓e defined, documented, assigned, and communicated. Key roles are detailed in Accountabilities and Responsibilities (below).听

1.3 The Permanent Secretary is accountable for听determining听the department鈥檚 risk appetite and tolerance for information security risk.听

1.4 This Information Security Policy鈥痬ust鈥痓e reviewed at least biennially, or more听frequently听if triggered by significant changes. The review process鈥痬ust鈥痠nclude the identification and assessment of new and updated government legislation, regulations, information and cyber security policies and standards. The review is managed through the DWP Policy and Standards Review Group (PSRG).听

1.5 Any deviation from this policy鈥痬ust鈥痓e managed through the formal, documented exception process, requiring a business justification, risk assessment, and approval via the established governance procedures. A deviation from a mandatory supporting DWP Security Standard is considered a deviation from this policy and must follow the formal exception process.听

2. Identify听

2.1 DWP鈥痬ust鈥痵ystematically听identify, inventory, and听maintain听a comprehensive register of all its information assets,听recorded on the DWP Information Asset Register (IAR).听

2.2 All assets鈥痬ust鈥痓e classified according to the鈥�DWP Security Classification Policy, which is based on the HM鈥�Government Security Classifications Policy鈥痑nd an Information Asset Owner (IAO)鈥痬ust鈥痓e assigned to each.听

2.3 DWP鈥痬ust鈥痚stablish, document, and听maintain听a formal enterprise-wide information security risk management framework, aligned with the DWP Risk Management Framework and鈥�HM Treasury鈥檚 Orange Book.听

2.4 Identified听risks鈥痬ust鈥痓e documented on a risk register, be assigned a risk owner, and be subject to regular review.听

2.5 DWP鈥痬ust鈥痠mplement a comprehensive,鈥痳isk-based鈥疌ontract Supply Chain Security Assurance process, in alignment with the鈥�Government supplier听assurance framework.听All new contracts must be assessed to听determine听the need for a specific Security Schedule. Specific security requirements鈥痬ust鈥痓e addressed and flowed down to suppliers, proportionate to the risk, within all contractual agreements. Where听appropriate听and听possible, this will be via a DWP Security Schedule.听

3. Protect听

3.1 DWP鈥痬ust鈥痠mplement robust听personnel听security measures throughout the employment lifecycle, including security screening (for example, BPSS or National Security鈥疺etting) and secure joiner, mover, and leaver processes as detailed in the鈥�DWP Personnel Security Policy鈥痑nd in alignment with the鈥�HMG Security Standard.听

3.2 DWP鈥痬ust鈥痙eliver a continuous and role-based security awareness, education, and training programme for all听users.听All users in scope of this policy,鈥痬ust鈥痗omplete all mandatory annual security and data protection awareness training relevant to their role. Users鈥痬ust鈥痑dhere to the鈥�DWP Acceptable Use Policy.听

3.3 Secure procedures鈥痬ust鈥痓e followed for the sanitisation or destruction of information and media, in alignment with the鈥�DWP Hardware Lifecycle Management Security Policy. Data Loss Prevention (DLP) technologies and processes鈥痬ust鈥痓e implemented where听appropriate to听detect and prevent unauthorised exfiltration of sensitive information.听

3.4 Access to DWP information and systems鈥痬ust鈥痓e controlled based on the principles of Least Privilege and Role-Based Access Control (RBAC). Strong authentication鈥痬ust鈥痓e implemented, including the use of Multi-Factor Authentication (MFA) for remote access to the DWP corporate network, for all privileged user accounts, unless a specific, documented, and approved risk-based exception is in place for specialist accounts (for example, emergency break-glass accounts). For third-party services used for official DWP business where DWP information is processed, stored, or transmitted and DWP cannot enforce MFA, a risk assessment鈥痬ust鈥痓e conducted and documented to听determine听if alternative or compensating controls are听required.听

3.5 DWP鈥痬ust鈥痠mplement听appropriate physical听and environmental security controls to protect its premises, assets, and infrastructure, as mandated by the鈥�DWP Physical鈥疭ecurity Policy.听

3.6 DWP鈥痬ust鈥痠mplement Mobile Device Management (MDM) controls for all corporate mobile devices, aligned with the鈥�鈥�听

3.7 Information security requirements鈥痬ust鈥痓e integrated into all phases of the System Development Lifecycle (SDLC). All new systems鈥痬ust鈥痷ndergo security testing before deployment. A robust vulnerability management process鈥痬ust鈥痓e implemented to remediate vulnerabilities听in a timely manner, in compliance with the鈥�DWP Technical Vulnerability Management Policy. All new systems鈥痬ust鈥痷ndergo a formal assurance process to be defined by the DWP Security Assurance strategy before entering service, and all live systems鈥痬ust鈥痟ave documented Security Operating Procedures (SyOps).听

3.8 DWP鈥痬ust鈥痠mplement measures to protect data throughout its lifecycle; sensitive information鈥痬ust鈥痓e encrypted both at rest and in transit. DWP鈥痬ust鈥痷se approved cryptographic controls to protect the confidentiality, integrity, and authenticity of sensitive information,听in accordance with听the听DWP Information Management Policy, the鈥�DWP Use of Cryptography Security Standard,鈥痑nd the鈥�DWP Cryptographic Key Management Policy 鈥� DWP Intranet听

3.9 The development and use of Artificial Intelligence (AI) and Machine Learning (ML) systems鈥痬ust鈥痓e subject to a specific risk assessment and adhere to the principles of the鈥�DWP Artificial Intelligence Security Policy.听

4. Detect听

4.1 DWP鈥痬ust鈥痠mplement comprehensive security monitoring and logging capabilities across its IT environment, in line with the鈥�DWP Protective Monitoring Security Policy. Sufficient audit logs鈥痬ust鈥痓e generated, collected, protected, and securely stored from critical systems and reviewed for indicators of compromise.听

4.2 DWP鈥痬ust鈥痙eploy and听maintain听appropriate threat听detection technologies (for example, Security Information and Event Management (SIEM), Intrusion听Detection/Prevention Systems (ID/IPS), and Endpoint Detection and Response (EDR)) to听identify听and alert on potential security events in near real-time in alignment with the鈥�DWP Technical Vulnerability Management Policy.听

4.3 DWP鈥痬ust鈥痚stablish听and maintain processes for consuming relevant cyber threat intelligence to inform its security posture and detection capabilities.鈥�听

5. Respond听

5.1 DWP鈥痬ust鈥痚stablish, document, and听maintain听a formal, DWP-wide security incident management capability and plan, in compliance with the鈥�DWP Security Incident Management Standard (SS-014).听

5.2 The Security Incident Response Team (SIRT)听is responsible for听coordinating the response to security incidents. All actual or suspected security incidents鈥痬ust鈥痓e reported听immediately听via approved channels.听

5.3 A mandatory post-incident review process (鈥榣essons learned鈥�) must be conducted for security incidents; the priority and scale of this review must be proportionate to the incident鈥檚 impact, as defined in the DWP Security Incident Management Standard. The鈥�DWP Security Forensic Readiness Policy鈥痙etails the requirements for evidence preservation to support these reviews.听

5.4 The incident management plan鈥痬ust鈥痠nclude procedures for听timely听and听appropriate internal听and external communication during and after security incidents.听

6. Recover听

6.1 Information security requirements鈥痬ust鈥痓e integrated into DWP鈥檚 Business Continuity Management (BCM) framework and plans and鈥痬ust鈥痗omply with听the鈥�DWP Business Continuity, Readiness and Response (BCRR) Policy.听

6.2 DWP鈥痬ust听develop, document, and regularly test a strategic Disaster Recovery (DR) framework. This framework鈥痬ust鈥痓e supported by specific plans for different environments (for example,听on-premises听data centres, cloud services, and networks) and inform detailed operational recovery procedures that define the sequence and steps for restoring critical services.听

6.3 Security incident response, business continuity, and disaster recovery plans鈥痬ust鈥痓e regularly tested and exercised to听validate听their effectiveness.

Accountabilities and Responsibilities听

The DWP Chief Security Officer (CSO) is accountable owner of the DWP Information Security Policy and听is responsible for听its maintenance and review, through the DWP Deputy Director for Security Policy and Data Protection.听

Key roles include, but are not limited to:听

• Accounting Officer (AO):听Ultimately accountable听for security within DWP.听

• Chief Security Officer (CSO): Accountable owner of this policy; responsible for its implementation, maintenance, and review.听

• Senior Information Risk Owner (SIRO): Accountable for the department鈥檚 overall information risk strategy, the acceptance of significant residual risk, and providing assurance over the information risk management framework.听

• Information Asset Owners (IAOs) / Data Owners: Responsible for the听appropriate management听and protection of specific information assets, in line with DWP鈥檚 Data听Governance听Model听(often fulfilled by roles such as Data Owners, Data Stewards, or Data Custodians).听

• Head of Digital Security: Leads programmes to improve cyber security controls.听

• Line Managers: Responsible for ensuring their staff understand and听comply with听this policy.听

• All DWP听Users: Responsible for听complying with听this policy, reporting security incidents, and completing mandatory training.

Compliance听

a) This policy applies to all DWP听users听and relevant third parties (including but not limited to suppliers and contractors). All have security responsibilities and must be aware of, and听comply with, DWP鈥檚 security policies and standards.听

b) Many of DWP鈥檚 employees and contractors handle sensitive information daily and so need to be enacting听minimum听baseline behaviours appropriate to the sensitivity of the information. Most security incidents and breaches relate to information security. A security incident is defined as the attempted or actual unauthorised access, use, disclosure, modification,听loss听or destruction of an Authority asset in violation of security policy. This includes both deliberate and accidental events.听

c) Information security is important, and breaches can, in the most severe circumstances, result in dismissal for employees or termination of contract for suppliers,听in accordance with听the鈥�DWP Discipline Policy. All security incidents鈥痬ust鈥痓e reported听in accordance with听the鈥�DWP Security Incident Management Standard (SS-014). DWP users鈥痬ust鈥痷se the鈥�DWP Security Incident Referral Form听as their primary reporting mechanism.听

d) DWP鈥檚 Security and Data Protection Team will regularly assess for compliance with this policy and may need to inspect physical locations, technology systems,听design听and processes and speak to people to听facilitate听this. All DWP employees, agents, contractors, consultants, business听partners听and service providers will听be required听to听facilitate, support, and when necessary,听participate听in any such inspection.听

e) Failure to听comply with听this policy by DWP听users听may result in disciplinary action, up to and including dismissal,听in accordance with听DWP鈥檚鈥疍iscipline Procedures.听

f) If for any reason users are unable to听comply with听this policy or require use of technology which is outside its scope, they鈥痬ust鈥痙iscuss this with their line manager in the first instance and then the Security Advice Centre (SAC) who can provide advice on escalation/exception routes. An exception to policy may be requested in instances where a business case can be made to undertake an activity that is non-compliant with DWP鈥檚 Security Policies. This helps to reduce the risk of non-compliant activity and security incidents. If an individual is aware of an activity that falls into this category, they鈥痵hould鈥痭otify the security policy team听immediately.听

g) A鈥疭ecurity Policy Exception鈥痬ay be requested in instances where a business case can be made to undertake an activity that is non-compliant with DWP鈥檚 Security Policies. This helps to reduce the risk of non-compliant activity and security incidents. If an individual is aware of an activity that falls into this category, they鈥痵hould鈥痭otify the Security Policy and Standards Team听immediately.