Infosec Standard No.1

HMG Information Assurance Standard No.1, usually abbreviated to IS1, was a security standard applied to government computer systems in the UK. The standard was used to assess – and suggest responses to – technical risks to the confidentiality, integrity and availability of government information. The modelling technique used in the standard was an adaptation of Domain Based Security. In confidentiality terms, IS1 did not apply to information which was not protectively marked, but it may still have been used to assess risks to the integrity and availability of such information.

The UK Cabinet Office Security Policy Framework requires that all ICT systems that manage government information, or that are interconnected to such systems, are assessed to identify technical risks. IS1 was the standard method for doing this and was mandated by previous versions of the Security Policy Framework, but other methods may now be used. The results of an IS1 assessment, and the responses to risks, were recorded using HMG Information Assurance Standard No.2, usually abbreviated to IS2, which concerned risk management and was relevant to the accreditation of government computer systems. CESG provided IS1 risk assessment tools.


Example

An HMG IS2 Full Accreditation Statement was posted publicly. It was based on an HMG IS1 ITSHC (IT Security Health Check) carried out by Deloitte, and on the subsequent remediation by Recipero of the interface between Recipero's NMPR and the UK government's PNC, which are systems used to track mobile devices for law enforcement purposes. A public HMG IS2 Full Accreditation Statement based on an actual ITSHC (by Deloitte in this case) puts the auditor's reputation on the line in a way that a confidential statement does not.


See also

* Cyber Essentials
* Information assurance
* Joint Services Publication 440
* Infosec Standard 5

