1. Secure data handling principles

Core security principles

  • Principle 1: Security accountabilities are defined

  • Principle 2: Security is governed

  • Principle 3: Security is operated ethically

  • Principle 4: Security risks are identified

  • Principle 5: Security implementation is proportionate

  • Principle 6: Security is integrated

  • Principle 7: Staff are security aware

  • Principle 8: Security response is timely

Functional security principles

  • Security is based on policy

  • Security risks are identified and managed

  • Staff are educated and aware

  • Individuals are accountable for their use of information

  • Information assets are identified

  • Physical environments are secured and managed

  • Staff are security checked and vetted

  • Incidents are identified and managed

  • Security is integrated into the information systems lifecycle

  • Access to services and data is based on a need to know

  • Operational continuity is planned and tested

  • Technical services and infrastructure are secured

  • Business requirements for security are addressed


2. Secure information handling model

Several management layers support the secure handling of information, as follows:

  • governance – where policy and process support the interaction and decision-making related to information and how it is securely handled across ONS

  • ownership – where individuals or teams have accountability for the information they create or manage to ensure that it is handled securely

  • classification – where different levels of sensitivity of information are reflected in handling through marking, storage, access, processing and sharing

  • risk – where the threat to information within the operational environment provides input into handling instructions to reduce risk

  • registration – where information of importance to ONS is catalogued, registered as an asset and has defined metadata recorded against it including classification and access requirements

  • access – where information is made available to those who require it for their role through secure access and handling

  • monitoring – where the use of information across ONS is captured and checked to ensure it is being handled securely

Secure information handling principles

There are seven security principles related to how information is handled across ONS:

  • Principle 1: Information has an owner

  • Principle 2: Information is classified

  • Principle 3: Information use is risk assessed

  • Principle 4: Information access is controlled

  • Principle 5: Information exchange is controlled

  • Principle 6: Information access is monitored

  • Principle 7: Information is used lawfully

Each principle has a definition that sets out the goals that are desired, and implementation guidance that outlines the elements required to achieve those goals.

Principle 1: Information has an owner

All information created by ONS or obtained from external sources has a clearly identified owner who takes personal responsibility for its security, with the support of the Chief Security Officer, and determines how this information is handled within the organisation.

Goals

  • Information has an identified owner who owns, understands, directs management of and addresses risk to information.

  • ONS has clear governance for the management of information that ensures lines of responsibility and accountability are transparent and recorded.

  • Information is registered as an asset for appropriate governance.

  • A hierarchy of roles supports an information owner, allowing flexibility of oversight and delegation of information management activity.

Implementation guidance

  • An overall ONS information governance framework is required to provide policy and management for the ownership and use of information.

  • Business areas must appoint accountable senior members of staff; these appointments are recorded and published within ONS to aid business access to the information.

  • Owners of data must be trained and supported to ensure that they understand the content and use of the information they own.

  • Information ownership is reviewed each year to ensure that it is appropriate.

Principle 2: Information is classified

The data that ONS receive, store and process are not uniform. The content varies from very sensitive aggregated personally identifiable information to non-sensitive, anonymised and open source information. The secure handling of information is based on this classification and sensitivity.

Goals

  • All information is assessed to determine its classification.

  • Information assets are assessed by the owner to determine their level of sensitivity.

  • Information is marked to indicate its classification in accordance with government requirements.

  • Information is registered to ensure that appropriate management and the correct security handling is applied.

  • Security measures govern information handling through storage, access and processing, reflecting the classification and sensitivity of information.

Implementation guidance

  • Information classification and sensitivity methods are required with processes to support their use.

  • All information created within ONS or obtained from external sources must be classified and its sensitivity determined where this is a defined information asset.

  • An information asset register is required that records classification and sensitivity.

  • ONS-wide regular education is required that directs the appropriate handling of information based on its classification and sensitivity.

Principle 3: Information use is risk assessed

The information related to corporate and statistical work is varied and is managed through changing operational stages and activities, at which different staff, access arrangements and processing apply. The threat may change at each of these stages and should be assessed to determine the level of security risk to the information. This risk identification directs how information should be handled to reduce risk.

Goals

  • ONS has a defined and agreed information risk appetite.

  • Security threats and risks to the handling of information are identified within business processes and technical services.

  • Appropriate handling of information is based on risk that also incorporates the value of information through its classification and sensitivity.

Implementation guidance

  • Security threat and risk methods are required to enable objective and repeatable assessments with processes to support their use.

  • Information classification and sensitivity methods are required with processes to support their use.

  • ONS business stakeholders have mechanisms to determine and publish organisational risk appetite.

  • Risk mitigations are briefed to business stakeholders that then result in appropriate handling controls being developed, revised and implemented.

Principle 4: Information access is controlled

Access to information is controlled and reflects its handling requirements, its classification and sensitivity, and the needs of staff to perform their role. This enables information to be handled appropriately as it is moved and processed within the organisation through good physical, infrastructure, application and business process operations.

Goals

  • Information owners determine the access arrangements for information and monitor its access and appropriate handling, with the support of ONS business functions.

  • Process and technical mechanisms exist to manage information access and flow across ONS business services and systems including storage, processing and sharing.

  • Records exist to demonstrate access to information.

  • Information is safe, accurate and current and has not been deliberately or inadvertently modified from a previously approved version.

  • Information access is monitored throughout its lifecycle to ensure appropriate handling measures are maintained.

Implementation guidance

  • Information classification and sensitivity methods are required with processes to support their use.

  • All information created within ONS or obtained from external sources should be classified and its sensitivity determined.

  • An information asset register is required that records classification and sensitivity.

  • ONS-wide regular education is required that directs the appropriate handling of information based on its classification and sensitivity.

Principle 5: Information exchange is controlled

Information obtained from external data partners and shared with partners and citizens is protected during exchange preparation, transmission, and data loading and unloading activities, through “secure-by-design” and “private-by-design” technology and business processes.

Goals

  • Information for exchange is classified, has a sensitivity determination, is risk assessed and concerns are understood and authorised by the information owner.

  • Information for exchange has appropriate legal agreements or memoranda of understanding that specify how the information is handled.

  • Process and technical mechanisms exist to manage information exchange within and outside ONS, using tested and trusted mechanisms suitable for the classification and sensitivity of the information.

  • Information exchange systems and processes are highly secured and monitored to ensure effective and assured operation.

  • Publication of information is performed on a staged basis: content is independently checked and the release is authorised by the information owner as part of the publication process.

  • Information exchanged is safe, accurate and has not been deliberately or inadvertently modified during the exchange activity.

Implementation guidance

  • Information classification and sensitivity methods are required with processes to support their use.

  • Processes to negotiate data exchange agreements are operated.

  • Information exchange authorisation governance exists to provide accountability of information ownership and approvals.

  • Information exchange processes and technical infrastructure exist to package, transmit and acknowledge the secure delivery of information to data partners.

  • Information exchange processes and technical infrastructure exist to receive, scan, store and acknowledge the secure reception of information from data partners.

Principle 6: Information access is monitored

Information use that reflects secure handling is supported by business processes and services that effectively monitor for misuse and attack, so that successful and unsuccessful incidents are detected. As a result, incidents involving information will be identified quickly with the appropriate response actioned.

Goals

  • Business processes and supporting technology services that manage information generate adequate audit events to support effective identification of suspicious activity.

  • Audit events are analysed to identify potential compromises or inappropriate use of information.

  • Prompt and appropriate action is taken to address incidents identified from audit analysis.

Implementation guidance

  • Software tools and applications require an audit capability that can generate appropriate event information in a logging format.

  • A monitoring capability is required to process event logs and highlight incidents of importance that are impacting information.

  • A response capability is required to address highlighted incidents.

  • Mechanisms to evaluate information handling measures are required based on review of incidents that impact information.

Principle 7: Information is used lawfully

Information obtained, processed and shared by ONS is handled in accordance with prevailing laws and regulations relating to information.

Goals

  • Information is registered as an asset for appropriate treatment under the law.

  • Business and technology operations are designed in ways that demonstrate the handling of information is lawful.

  • Only staff with approved business need access and process information.

  • Information is deleted or put beyond use when it is no longer required.

  • Compliance activity determines the effectiveness of lawful information handling.

Implementation guidance

  • Information access processes are required to assess access requests and provide approvals.

  • An information asset register is required that records information that is subject to the law.

  • Information deletion governance and processes are designed and operated securely.

  • ONS-wide regular education is required that directs the appropriate handling of information that includes legal requirements.


3. Data processing security principles introduction

Office for National Statistics (ONS) is the executive office of the UK Statistics Authority. It is the UK’s National Statistical Institute and largest producer of official statistics. ONS produces statistics on a range of important economic, social and demographic topics. Official statistics are for the benefit of society and the economy generally and help Britain make better decisions. They allow the formulation of better public policy and the effective measurement of those policies; they inform the direction of economic and commercial activities; they provide valuable information for analysts, researchers, public and voluntary bodies; and they enable the public to hold to account all organisations that spend public money, thus informing democratic debate.

Advances in technology and statistical methods create enormous opportunities to exploit data for this public benefit. The Digital Economy Act provides the legal framework for ONS to increase its data sources from external organisations within government and the commercial sector. To support this data transformation, ONS provides a data service for colleagues that allows them to access all necessary support, data and technology services. As part of this, there is a single environment – the Data Access Platform (DAP) – to host data and analytical applications. This facilitates the processing and analysis of more data in richer and more complex forms, integrating administrative and commercial data sources supported by appropriate methods and standards.

Security of data has always been a priority for ONS. The concentration of data into a single platform requires a robust approach to security that is risk-based and is holistic in nature, covering people, process and technology. DAP security is based on two main security governance and management layers: a set of security principles to inform design and operation, which are then distilled into specific security controls within the platform. These controls are developed from appropriate recognised security standards and guidance from within government (Cabinet Office, National Cyber Security Centre (NCSC), Centre for Protection of National Infrastructure (CPNI)) and international standards and best practice (for example, the ISO 27001 information security management system, the international Information Security Forum (ISF) and the United States National Institute for Standards and Technology (NIST)).


4. ONS data sensitivity assessment

ONS is designed with a set of security requirements implemented based on the ONS security framework that incorporates and references appropriate recognised security standards and guidance from within government and international standards and best practice.

Each dataset that ONS receives, processes, generates and exports has a designated owner called the Information Asset Owner (IAO). They are the custodians of these data and are responsible for their management throughout their usage and life within ONS.

The data that ONS receive, store and process are not uniform. They vary from very sensitive (aggregated personal data, sensitive non-public company information and time-sensitive economic information) to non-sensitive (aggregated or anonymised information and open source data). To ensure that this sensitivity is understood by the IAO and the appropriate security protection is applied, an assessment is performed on each specific dataset received. This sensitivity assessment also extends to the further aggregation of multiple datasets for analysis.

The sensitivity model recognises that data have a “value” based on their content and provides a consistent and repeatable method to describe this content to enable its appropriate management.

The sensitivity assessment uses a set of descriptive criteria and characteristics to define the content of a dataset in sensitivity terms. Each descriptive criterion has a range of characteristics that represent sensitive to non-sensitive. Selecting the appropriate options to reflect the content of the dataset generates a simple high (red), medium (amber) or low (green) rating. The management and use of the dataset within DAP is then based on its rating.

Security control approaches within DAP are linked to the generated sensitivity assessment.

Green equals low sensitivity

This applies to open source, anonymised aggregated and non-disclosive data that can be shared across ONS for statistical research purposes. The supplier agreement typically associated with this allows full access by ONS employees with an approved business need. No national security vetting is required for access and the baseline DAP security control and monitoring applies.

Amber equals medium sensitivity

This applies to data that are commercially sensitive, market sensitive or contain attributes that could be used to identify sensitive information relating to individuals or groups of individuals. The supplier agreement typically associated with this allows for some access by ONS employees with an approved business need. A minimum national security vetting of Counter Terrorist Check is required for access and the baseline DAP security control and monitoring applies.

Red equals high sensitivity

This applies to data that contain significant aggregate information relating to individuals, groups or enterprises. The supplier agreement typically associated with this provides conditions for access by ONS employees with an approved business need. A minimum national security vetting of Security Check is required for access, and additional security measures and monitoring above the baseline DAP security control apply.

As each specific dataset is assessed, an overall data sensitivity matrix is generated as a guide to which datasets can be combined for statistical purposes within DAP. The assessment also applies to any new datasets created by merging multiple datasets. This matrix is actively managed, and the access conditions and restrictions inherited from supplier agreements are factored in.
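As an added illustration of the assessment model described in this section (example code, not ONS tooling): a small Python model that rates a dataset from the characteristics selected against each criterion, builds the pairwise sensitivity matrix, and decides whether a user's vetting, approved business need and the supplier conditions permit access to a combination of datasets. The three criteria and their characteristic scales, the "most sensitive characteristic sets the rating" rule, and the sample datasets and user are constructed assumptions; only the green/amber/red ratings and the vetting levels (none, Counter Terrorist Check, Security Check) come from the text.

```python
from dataclasses import dataclass
from enum import IntEnum
from itertools import combinations


class Rating(IntEnum):
    """Traffic-light sensitivity rating from the page; a higher value is more sensitive."""
    GREEN = 1   # low
    AMBER = 2   # medium
    RED = 3     # high


# Constructed descriptive criteria (assumption: the page does not list the real ones).
# Each characteristic on a criterion's scale maps to the rating it implies.
CRITERIA = {
    "identifiability": {
        "anonymised": Rating.GREEN,
        "indirect_identifiers": Rating.AMBER,
        "direct_identifiers": Rating.RED,
    },
    "commercial_impact": {
        "public": Rating.GREEN,
        "commercially_sensitive": Rating.AMBER,
        "market_moving": Rating.RED,
    },
    "disclosiveness": {
        "non_disclosive": Rating.GREEN,
        "small_cell_counts": Rating.AMBER,
        "unit_level_records": Rating.RED,
    },
}

# Vetting requirement per rating as stated on the page, ordered so that a
# higher clearance satisfies a lower requirement.
VETTING_LEVEL = {"none": 0, "CTC": 1, "SC": 2}
REQUIRED_VETTING = {Rating.GREEN: "none", Rating.AMBER: "CTC", Rating.RED: "SC"}


@dataclass(frozen=True)
class Dataset:
    name: str
    characteristics: tuple                            # ((criterion, chosen characteristic), ...)
    supplier_allowed_roles: frozenset = frozenset()   # empty = any approved business need


@dataclass(frozen=True)
class User:
    name: str
    vetting: str
    roles: frozenset
    approved_business_need: bool


def assess(ds):
    """Rate one dataset: the most sensitive selected characteristic sets the rating (assumed rule)."""
    ratings = []
    for criterion, chosen in ds.characteristics:
        scale = CRITERIA[criterion]
        if chosen not in scale:
            raise ValueError(f"{ds.name}: unknown characteristic {chosen!r} for {criterion}")
        ratings.append(scale[chosen])
    if len(ratings) != len(CRITERIA):
        raise ValueError(f"{ds.name}: every criterion must be assessed")
    return max(ratings)


def combined_rating(datasets):
    """A merge of datasets is at least as sensitive as its most sensitive input."""
    return max(assess(d) for d in datasets)


def sensitivity_matrix(datasets):
    """Pairwise guide to which datasets may be combined, keyed by the sorted name pair."""
    return {tuple(sorted((a.name, b.name))): combined_rating([a, b])
            for a, b in combinations(datasets, 2)}


def access_decision(user, datasets):
    """Return (allowed, reasons) for a user working with one or more datasets together."""
    reasons = []
    if not user.approved_business_need:
        reasons.append("no approved business need")
    rating = combined_rating(datasets)
    needed = REQUIRED_VETTING[rating]
    if VETTING_LEVEL.get(user.vetting, -1) < VETTING_LEVEL[needed]:
        reasons.append(f"{rating.name} data requires {needed} vetting; user holds {user.vetting}")
    # Supplier conditions are inherited by any merge: every source's restriction still applies.
    for d in datasets:
        if d.supplier_allowed_roles and not (user.roles & d.supplier_allowed_roles):
            reasons.append(f"supplier agreement for {d.name} limits access to roles "
                           f"{sorted(d.supplier_allowed_roles)}")
    return (not reasons, reasons)


# Constructed sample datasets and user (assumption, not real ONS holdings).
CENSUS_EXTRACT = Dataset("census_extract", (
    ("identifiability", "direct_identifiers"), ("commercial_impact", "public"),
    ("disclosiveness", "unit_level_records")))
VAT_RETURNS = Dataset("vat_returns", (
    ("identifiability", "anonymised"), ("commercial_impact", "commercially_sensitive"),
    ("disclosiveness", "small_cell_counts")), frozenset({"business_stats"}))
OPEN_GEOGRAPHY = Dataset("open_geography", (
    ("identifiability", "anonymised"), ("commercial_impact", "public"),
    ("disclosiveness", "non_disclosive")))
ANALYST = User("analyst", "CTC", frozenset({"business_stats"}), True)

if __name__ == "__main__":
    for ds in (CENSUS_EXTRACT, VAT_RETURNS, OPEN_GEOGRAPHY):
        print(ds.name, assess(ds).name)
    print(sensitivity_matrix([CENSUS_EXTRACT, VAT_RETURNS, OPEN_GEOGRAPHY]))
    print(access_decision(ANALYST, [VAT_RETURNS, CENSUS_EXTRACT]))
```

The point the model makes concrete is the last paragraph of the section: merging datasets never lowers the rating, and supplier restrictions travel with the data, so a user cleared for one input may still be refused the merge.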


5. Data processing security principles

As part of the data service that Office for National Statistics (ONS) provides, there are seven security principles that support its design, operation and revision. These principles are:

  • Principle 1: Security governance

  • Principle 2: Risk assessed

  • Principle 3: Technically secured by design

  • Principle 4: Access controlled

  • Principle 5: Activity is monitored

  • Principle 6: Information import and export is controlled

  • Principle 7: Audited and assured

Each principle has a definition, the goal that is desired and implementation guidance to outline those elements that are required to achieve the goal.

Principle 1: Security governance

All infrastructure, operations and data processed within DAP have a set of supporting policies and processes that govern security operations and data management. This governance is aligned to organisational risk appetite and government security requirements.

Goals

  • Data within DAP have an identified owner who owns, understands, directs management of and addresses risk to information.

  • Clear security policies, processes and support procedures enable the secure operation and management of infrastructure and information within DAP that ensures lines of responsibility and accountability are transparent and recorded.

  • Information stored within DAP is assessed and registered as an asset for appropriate governance.

Implementation guidance

  • The ONS information governance framework applies to DAP to provide policy and management for the ownership and use of information.

  • Business areas must appoint accountable senior members of staff for DAP operations and information.

  • Owners of data must be trained and supported to ensure that they understand the content and use of the information they own and have authorised access.

Principle 2: Risk assessed

The information stored and processed within DAP is varied and is managed through changing operational stages and activities, at which different staff, access arrangements and processing apply. The threat also changes at each of these stages and should be assessed to determine levels of security risk to information. This risk identification directs the application of security controls to reduce risk.

Goals

  • The DAP risk approach aligns to the defined and agreed information risk appetite.

  • Security threats and risks to DAP and the data within it are identified within business processes and technical services.

  • Appropriate handling of information within DAP is based on risk that also incorporates the value of information through its classification and sensitivity.

Implementation guidance

  • Security threat and risk methods are required to enable objective and repeatable assessments with processes to support their use.

  • Information classification and sensitivity methods are required with processes to support their use.

  • DAP business stakeholders have mechanisms to incorporate organisational risk appetite into their operations.

  • Risk mitigations are briefed to business stakeholders, which then result in the appropriate application of security control measures.

Principle 3: Technically secured by design

The design and implementation of DAP is based on government and industry best practice, which follows a security by design approach. This blends system and security development activity within the development lifecycle for risk-based security control selection. These controls reflect government security standards and prevailing guidelines where appropriate, such as issued for bulk data and cloud services.

Goals

  • Technical and security practitioners understand business goals for DAP operations and information processing from an end-to-end perspective.

  • Security advice to support business and operational services is embedded within business development mechanisms, so that security requirements are developed alongside business requirements and controls are based on business need and risk.

  • Security defence in depth is applied across DAP technical designs and operations through multiple layers of security control.

  • Technical segmentation and operational segregation are implemented for business operations and technical management.

  • Security applications, tools and technologies are tried, tested and fully supported by vendors.

  • Business and system applications, components and tools have a defined need and are implemented with hardened builds to reduce attack surfaces.

  • Least privilege, combined with appropriate anonymisation, tokenisation, encryption or removal techniques, is employed to protect information at rest and information obtainable by business and technical users.

  • Designs account for ongoing assurance requirements that demonstrate the operational state and effectiveness of DAP security controls.

Implementation guidance

  • A risk assessment method is established and implemented that aligns and embeds within agile development.

  • Security engagement mechanisms exist that enable informed discussion with business stakeholders.

  • Organisational security baselines, government and industry security standards and guidance are available to enable input into design choices for security recommendation and business stakeholder selection.

  • Information classification and sensitivity methods are required with processes to support their use within DAP.

  • Security tools assessment and selection processes are established in accordance with commercial processes.

Principle 4: Access controlled

User access to DAP and the information within it is controlled and reflects its handling requirements, classification, sensitivity and the needs of staff to perform their role. Access is only granted to IT and business users who have valid business reasons, and the “need to know” based on role and privilege requirements.

Goals

  • DAP system owners determine the access arrangements for DAP IT support staff to enable administration and management of the platform, with the support of Security.

  • Information owners determine the access arrangements for business users to information stored within DAP and regularly review this access with the support of DaaS and Security.

  • All staff who access DAP accept conditions of access as specified within Security Operating Procedures.

  • Process and technical mechanisms exist to add, manage and remove access to DAP, the information and its business services and systems including storage, processing and sharing.

  • Access to DAP services and information is logged and analysed to provide for monitoring and alerting of unauthorised access.

  • DAP access processes and control mechanisms are regularly assessed to determine their security effectiveness.

Implementation guidance

  • Business and technical processes are required to manage, apply and remove access requests.

  • Access privileges and control mechanisms are required to align to the outcomes of information classification and sensitivity assessments including those provided through defined user roles.

  • The capture of appropriate events related to access is required to record, log and monitor user activity.

  • Regular education is required that highlights the appropriate use of DAP and the information within it, based on its classification and sensitivity.

Principle 5: Activity is monitored

The use of DAP by business and technical users and the information within it is monitored for misuse and attack so that successful and unsuccessful incidents are detected. As a result, incidents involving information will be identified quickly with the appropriate response actioned.

Goals

  • Business processes and supporting technology services that manage DAP and its information generate adequate audit events to support effective identification of suspicious activity.

  • Audit events are analysed to identify potential compromises or inappropriate use of information.

  • Prompt and appropriate action is taken to address incidents identified from audit analysis.

Implementation guidance

  • Software tools and applications require an audit capability that can generate appropriate event information in a logging format.

  • A monitoring capability is required to process event logs and highlight incidents of importance that are impacting information.

  • A response capability is required to address highlighted incidents.

  • Mechanisms to evaluate information handling measures are required based on review of incidents that impact information.
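Principle 6 of the secure information handling model (information access is monitored) and Principle 5 here both call for an audit capability that emits events in a logging format and a monitoring capability that processes those logs and highlights incidents. The following is an added example of the analysis half, not ONS or DAP code: it parses constructed JSON-lines audit events and raises alerts for a burst of denied access attempts, a successful access to data rated above the user's vetting (a control failure that warrants review), an export with no recorded authorisation, and unparseable lines that leave a gap in the audit trail. The event schema, field names and thresholds are assumptions; the rating and vetting labels are those used earlier on the page.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Vetting requirement per rating as stated on the page (assumption: the same
# labels appear in the audit events).
VETTING_LEVEL = {"none": 0, "CTC": 1, "SC": 2}
REQUIRED_VETTING = {"GREEN": "none", "AMBER": "CTC", "RED": "SC"}

# Detection thresholds (assumption; tune to the environment).
DENIED_THRESHOLD = 3
DENIED_WINDOW = timedelta(minutes=10)

# Constructed audit events, one JSON object per line; the last line is deliberately malformed.
SAMPLE_LOG = """\
{"ts": "2019-01-14T09:01:02Z", "event": "access", "outcome": "success", "user": "u1", "dataset": "open_geography", "rating": "GREEN", "vetting": "none"}
{"ts": "2019-01-14T09:05:10Z", "event": "access", "outcome": "denied", "user": "u2", "dataset": "census_extract", "rating": "RED", "vetting": "CTC"}
{"ts": "2019-01-14T09:05:15Z", "event": "access", "outcome": "denied", "user": "u2", "dataset": "census_extract", "rating": "RED", "vetting": "CTC"}
{"ts": "2019-01-14T09:05:21Z", "event": "access", "outcome": "denied", "user": "u2", "dataset": "vat_returns", "rating": "AMBER", "vetting": "CTC"}
{"ts": "2019-01-14T09:07:00Z", "event": "access", "outcome": "success", "user": "u3", "dataset": "census_extract", "rating": "RED", "vetting": "CTC"}
{"ts": "2019-01-14T09:30:00Z", "event": "export", "outcome": "success", "user": "u1", "dataset": "vat_returns", "rating": "AMBER", "vetting": "SC", "authorised_by": ""}
{"ts": "2019-01-14T09:31:00Z", "event": "export", "outcome": "success", "user": "u1", "dataset": "open_geography", "rating": "GREEN", "vetting": "SC", "authorised_by": "iao-42"}
this line is not valid JSON
"""


def parse_events(text):
    """Parse JSON-lines audit events; return (events sorted by time, count of malformed lines)."""
    events, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            malformed += 1
    events.sort(key=lambda e: e["ts"])
    return events, malformed


def analyse(events, malformed=0):
    """Run the detection rules over time-ordered events and return a list of alerts."""
    alerts = []
    denied = defaultdict(deque)      # user -> timestamps of recent denied accesses
    for ev in events:
        kind, outcome, user = ev.get("event"), ev.get("outcome"), ev.get("user")
        if kind == "access" and outcome == "denied":
            window = denied[user]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > DENIED_WINDOW:
                window.popleft()
            if len(window) >= DENIED_THRESHOLD:
                alerts.append({"kind": "DENIED_BURST", "user": user, "ts": ev["ts"],
                               "detail": f"{len(window)} denied accesses within {DENIED_WINDOW}"})
                window.clear()
        elif kind == "access" and outcome == "success":
            needed = REQUIRED_VETTING.get(ev.get("rating"))
            if needed and VETTING_LEVEL.get(ev.get("vetting"), -1) < VETTING_LEVEL[needed]:
                alerts.append({"kind": "VETTING_MISMATCH", "user": user, "ts": ev["ts"],
                               "detail": f"{ev.get('dataset')} is rated {ev.get('rating')} "
                                         f"but user vetting is {ev.get('vetting')}"})
        elif kind == "export" and outcome == "success" and not ev.get("authorised_by"):
            alerts.append({"kind": "UNAUTHORISED_EXPORT", "user": user, "ts": ev["ts"],
                           "detail": f"export of {ev.get('dataset')} has no recorded authorisation"})
    if malformed:
        alerts.append({"kind": "LOG_INTEGRITY", "user": None, "ts": None,
                       "detail": f"{malformed} audit line(s) could not be parsed"})
    return alerts


def run_sample():
    """Parse and analyse the constructed sample log."""
    events, malformed = parse_events(SAMPLE_LOG)
    return analyse(events, malformed)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["kind"], alert["user"], alert["detail"])
```

Each alert carries the user and timestamp so the response capability in the guidance has something to act on, and malformed lines are surfaced rather than silently dropped, since an audit trail with gaps cannot demonstrate that access was appropriate.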

Principle 6: Information import and export is controlled

Information transferred into DAP and exported from it is assessed and then tightly controlled to ensure its protection through transmission, data loading and unloading activities, exchange preparation and export. Single conceptual routes for import and export exist, and full authorisation and checking are required for both.

Goals

  • Information for import into DAP has the necessary authorisations and a designated information owner.

  • Information for import is classified, has a sensitivity determination, is risk assessed and security concerns are understood and authorised by the information owner.

  • Information for import is checked for malicious content prior to ingest into DAP.

  • Imported source files are archived in their submitted format.

  • Information for import or export has appropriate legal agreements or memorandum of understanding that specify how the information is to be secured.

  • Process and technical mechanisms exist to manage information import or export within DAP using tested and trusted mechanisms suitable for the classification and sensitivity of the information.

  • Information import and export mechanisms and processes are highly secured and monitored to ensure effective and assured operation.

  • Information for export has its content checked and the release is authorised by the information owner as part of the export process.

  • Information exported is safe, accurate and has not been deliberately or inadvertently modified during the export process.

Implementation guidance

  • Information classification and sensitivity methods are required with processes to support their use for information import and export.

  • Processes to negotiate data agreements for exchange of data in DAP are operated.

  • Import and export authorisation governance exists to provide accountability of information ownership and approvals.

  • DAP import processes and technical infrastructure exist to receive, scan, store and acknowledge the secure reception of information from data partners.

  • DAP export processes and technical infrastructure exist to package, transmit and acknowledge the secure delivery of information to external sources and data partners.
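The import and export guidance above (receive, scan, store and acknowledge; package, transmit and acknowledge; content checked and release authorised by the owner) as an added worked example in Python, not DAP's own code. It assumes an in-memory archive, a demo HMAC key shared with the data partner for signing acknowledgements and export manifests, and CSV submissions; the content check shown is one defensive check (text-only content with no spreadsheet-formula cells), not a substitute for a full malware scan.

```python
import csv
import hashlib
import hmac
import io
import json
from datetime import datetime, timezone

# Assumptions for the example: an in-memory archive and a demo HMAC key shared
# with the data partner so acknowledgements and export manifests can be verified.
ARCHIVE = {}                       # sha256 -> (filename, bytes exactly as submitted, received_at)
SIGNING_KEY = b"constructed-demo-key-not-for-real-use"
FORMULA_PREFIXES = ("=", "+", "-", "@")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sign(record):
    """HMAC over the canonical JSON of a record, excluding any existing signature field."""
    body = {k: v for k, v in record.items() if k != "signature"}
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def verify_signed(record):
    return hmac.compare_digest(sign(record), record.get("signature", ""))


def scan_csv(data):
    """Content checks for a submission declared as CSV: UTF-8 text without NUL bytes,
    and no cell that a spreadsheet would interpret as a formula."""
    findings = []
    if b"\x00" in data:
        findings.append("NUL bytes present in a file declared as CSV")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return findings + ["not valid UTF-8"]
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), 1):
        for col_no, cell in enumerate(row, 1):
            stripped = cell.strip()
            if not stripped.startswith(FORMULA_PREFIXES):
                continue
            try:
                float(stripped)          # "-3" is a number, not a formula
                continue
            except ValueError:
                findings.append(f"row {row_no} col {col_no}: formula-like cell {stripped[:30]!r}")
    return findings


def receive(filename, data, declared_sha256, received_at=None):
    """Import: verify the declared hash, scan, archive as submitted, return a signed acknowledgement."""
    digest = sha256_hex(data)
    if not hmac.compare_digest(digest, declared_sha256):
        return {"accepted": False, "reason": "hash mismatch"}
    findings = scan_csv(data)
    if findings:
        return {"accepted": False, "reason": "content check failed", "findings": findings}
    received_at = received_at or datetime.now(timezone.utc).isoformat()
    ARCHIVE[digest] = (filename, data, received_at)
    ack = {"filename": filename, "sha256": digest, "received_at": received_at}
    ack["signature"] = sign(ack)
    return {"accepted": True, "ack": ack}


def package_export(filename, data, authorised_by):
    """Export: refuse without owner authorisation; otherwise attach a signed manifest."""
    if not authorised_by:
        return {"accepted": False, "reason": "export requires information owner authorisation"}
    manifest = {"filename": filename, "sha256": sha256_hex(data), "authorised_by": authorised_by}
    manifest["signature"] = sign(manifest)
    return {"accepted": True, "manifest": manifest, "data": data}


def verify_export(manifest, data):
    """Recipient side: manifest signature intact and payload hash matches the manifest."""
    return verify_signed(manifest) and hmac.compare_digest(manifest["sha256"], sha256_hex(data))


# Constructed sample submissions (assumption).
GOOD_CSV = b"area,count\nE01,12\nE02,-3\n"
BAD_CSV = b"area,count\nE01,=SUM(A1:A9)\nE02,7\n"

if __name__ == "__main__":
    print(receive("returns.csv", GOOD_CSV, sha256_hex(GOOD_CSV)))
    print(receive("bad.csv", BAD_CSV, sha256_hex(BAD_CSV)))
    out = package_export("out.csv", GOOD_CSV, "iao-42")
    print(verify_export(out["manifest"], out["data"]))
```

Archiving the bytes exactly as submitted, keyed by their hash, is what makes the "archived in their submitted format" goal checkable later; the signed acknowledgement gives the partner evidence of what was received, and the export manifest lets the recipient detect both payload tampering and an altered authorisation record.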

Principle 7: Audited and assured

DAP governance and security controls are assessed to determine their effective operation. Audits of security control application through business and technical processes are performed to assess the level of compliance and security outcomes achieved. Outcomes from audits are reported to internal and external stakeholders.

Goals

  • Implemented technical and business security controls are assessed to determine their operation and the security outcomes expected.

  • Risk-based approaches provide focus for audits that reflect areas of greatest risk and organisational risk appetite.

  • The effectiveness of the DAP security control environment is demonstrated to internal and external stakeholders.

  • Security control and process improvement is a regular and ongoing activity that supports ONS internal audit and legal compliance functions.

Implementation guidance

  • A security function exists to develop and implement an audit programme that covers the DAP security environment and end-to-end business activity.

  • Audit and assurance requirements are inputs into DAP design and development processes.

  • Mechanisms to report the effectiveness of the DAP security environment are established to provide external stakeholders with appropriate risk and status information.

Security principles as of January 2019.

For further details please contact data.architecture@ons.gov.uk
