Guidance

DWP procurement: security policies and standards

These apply to DWP suppliers and contractors where explicitly stated in the security schedule of the contract.

From:
Department for Work and Pensions
Published
9 April 2018
Last updated
28 April 2022 — See all updates

Documents

Acceptable Use policy

PDF, 220 KB, 9 pages

Request an accessible format of this document

Information Management policy

https://www.gov.uk/government/publications/dwp-information-management-policies/dwp-information-management-policy

Information Security policy

PDF, 236 KB, 8 pages

Request an accessible format of this document

Personnel Security policy

PDF, 171 KB, 5 pages

Request an accessible format of this document

Physical Security policy

PDF, 393 KB, 3 pages

Request an accessible format of this document

Cryptographic Key Management policy

PDF, 542 KB, 5 pages

Request an accessible format of this document

Email policy

PDF, 147 KB, 5 pages

Request an accessible format of this document

Forensic Readiness policy

PDF, 422 KB, 4 pages

Request an accessible format of this document

Microsoft Teams Recording and Transcription Policy

PDF, 396 KB, 3 pages

Request an accessible format of this document

Privileged Users Security policy

PDF, 472 KB, 3 pages

Request an accessible format of this document

Remote Working Security policy

PDF, 423 KB, 3 pages

Request an accessible format of this document

Security Classification policy

PDF, 406 KB, 3 pages

Request an accessible format of this document

SMS Text policy

PDF, 402 KB, 3 pages

Request an accessible format of this document

Social Media policy

PDF, 401 KB, 4 pages

Request an accessible format of this document

Technical Vulnerability Management policy

PDF, 405 KB, 5 pages

Request an accessible format of this document

User Access Control policy

PDF, 403 KB, 4 pages

Request an accessible format of this document

Placeholder: Common Standards for Identity Verification and Authentication (CSIVA) of DWP customers

PDF, 57.4 KB, 1 page

Request an accessible format of this document

Security standard SS-001 (part 1): Access and Authentication Controls

PDF, 627 KB, 15 pages

Request an accessible format of this document

Security standard SS-001 (part 2): Privileged User Access Controls

PDF, 589 KB, 10 pages

Request an accessible format of this document

Security standard SS-002: Public Key Infrastructure & Key Management

PDF, 623 KB, 9 pages

Request an accessible format of this document

Security standard SS-003: Software Development

PDF, 1.48 MB, 21 pages

Request an accessible format of this document

Security standard SS-005: Database Management System

PDF, 634 KB, 11 pages

Request an accessible format of this document

Security standard SS-006: Security Boundaries

PDF, 650 KB, 10 pages

Request an accessible format of this document

Security standard SS-007: Use of Cryptography

PDF, 857 KB, 12 pages

Request an accessible format of this document

Security standard SS-008: Server Operating System

PDF, 605 KB, 11 pages

Request an accessible format of this document

Security standard SS-009: Hypervisor

PDF, 548 KB, 9 pages

Request an accessible format of this document

Security standard SS-010: Desktop Operating System

PDF, 609 KB, 11 pages

Request an accessible format of this document

Security standard SS-011: Containerisation

PDF, 520 KB, 9 pages

Request an accessible format of this document

Security standard SS-012: Protective Monitoring Standard

PDF, 567 KB, 10 pages

Request an accessible format of this document

Security standard SS-013: Firewall Security

PDF, 788 KB, 15 pages

Request an accessible format of this document

Security standard SS-014: Security Incident Management

PDF, 629 KB, 10 pages

Request an accessible format of this document

Form: Security incident response team referral (for Security standard SS-014: Security Incident Management)

ODT, 73.2 KB

This file is in an OpenDocument format

Request an accessible format of this document

Security standard SS-015: Malware Protection

PDF, 682 KB, 15 pages

Request an accessible format of this document

Security standard SS-016: Remote Access

PDF, 625 KB, 7 pages

Request an accessible format of this document

Security standard SS-017: Mobile Device

PDF, 639 KB, 8 pages

Request an accessible format of this document

Security standard SS-018: Network Security Design

PDF, 1.44 MB, 28 pages

Request an accessible format of this document

Security standard SS-019: Wireless Network

PDF, 677 KB, 12 pages

Request an accessible format of this document

Security standard SS-022: Voice & Video Communications

PDF, 630 KB, 13 pages

Request an accessible format of this document

Security standard SS-023: Cloud Computing

PDF, 1.59 MB, 28 pages

Request an accessible format of this document

Security standard SS-025: Virtualisation

PDF, 559 KB, 9 pages

Request an accessible format of this document

Security standard SS-027: Application Security Testing

PDF, 793 KB, 15 pages

Request an accessible format of this document

Security standard SS-028: Microservices Architecture

PDF, 512 KB, 10 pages

Request an accessible format of this document

Security standard SS-029: Securely Serving Web Content

PDF, 765 KB, 13 pages

Request an accessible format of this document

Security Standard SS-030: Oracle Database Security

PDF, 1.61 MB, 26 pages

Request an accessible format of this document

Security Standard SS-031: Domain Management

PDF, 314 KB, 9 pages

Request an accessible format of this document

Security Standard SS-033: Security Patching

PDF, 639 KB, 11 pages

Request an accessible format of this document

Details

The Common Standards for Identity Verification and Authentication (CSIVA) of DWP customers is under review. You should refer to Good Practice Guides 45 and 44 instead.

Note, the Department for Work and Pensions (DWP) is unable to reply to general enquiries or questions about these security standards and policies.

These security standards and policies apply to DWP suppliers and contractors only. They do not apply to other government departments, their agencies or arm’s length bodies.

They have been published to help inform DWP Invitations to Tender and other contracting processes.

DWP may choose in an Invitation to Tender or the bid process to reference the standards and policies published here. Questions about a specific standard or policy should be sent to the DWP team managing responses to bids. This team is the only DWP authorised responder on any question about a bid and a standard or policy.

A new or changed policy or standard does not mean a new requirement for any existing contract. DWP will notify contract holders or partners of any changes to a contract.

Suppliers and contractors should contact their DWP contract managers with any questions about:

  • varying contracts
  • changing the agreed delivery of contracted services
  • the applicability of a standard or policy for their contracts
Published 9 April 2018
Last updated 28 April 2022 + show all updates

  1. Revised version of DWP Acceptable Use Policy (new version is labelled version 3).

  2. Revised version of DWP Personnel Security Policy (new version is labelled version 2).

  3. Revised version of Security Standard SS-031: Domain Management (new version is labelled version 1.2 and dated December 2021).

  4. Added the DWP policy for Microsoft Teams Recording and Transcription. This is for DWP suppliers and contractors only.

  5. Revised version of Social Media policy (new version is labelled version 2).

  6. Added Personnel Security policy for DWP suppliers and contractors.

  7. Revised version of Security Standard SS-033: Security Patching (new version is labelled version 1.3 and dated January 2021).

  8. Revised version of Security Standard SS-033: Security Patching (now labelled version 1.2).

  9. Revised version of Security standard SS-016: Remote Access (now labelled version 1.2). Typo correction in entry 10.3.2, from ‘Authority’ to ‘Contractor’.

  10. Published revised version of Security incident response team referral form for Security standard SS-014. The revised form is dated 3 June 2020.

  11. Added the following 10 DWP policies: Cryptographic Key Management Policy, Email Policy, Forensic Readiness Policy, Privileged Users Security Policy, Remote Working Security Policy, Security Classification Policy, SMS Text Policy, Social Media Policy, Technical Vulnerability Management Policy and User Access Control Policy.

  12. Published updated versions of the DWP security standards. All are now dated March 2020, except standard SS-014 which is dated 4/3/2020. These have been revised to reflect changes in DWP processes, laws, and national and international security standards and practices.

  13. Added DWP Security Standard SS-033: Security Patching.

  14. Removed the Common Standards for Identity Verification and Authentication (CSIVA) of DWP customers document. This document is currently under review.

  15. Revised versions of the Acceptable Use (version 2.5) and Physical Security (version 2) policies.

  16. Revised versions of 'Security Standard - Firewall Security (SS-013)' and 'Security Standard - Network Security Design (SS-018)'. Both are now dated 9 April 2019.

  17. Added 'Common Standards for Identity Verification and Authentication (CSIVA) of DWP customers' (version 1.7).

  18. Published revised version of Security standard SS-003: Software Development (now version 1.1, dated 07/10/2018).

  19. Published revised versions of Acceptable Use (version 2.5), Information Security (version 1) and Physical Security (version 1) policies.

  20. Added 'Security standard SS-012: Protective Monitoring Standard'.

  21. Added 'Security standard SS-001 (part 2): Privileged User Access Controls'.

  22. First published.