HMG Infosec Standard No.1
HMG Information Assurance Standard No.1, usually abbreviated to IS1, was a security standard applied to government computer systems in the UK.
The standard was used to assess – and suggest responses to – technical risks to the confidentiality, integrity and availability of government information.
{{cite web
|url = http://www.cesg.gov.uk/publications/Documents/is1_risk_assessment.pdf
|title = HMG IA Standard No. 1 Technical Risk Assessment Issue 3.51
|date = October 2009
|accessdate = 2014-08-15
|url-status = dead
|archiveurl = https://web.archive.org/web/20120526213309/http://www.cesg.gov.uk/publications/Documents/is1_risk_assessment.pdf
|archivedate = 2012-05-26
}}
The modelling technique used in the standard was an adaptation of Domain Based Security.
In confidentiality terms, IS1 did not apply to information which was not protectively marked, but it may still have been used to assess risks to the integrity and availability of such information.
{{cite web
|url = http://www.cabinetoffice.gov.uk/media/252544/assurance_v2.pdf
|archive-url = https://web.archive.org/web/20091111151311/http://www.cabinetoffice.gov.uk/media/252544/assurance_v2.pdf
|url-status = dead
|archive-date = 2009-11-11
|title = e-Government Strategy Framework Policy and Guidelines
|accessdate = 2010-10-24
|date = 2009-08-24
}}
The UK Cabinet Office Security Policy Framework requires that all ICT systems that manage government information, or that are interconnected with such systems, be assessed to identify technical risks. IS1 was the standard method for doing this and was mandated by previous versions of the Security Policy Framework, but other methods may now be used.{{cite web|url=https://www.gov.uk/government/publications/security-policy-framework
|title=HMG Security Policy Framework
|accessdate= 28 August 2014
|date= April 2014
|publisher=Cabinet Office
}}
The results of an IS1 assessment, and the responses to risks, were recorded using HMG Information Assurance Standard No.2, usually abbreviated to IS2, which concerned risk management and was relevant to the accreditation of government computer systems.
{{cite web
|url=http://www.platinumsquared.co.uk/IAStandardsPages/IS1part1.aspx
|accessdate=14 August 2011
|title=IS1 Part 1
|publisher=Platinum Squared
|archive-url=https://web.archive.org/web/20120314052310/http://www.platinumsquared.co.uk/IAStandardsPages/IS1part1.aspx
|archive-date=14 March 2012
|url-status=dead
|df=dmy-all
}}
CESG provided IS1 risk assessment tools.{{cite web
|url = http://govcertuk.cesg.gov.uk/policy_technologies/policy/risk-tool.shtml
|accessdate = 14 August 2011
|date = July 2010
|publisher = CESG
|title = IS1 Risk Assessment Tools
|url-status = dead
|archiveurl = https://archive.today/20121223154528/http://govcertuk.cesg.gov.uk/policy_technologies/policy/risk-tool.shtml
|archivedate = 23 December 2012
}}
Example
An HMG IS2 Full Accreditation Statement was posted publicly. It was based on an HMG IS1 ITSHC (IT Security Health Check) by Deloitte and subsequent remediation by Recipero of its interface between Recipero's NMPR and the UK government's PNC, which are systems used to track mobile devices for law enforcement purposes.{{cite web|title=Accreditation Statement|url=https://caringaboutsecurity.files.wordpress.com/2010/03/avpageview-05042011-100856-bmp.jpg}} A public HMG IS2 Full Accreditation Statement based on an actual ITSHC (by Deloitte in this case) puts the auditor's reputation on the line in a way that a confidential statement does not.
References
{{reflist}}