
Context Establishment

The Police Service of Northern Ireland (PSNI) is the law enforcement agency responsible for policing in Northern Ireland. It was established in 2001 as part of the implementation of the Good Friday Agreement, replacing the Royal Ulster Constabulary (RUC). The PSNI has about 6,700 police officers and 2,600 police staff, who serve a population of about 1.9 million people. The PSNI's vision is to help build a safe, confident and peaceful Northern Ireland, and its mission is to prevent crime, detect offenders and protect the most vulnerable in society. The PSNI operates under the oversight of the Northern Ireland Policing Board, which appoints the Chief Constable and holds him or her to account. The PSNI also works in partnership with other agencies, such as the Police Ombudsman for Northern Ireland, the Public Prosecution Service, the Northern Ireland Prison Service, the Probation Board, the Department of Justice and the Northern Ireland Executive. The PSNI faces a range of challenges, threats and information breaches. (A History of Policing in Ireland)

The Police Service of Northern Ireland (PSNI) is grappling with a significant data breach, prompting the launch of an independent review. Approximately 10,000 police employees had their surnames and initials accidentally exposed in a response to a freedom of information request. Chief Constable Simon Byrne, acknowledging the severity of the situation, announced the review following discussions with the Policing Board, which offered unanimous support. (BBC N. Ireland 2023)

The breach, coupled with two subsequent incidents, has sparked concerns among PSNI officers who operate in an environment rife with threats from paramilitaries. The Policing Board, holding the power to appoint or dismiss the chief constable, emphasized the reputational damage suffered by the service. The forthcoming independent review, spearheaded by Peter O'Doherty, an assistant commissioner at City of London Police, is set to delve into the processes behind the breach and any organizational oversights, and to propose measures to prevent future breaches while enhancing systems and practices. (BBC N. Ireland 2023)

Scheduled to release an initial report within a month and a comprehensive report by November's end, the review aims to instill confidence in the PSNI's information security management. The PSNI promptly issued an apology for the breach, swiftly removing the disclosed information from its website. However, concerns linger as the list reportedly fell into the hands of dissident republicans. (BBC N. Ireland 2023)

Legal proceedings are underway in connection with the breach. Additionally, unrelated incidents, including the theft of a police laptop, radio, and a document containing names of over 200 staff in July, and the inadvertent loss of a PSNI laptop and a police officer's notebook on a Belfast motorway in August, further compound the anxieties. The notebook, containing details of 42 officers and staff, remains only partially recovered. (BBC N. Ireland 2023)

These incidents collectively underscore the urgent need to address information security concerns within the PSNI. The independent review is perceived as a critical step toward comprehending the root causes, implementing necessary improvements, and reinstating confidence in the organization's capability to safeguard sensitive information. To establish a contextual understanding, it is crucial to delve into the organization, its environment, and the threat landscape. (BBC N. Ireland 2023)

Environment and Threat Landscape:

  1. Organizational Structure: PSNI's organizational structure is essential. It includes hierarchical levels, communication channels, and the distribution of responsibilities. The breach occurred due to vulnerabilities in this structure.
  2. Operational Challenges: Policing in Northern Ireland comes with various risks, with officers and staff facing threats from paramilitaries. It adds an extra layer of complexity to information security, as personal safety concerns may influence the handling of sensitive data. (BBC N. Ireland 2023)
  3. Technological Environment: The increasing reliance on digital systems and information technology exposes the PSNI to cyber threats and data breaches.

Assumptions:

  1. Inadequate Information Security Measures:
  • There may be inadequacies in the PSNI's information security infrastructure, contributing to the data breaches.
  2. Potential External Threats:
  • The leaked information might have reached unauthorized individuals, including dissident republicans, posing a potential threat to the safety of officers and staff.

Given these challenges and threats, the PSNI has to ensure that it has a robust and comprehensive policy for secure access and document management, in line with the ISO 27000 family of standards, which provide best practices for information security management. The policy should aim to protect the confidentiality, integrity and availability of the PSNI's information assets, and to comply with the General Data Protection Regulation (GDPR) and other relevant legal, statutory, regulatory and contractual requirements. The policy should also support the PSNI's overall organisational strategy and objectives, and align with its risk appetite and tolerance. (ISO 27000 Series of Standards)

 

Risk Assessment for the Police Service of Northern Ireland (PSNI)

According to NIST (National Institute of Standards and Technology), risk is the “measure of the extent to which an entity is threatened by a potential circumstance or event”. (4.1 What is Risk?)

Risk assessment is a fundamental component of information security management, providing insights into potential threats, vulnerabilities, and their impact on an organization. In the context of the Police Service of Northern Ireland (PSNI), a thorough risk assessment is paramount to safeguard personnel and operations and to maintain public trust. This assessment adheres to the principles of confidentiality, integrity, and availability (CIA), aligning with ISO 27000 and ISO 27002 standards. (4.3.2 Risk Assessment Process)

Methodology: (B. Chole 2020)

  1. Asset Identification:
  • Personnel Data: Surnames and initials of 10,000 police employees.
  • Operational Data: Details of officers' roles, locations, and other operational information.
  • Digital Infrastructure: Information systems, databases, application software and communication channels.
  2. Threat Identification:
  • Cyber Threats: Hacking, phishing, malware.
  • Insider Threats: Accidental data disclosure, negligence.
  • Political Influence: Threats from dissident groups affecting information security.
  • Physical Security Incidents: Theft, loss of devices.
  3. Vulnerability Assessment:
  • Cyber Vulnerabilities: Outdated software, inadequate cybersecurity measures.
  • Insider Vulnerabilities: Lack of awareness, insufficient training.
  • Political Vulnerabilities: Influence from external actors.
  • Physical Security Vulnerabilities: Inadequate measures to safeguard devices and sensitive information.

Risk Assessment:

Information security risk assessment matrix of PSNI data breach:

| Risk Event | Likelihood (1-5) | Impact (1-5) | Risk Level (Likelihood * Impact) | Priority Level |
|---|---|---|---|---|
| Data Breach - Names of Police Employees Released | 4 | 5 | 20 | Critical |
| Stolen Police Laptop and Radio | 3 | 4 | 12 | High |
| Unauthorized Access to Criminal Databases | 3 | 4 | 12 | High |
| Notebook Falling from Moving Car | 2 | 3 | 6 | Medium |
| Physical Security Breach (Police Facilities) | 2 | 5 | 10 | Medium |
| Communication Systems | 1 | 4 | 4 | Low |

Table: Risk Assessment matrix for PSNI.

  1. Impact Analysis:
  • Personnel Safety (C): Potential harm to officers and staff due to data exposure.
  • Operational Impact (I): Compromised operational effectiveness and security.
  • Reputational Damage (A): Loss of public trust and confidence.
  • Legal Consequences (C): Violation of data protection regulations, leading to legal actions.
  2. Likelihood Assessment:
  • Cyber Threats (C): High likelihood given the evolving nature of cyber threats.
  • Insider Threats (I): Moderate likelihood, as accidental disclosures are common but can be mitigated with proper training.
  • Political Influence (A): Low to moderate likelihood, depending on the region's political climate.
  • Physical Security Incidents (C): Moderate likelihood, especially with recent theft incidents.
  3. Risk Level Determination:
  • High-Risk Areas: Cyber threats, personnel safety, reputational damage.
  • Medium-Risk Areas: Insider threats, operational impact.
  • Low-Risk Areas: Political influence, physical security incidents.

This risk assessment matrix reflects the critical nature of the data breach, considering the sensitivity of the information and the potential impact on the safety of police personnel. The other incidents, while significant, are rated with slightly lower priority levels based on the assumed likelihood and impact. The PSNI may use this matrix as a starting point for a more detailed and tailored risk assessment based on their internal processes and policies.

Risk Mitigation Strategies:

  1. Cybersecurity Enhancement (CIA):
  • Implement advanced cybersecurity measures, including regular software updates, firewalls, and intrusion detection systems to ensure data confidentiality.
  2. Insider Threat Prevention (CIA):
  • Conduct regular training programs to raise awareness about data handling policies and procedures, maintaining data integrity.
  3. Political and Paramilitary Engagement (CIA):
  • Collaborate with relevant authorities to mitigate political and paramilitary threats, ensuring operational availability.
  4. Physical Security Measures (CIA):
  • Enhance physical security protocols for devices containing sensitive information, preserving data availability.
  5. Regulatory Compliance (ISO 27000 and ISO 27002):
  • Ensure strict compliance with data protection regulations, including GDPR, aligning with ISO 27000 and ISO 27002 standards.

The PSNI employs the CIA triad and adheres to ISO/IEC 27000/27002 standards for risk identification, analysis, and mitigation. High-risk areas, including cybersecurity, personnel safety, and reputational damage, necessitate robust measures. The PSNI needs to follow strategies such as advanced cybersecurity practices, enhanced insider threat prevention, and addressing physical security vulnerabilities, which align with CIA principles and ISO standards. Collaboration with political entities and strict regulatory compliance add an additional layer of protection. This comprehensive risk management approach ensures the PSNI's resilience against multifaceted threats, safeguarding the confidentiality, integrity, and availability of critical information assets. (I. Luke 2023)

 

Secure Access and Document Management Policy

Police Service of Northern Ireland (PSNI)

The policy ensures consistent management of digital devices, records and documents, encompassing their entire life cycle from creation to disposal. Records, serving as evidence or business transactions, include various media like microfiche, audio, video, and digital formats. Documents, whether written, printed, or electronic, are treated as official records. Compliance with legal obligations and adherence to best practice standards are crucial. The policy aims to achieve effective management of all records, provide trustworthy evidence for decision-making, support efficient service delivery, protect the interests of the Police Service of Northern Ireland (PSNI) and its staff, and ensure accessible information when needed. (Records and document management policy 2022)

Developed in accordance with the ISO/IEC 27001:2013 standard for Information Security Management Systems (ISMS), this policy aims to mitigate risks associated with unauthorized access, data breaches, and other security threats while aligning with legislative obligations and best practice standards. (ISO/IEC 27001 – Information Security Management)

Scope:

This policy applies to all PSNI personnel, including officers, staff, contractors, and any other third party or individuals granted access to PSNI's information systems and documents.

Statements:

  1. Access Control: Access control is a crucial part of security, determining who has permission to access specific data, apps, and resources, and in what situations. Similar to how keys and approved guest lists secure physical spaces, access control policies play the same protective role in digital environments. Essentially, they permit the right individuals to enter while preventing unauthorized access. These policies heavily depend on authentication and authorization techniques, ensuring that users are genuinely who they claim to be and that they are granted the appropriate access level based on factors like the device used, location, and role. (Access control defined)

By employing access control, organizations safeguard confidential information, including customer data and intellectual property, from theft by unauthorized users. It also lowers the risk of employees mishandling data and protects against online threats. Instead of manually managing permissions, security-focused organizations often turn to identity and access management solutions to effectively enforce access control policies. PSNI may follow these steps: (Access control defined)

  • Access to PSNI's information systems will adhere to ISO/IEC 27001 principles, implementing the least privilege approach. Users will be granted access only to resources necessary for their specific job duties.
  • Regular access reviews will be conducted, and adjustments made promptly to align with changes in job roles or responsibilities, as per ISO/IEC 27001 recommendations.
  2. User Authentication:
  • All users must utilize unique login credentials (username and password) in line with ISO/IEC 27001 standards. Passwords must comply with the organization's password policy, including regular updates.
  • Multi-factor authentication (MFA) will be implemented for accessing sensitive systems and data, adhering to ISO/IEC 27001 guidelines. (J. Kyle 2023)
  3. Document Classification:
  • All documents within PSNI will be classified based on ISO/IEC 27001 sensitivity and confidentiality levels.
  • Classification labels will be visibly displayed on documents and associated systems, following ISO/IEC 27001 guidelines.
  • PSNI may use the following document classification policy:

 

Use a table to simplify the data handling documentation process. (I. Luke 2022)

  4. Data Encryption:
  • Sensitive and confidential information, both in transit and at rest, will be encrypted using ISO/IEC 27001 compliant encryption algorithms.
  • Encryption keys will be securely managed and regularly updated in accordance with ISO/IEC 27001 standards.
  5. Document Lifecycle Management:
  • Documents within PSNI will undergo a systematic lifecycle management process, following ISO/IEC 27001 guidelines, including creation, storage, retrieval, modification, and secure destruction.
  • Outdated or irrelevant documents will be securely and permanently deleted from PSNI's systems, and hard copies will be destroyed by the organization, aligning with ISO/IEC 27001 principles.
  6. Access Monitoring and Logging:
  • Access to sensitive information within PSNI will be actively monitored, logged, and regularly audited as required by ISO/IEC 27001.
  • Any suspicious or unauthorized access attempts will be immediately investigated, and corrective action taken following ISO/IEC 27001 principles.

Compliance with Legislative Obligations:

This policy is developed in adherence to ISO/IEC 27001:2013 Information technology Security techniques, Information security management systems, Requirements. Additionally, it aligns with relevant legislative obligations and frameworks governing information security in the law enforcement sector. (S. Andre 2022)

Best Practice Standards:

The policy integrates best practice standards as outlined in ISO/IEC 27001, emphasizing the principles of confidentiality, integrity, and availability (CIA). Access controls, encryption measures, and document lifecycle management are all implemented in accordance with the guidance provided by ISO/IEC standards.

Information Security Management System (ISMS):

ISO/IEC 27001 provides a systematic approach to managing sensitive company information, ensuring the confidentiality, integrity, and availability of that information. This policy aligns with the principles of ISMS, ensuring that PSNI's information assets are appropriately protected.

Policy Outcome:

This Secure Access and Document Management Policy aims to achieve several critical outcomes:

  1. Effective Management: This policy ensures the effective management of all records and documents within PSNI. By following ISO/IEC 27001 principles, it establishes a robust framework for controlling access and systematically managing documents throughout their lifecycle. (Our Strategies and Vision)
  2. Trustworthy Evidence: PSNI requires trustworthy evidence for decision-making at all levels. The policy, by implementing secure access controls and document management practices, ensures the integrity and reliability of the information used in decision-making processes.
  3. Underpin Delivery of Efficient Services: By securing access to information and implementing efficient document management practices, this policy underpins the delivery of efficient services within PSNI. Access controls and encryption measures contribute to the seamless functioning of critical services.
  4. Protection of Interests: The policy is designed to protect the interests of PSNI, its staff members, and its information. By following ISO/IEC standards, it establishes a comprehensive security framework that safeguards against potential risks and threats.
  5. Accessibility of Information: Accessibility of information wherever and whenever needed is crucial. This policy, by adhering to ISO/IEC 27001 guidelines, ensures that authorized personnel have secure and timely access to information, contributing to effective decision-making and operational efficiency.

In conclusion, the Secure Access and Document Management Policy for PSNI provides a robust framework for securing access to information and managing documents in line with ISO/IEC 27001 standards. By adhering to legislative obligations and best practice standards, this policy aims to mitigate risks, ensure confidentiality, integrity, and availability of information, and support the efficient delivery of services within PSNI. It establishes a foundation for information security that aligns with industry standards and regulatory requirements, contributing to the overall resilience and effectiveness of PSNI's operations.

 

References:

A History of Policing in Ireland, Police Service of Northern Ireland, viewed 01 November 2023, <https://www.psni.police.uk/about-us/our-history/history-policing-ireland>

BBC N. Ireland 2023, PSNI data breach: Independent review to be launched, BBC News, viewed 15 November 2023, <https://www.bbc.co.uk/news/uk-northern-ireland-66578582>

4.3.2 Risk Assessment Process, UH Canvas, viewed 10 November 2023

Chole 2020, 7 Steps to a Successful ISO 27001 Risk Assessment, viewed 11 November 2023

4.1 What is Risk?, UH Canvas, viewed 05 November 2023

I. Luke 2023, Demystifying the CIA Triad: Why It’s Crucial for Cyber Security, IT Governance, viewed 16 November 2023

Records and document management policy 2022, NHS Digital, viewed 17 November 2023

Access control defined, Microsoft, viewed 10 November 2023, <https://www.microsoft.com/en-gb/security/business/security-101/what-is-access-control>

Kyle 2023, Use these 6 user authentication types to secure networks, TechTarget, viewed 17 November 2023, <https://www.techtarget.com/searchsecurity/tip/Use-these-6-user-authentication-types-to-secure-networks>

I. Luke 2022, What is ISO 27001 Information Classification?, IT Governance, viewed 16 November 2023, <https://www.itgovernance.co.uk/blog/what-is-information-classification-and-how-is-it-relevant-to-iso-27001>

Our Strategies and Vision, Police Service of Northern Ireland, viewed 13 November 2023

I. Andre 2022, Information security protection goals and their significance, DQS, viewed 08 November 2023

ISO 27000 Series of Standards, IT Governance, viewed 16 November 2023, <https://www.itgovernance.co.uk/iso27000-family>

ISO/IEC 27001 – Information Security Management, IT Governance, viewed 16 November 2023
