
Cyber Security Protection at the UKHO

The UKHO protects its commercial websites and products from cyber crime by design, so that customers can be confident that the UKHO hosts a stable and innovative online presence which the public can use safely.

This statement is validated by independent testing in line with UK Government policy.

UKHO systems are accredited in line with UK Government Security Policy Framework (SPF).

The UK Hydrographic Office is ISO 27001 certified and operates a compliant Information Security Management System (ISMS). The scope of our certification includes the design, development, hosting and provision of software and services in support of the UKHO as a maritime geospatial agency, including the processes and locations that support the UKHO commercial business. Our ongoing certification is subject to independent, bi-annual audits by our certification body.

In addition to our ISO 27001 certification, and as a requirement of the UKHO being a MoD organisation, our information systems are formally accredited by the Cyber Defence and Risk Directorate (CyDR). In this context, accreditation is a formal, independent assessment of a technology or service against its Information Assurance (IA) requirements, resulting in acceptance of the residual risk in the context of the business requirements and the organisation's information risk appetite.

The UKHO has a dedicated team responsible for information security, led by a Head of Information Security and supported by IT Security Officers. In addition, several other roles carry information security responsibilities. These include the Senior Information Risk Owner (SIRO), Chief Technical Officer (CTO), Deputy Chief Information Officer (DCIO), Information Asset Owners (IAO) and Information Asset Custodians (IAC).

The following high-level information security principles provide overarching governance for the security and management of information at the UKHO.

  1. Information will be classified according to an appropriate level of confidentiality, integrity and availability and in accordance with relevant legislative, regulatory and contractual requirements.
  2. Staff with responsibilities for information security must understand their responsibilities and must abide by any contractual requirements, policies, procedures or systems for meeting those responsibilities.
  3. All users must handle information appropriately and in accordance with its classification level.
  4. Information should be both secure and available to those with a legitimate need for access in accordance with its classification level. To that end, access to information will be based on the following principles:
    1. Least privilege
    2. Need to know
  5. Information will be protected against unauthorised access and processing in accordance with its classification level.
  6. All information security breaches must be reported and investigated in accordance with the UKHO incident management policy.
  7. Information security, and the policies that guide it, will be regularly reviewed, including through annual internal audits and penetration testing.


Additional guidance on cyber security on board ships is available from the International Chamber of Shipping (ICS): http://www.ics-shipping.org/free-resources/safety-and-operations