Security Policy Framework (SPF)

Security Policy Framework - HMG Information Assurance

The Security Policy Framework (SPF) was published late in 2008 and replaces The Manual of Protective Security. The SPF is mandatory for all Government Departments and Agencies. It also states that it "should also be extended, where necessary, to any organisations working on behalf of, or handling HMG assets, such as Non-Departmental Public Bodies (NDPBs), contractors, Emergency Services, devolved administrations, Local Authorities or any regular suppliers of goods and/or services."

The SPF is composed of four tiers; tiers 1 to 3 are available publically but are often perceived as increasing in complexity and detail. These tiers are:
Tier 1: The Overarching Security Policy Statement.
Tier 2: The Five Core Security Principles.
Tier 3: The Seven Security Policies.

AUTOMATE IMPLEMENTATION OF SECURITY CONTROLS

Tripwire helps Government bodies to affordably achieve Security Policy Framework compliance with a single integrated solution. The Tripwire® VIA™ suite combines the power of Tripwire® Log Center—log and SIEM—and the intelligence of Tripwire® Enterprise—FIM and configuration control. The Tripwire VIA suite delivers an automated solution designed to support monitoring, change detection, reporting and investigation in real time to provide assurance of compliance with IT security policies.

Tripwire VIA solutions allow organisations to:

  • Meet the requirements of SPF for HMG ICT systems utilising the recommended configuration controls and log requirements.
  • Monitor in real-time and instantly detect any changes and events that may impact upon security.
  • Instantly alert on suspicious behaviour within the enterprise.
  • Remediate configurations; automate hardening of security controls.
  • Collect any readable audit, accounting or operational log and process it in to a scalable flat-file based forensic data store in accordance with the organisation’s Forecsic Readiness Policy.
  • Conform with standards such as the GCSX requirements, Data Protection Act and Community Security Policy (CSP).