
DWP ss018 Security Standard Network Security Design PDF

This document provides network security standards that apply to Department for Work and Pensions (DWP) suppliers and contractors where stated in a contract. It outlines technical security controls required to secure networks to a DWP approved level. The purpose is to define a set of security requirements to develop, deploy, and manage solutions according to DWP security standards based on international best practices. Any exceptions to these standards must be presented to a Security Architect and considered for approval before deployment.


IMPORTANT.

DWP Security Policies and Standards apply to DWP suppliers and contractors
where explicitly stated in the Security Schedule of the contract. DWP Standards are not a
cross government requirement.

Security Standard – Network Security Design (SS-018)

Chief Security Office

Date: 9 April 2019

Version 1.3 Page 1 of 35



Version Control Table

Version Date Major Change

Updating policy
This Standard will be reviewed for continued completeness, relevancy and accuracy within 1
year of being granted “final” status, and at yearly intervals thereafter.

The version control table will show the published update date and provide a thumbnail of the
major change. CAUTION: the thumbnail is not intended to summarise the change and not a
substitute for reading the full text.


Contents

1. Introduction
2. Purpose
3. Exceptions
4. Audience
5. Scope
6. Security Controls Assurance
7. Technical Security Control Requirements
8. Generic Network Security Requirements
   Policy
   Risk Management
   Network Security Architecture
   Network Perimeter Requirements
   Protecting data
   Protecting the enterprise network
   Segmentation
   Securing Network Services and Devices
   Maintaining Network Security
   Access Control
   Patching & Testing
   Redundancy
   Administration & Management
   Protective Monitoring
   Users Instructions and Training
   Roles and Responsibilities
   Incident management
   Physical Security
9. Office Local Area Network (LAN)
   Additional LAN Requirements
   Wireless Networking
10. Wide Area Network (WAN)
   Core WAN Requirements
   Internet Access
   Routing Security
   Service Resilience
11. Datacentre
   General Requirements
   Network and Boundary Controls
   Network Storage Devices
   Physical Security
12. Virtual Private Networks (VPNs)
   VPN Core Requirements
   VPN Gateway
   VPN Endpoint Devices
13. Compliance
14. Accessibility
15. Security Standards Reference List
16. Reference Documents
17. Definition of Terms
18. Glossary


1. Introduction
1.1. This Network Design Security Standard provides the list of controls that are
required to secure networks to a Department for Work and Pensions (DWP)
approved level of security. This standard provides a list of security controls to
protect citizen and operational data. It is to minimise the risk from known
threats both physical and logical to an acceptable level for operations.

1.2. For further clarity and relevance, this standard is aligned to the DWP Digital
Blueprint, which defines the direction for all departmental technology.

1.3. Furthermore, the security controls presented in this standard are taken from
the international best practice for network security and have been tailored for
Departmental suitability.

2. Purpose
2.1. The purpose of this document is to enable teams to work to a defined set of
security requirements which enable solutions to be developed, deployed and
managed to Departmental security standards, which are based upon
international best practice for network deployments.

2.2. Secondly, this standard provides a baseline requirement to inform compliance
based technical security audits.

3. Exceptions
3.1. In this document the term MUST in upper case is used to indicate an absolute
requirement. Failure to meet these requirements will require a formal
exemption as detailed below.

3.2. Any exceptions to the application of this standard or where controls cannot be
adhered to MUST be presented to an assigned Security Architect and
considered for submission to the DWP Design Authority (DA) advisory or
governance board, where appropriate. This MUST be carried out prior to
deployment and managed through the design caveats or exception process.

3.3. Such exception requests may invoke the Risk Management process in order
to clarify the potential impact of any deviation to the configuration detailed in
this standard.

3.4. Exceptions to this standard MUST be maintained on a risk register for
accountability, traceability and security governance reporting to senior
management.


4. Audience
4.1. This standard is intended for Security and Technical Architects, Suppliers,
Database Administrators, Security Operations, Network Designers and
Administrators, Developers, Security Groups and also IT staff such as
Security Compliance Teams involved in securing environments for DWP
systems and applications.

5. Scope
5.1. This standard relates to the network infrastructure and components that
provide connectivity for internal users of the DWP information systems within
the OFFICIAL tier of the Government Security Classification Policy (GSCP).
This standard covers office LAN infrastructure supporting desktops and
mobile devices that have a wired connection to the DWP network. This
includes services that support the office LAN but are located within DWP
datacenters. This standard also covers wide area infrastructure which
provides connectivity between these office locations and business
applications hosted within or externally to the DWP Hosted infrastructure. The
requirements will be applied to new and existing installations.

5.2. The security control requirements laid out in this standard are product
agnostic and applicable for all network systems that are provisioned for
departmental use.

5.3. In the event of uncertainty on the controls laid out in this standard please
contact the Security Front Door for guidance and support on items which
require clarification.

6. Security Controls Assurance


6.1. Controls presented in this standard or referred to via this standard may be the
subject of a formalised IT Health Check or Penetration Test to provide
evidence of adequacy and effectiveness.

7. Technical Security Control Requirements


In this document the term MUST in upper case is used to indicate an absolute
requirement. Failure to meet these requirements will require a formal exemption (see
section [6. Exceptions] above).

Any reference to sensitive data in the security requirements refers to data that has
been classified at the OFFICIAL or OFFICIAL-SENSITIVE tier or otherwise data that
could be useful for malicious actors intending to attack the network.

8. Generic Network Security Requirements


Policy
8.1.1. There MUST be a DWP information security policy that considers network connections/network security (it MUST cover use of all DWP network services and system operating procedures for admins).
DWP Control Reference: SC9-1.1

8.1.2. DWP will use ISO27033 as its framework for Network Security Design.
DWP Control Reference: SC9-1.1

Risk Management

11.2.1 Documentation MUST be available to describe the current network and planned changes to the network. This MUST be sufficiently detailed to describe connections and services and form a basis for consideration of network-related risks.
DWP Control Reference: SC8-1.2, SC9-1.1

11.2.3 Characterise the network on the basis of the community of users:
- Unknown community of users
- A known community of users from a closed business community comprising members from more than one organisation
Then consider whether they are using a public or private network.
DWP Control Reference: SC5-1.1, SC9-1.1, SC10-1.2

11.2.4 Consider the type of network: data, voice or hybrid. Also packet, switched or Multi-Protocol Label Support (MPLS).
DWP Control Reference: SC9-1.1

11.2.5 Collect other information to scope the network security design, as follows:
- Information types
- Business processes
- Actual or potential hardware components; software, services and connections
- Potential environments (locations and facilities)
- Activities (Operations)
DWP Control Reference: SC9-1.1

11.2.6 The network security design MUST take account of the following types of risks.
Loss of:
- Confidentiality of information and code
- Integrity of information and code
- Availability of information and network services
- Non-repudiation of network transactions
- Accountability of network transactions
- Authenticity of information, users and administrator
- Reliability of information and code
- Ability to control unauthorised use of information and resources
- Ability to control abuse of authorised access
DWP Control Reference: SC2-1.2, SC5-1.2, SC5-2.4, SC9-1.1

Network Security Architecture

11.3.1 Different protocols have different security characteristics and should be afforded special consideration.
DWP Control Reference: SC9-1.1

11.3.2 The approach to Network Security Architecture MUST take account of ITU-T X.805.
DWP Control Reference: SC9-1.1

11.3.3 The network Security Architecture MUST support the following security dimensions:
- Access control
- Authentication
- Non-repudiation
- Data confidentiality
- Communication security
- Data integrity
- Availability
- Privacy
DWP Control Reference: SC5-1.1, SC5-2.4, SC8-4.12, SC9-1.1, SC9-2.5, SC14-1.4

11.3.4 Security protection MUST be provided for all three security layers as defined in X.805: the infrastructure layer, the services layer and the application layer.
DWP Control Reference: SC9-1.1

11.3.5 It MUST be possible to separate the security concerns associated with each of the planes as defined in X.805: the planes are management, control and end-user. For example, if there is a flood of packets related to the end-user plane these MUST not interfere with the ability of the network administrator to correct the problem in the management plane. Take account of the security objectives for each plane as they are documented in X.805.
DWP Control Reference: SC9-1.1

11.3.6 Network Security Design MUST include the following inputs:
- DWP’s documented service requirements
- Documentation of any planned architecture, design and implementation
- Current network security policy (or relevant parts of the information security policy) preferably based on a risk assessment combined with a management review
- Definition of the assets that should be protected
- Current and planned performance requirements
- Current information regarding the products which implement the network infrastructure
DWP Control Reference: SC5-1.1, SC5-2.4, SC9-1.1, SC8-4.12, SC9-2.5, SC14-1.4

11.3.7 Network Security Design MUST include the following outputs:
- The network technical security architecture
- Service access requirements for each of the security gateways (including firewall rulesets)
- Security operating procedures
- Conditions for secure connection of third parties
- User guidelines for third parties
DWP Control Reference: SC5-4.17, SC8-1.1, SC9-1.1

11.3.8 The Network Security Design MUST consider the following scenarios:
- Internet access for employees
- Enhanced collaboration services
- Business to business services
- Business to customer services
- Outsourced services
- Network segmentation (segregation)
- Mobile communication
- Networking support for travelling users
- Networking support for home users
DWP Control Reference: SC2-2.1, SC5-4.12, SC5-4.13, SC6-1.8, SC9-1.1, SC9-2.2

11.3.9 The Network Security Design MUST consider the following technology topics:
- Local area networks
- Wide area networks
- Wireless networks
- Radio networks
- Broadband networks
- Security gateways
- Virtual Private Networks
- Voice networks
- IP convergence
- Web hosting
- Internet email
- Routed access to third parties
- Data centres
DWP Control Reference: SC5-5.2, SC5-4.15, SC9-1.1, SC9-1.5, SC9-2.4

11.3.10 ISO27033 Part 2 contains guidelines for the design of network security. These guidelines should be followed. The design MUST take account of legal and regulatory requirements.
DWP Control Reference: SC14-1.1, SC14-2.2

11.3.11 The Network Security Design MUST define the roles and responsibilities which relate to network security.
DWP Control Reference: SC2-1.1

11.3.12 Steps MUST be taken to carry out audit of the effectiveness of Network Security controls. This MUST include IT Health Checks and other forms of security testing including vulnerability scanning.
DWP Control Reference: SC9-1.1, SC9-1.5

11.3.13 The following design principles MUST be considered:
- Provide for defence-in-depth – create layered security controls such that, if one control fails, other controls will protect valuable assets.
- Keep solutions simple – the objective of the design process is to produce the simplest possible outcome. Simple solutions are easier to explain to people and most likely to be reliable, deliverable and maintainable.
- Reduce Attack Surface - every feature that is added to an application adds a certain amount of risk to the overall application. The aim for secure development is to reduce the overall risk by reducing the attack surface area.
- Fail securely - When a system fails, it should do so securely. This typically involves several things: secure defaults (default is to deny access); on failure undo changes and restore to a secure state; always check return values for failure; and in conditional code/filters make sure that there is a default case that does the right thing. The confidentiality and integrity of a system should remain even though availability has been lost. Attackers must not be permitted to gain access rights to privileged objects during a failure that are normally inaccessible. Upon failing, a system that reveals sensitive information about the failure to potential attackers could supply additional knowledge for creating an attack. Determine what may occur when a system fails and be sure it does not threaten the system.
DWP Control Reference: SC9-1.1

Network Perimeter Requirements

Network perimeter controls MUST be deployed in accordance with SS-006 Secure
Boundaries standard. The following controls are the principal, best practice
requirements required to secure an external physical network perimeter from outside
networks. For further details and requirements, please refer to the Secure
Boundaries standard.

11.4.1 Access to ports, protocols and applications MUST be managed by filtering and inspecting all possible traffic at the network perimeters to ensure that only authorised, minimum necessary, traffic which is required to support DWP business is being exchanged.
DWP Control Reference: SDC9-1.1

11.4.2 All inbound and outbound connections to the DWP network MUST be examined and managed (including encrypted data, where applicable) using network security enforcing components.
DWP Control Reference: SC9-1.1

11.4.3 Packet filtering (i.e. with the use of a packet filtering/screening router) MUST be conducted at the network perimeter to filter out unwanted packets.
DWP Control Reference: SC9-1.1

11.4.4 Firewalls MUST be used to create a demilitarised zone (DMZ) between the Internet (and other untrusted networks) and the networks used by DWP, in compliance with SS-013 Firewall Security Standard and the DWP Firewall Security Policy. The firewall rule set MUST deny incoming traffic by default, returning traffic only for established connections and a whitelist MUST be applied that only allows authorised protocols, ports and applications to exchange data across the boundary.
DWP Control Reference: SC9-1.1

11.4.5 All encrypted traffic from outside the DWP network MUST firstly be decrypted and passed through a content checker before being directed to its intended recipient. Similarly where required, encrypted data MUST only be allowed to leave the network after being content checked. If it is not possible to decrypt the traffic it MUST be blocked.
DWP Control Reference: SC9-1.1

11.4.6 There MUST be malware checking solutions (and where required, subject to risk assessment, reputation-based scanning services) to examine both inbound and outbound data at the perimeter in addition to protection deployed internally (in accordance with SS-015 Malware Protection Security Standard). Using different antivirus and malware solutions is good practice to protect the enterprise network and systems in order to provide some additional defence in depth.
DWP Control Reference: SC8-2.1

11.4.7 There MUST be no direct connectivity between inside the enterprise network and external networks. All incoming and outgoing traffic MUST pass through some form of security boundary before being allowed onto the enterprise network. An application proxy could be used to ensure that there is no direct connection between enterprise client systems and systems hosted on the Internet. The application proxy is used to check inbound and outbound packets and to:
a. Hide the details of network internals to the external interface (details of IP addresses, user details, software, etc.) and deny this information to potential external attackers.
b. Provide a Protective Monitoring point for user activity that can be used to make users accountable for their use of the connection.
c. Provide session breaking and malware scans (a session is an open connection between two endpoints).
DWP Control Reference: SC9-1.1

11.4.8 There MUST be filters for mobile code on the gateways to the Internet, with mobile code accepted only from uncritical, white listed sites or only digitally signed mobile code signed from approved Certification Authorities or from approved vendors (enable the respective configuration options on the client side, e.g. actively manage and implement a white list of allowed code signing Certification Authorities).
DWP Control Reference: SC5-4.11

11.4.9 Network infrastructure devices on the perimeter MUST be hardened (in accordance with the relevant security standards and patterns) to avoid unauthorised access and compromise - this should include the use of secure protocols, disabling unused services, limiting access to necessary ports and protocols and the enforcement of authentication and access control where appropriate.
DWP Control Reference: SC9-1.1
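
The three rule-set conditions in requirement 11.4.4 (deny incoming by default, admit return traffic only for established connections, whitelist everything else) can be audited mechanically. The Python below is an added example, not part of the DWP standard; the rule model, the whitelist contents and both sample rule sets are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Rule:
    """Vendor-neutral rule model (an assumption; map real firewall exports into it)."""
    direction: str            # "in" or "out", relative to the protected network
    action: str               # "allow" or "deny"
    proto: str                # "tcp", "udp" or "any"
    port: Union[int, str]     # destination port number, or "any"
    state: str = "new"        # "new" or "established"


# Constructed whitelist of authorised inbound services as (protocol, port).
APPROVED_INBOUND = frozenset({("tcp", 443), ("tcp", 25)})


def audit_ruleset(rules, default_inbound, approved=APPROVED_INBOUND):
    """Return findings against 11.4.4; an empty list means all checks passed."""
    findings = []
    # Check 1: incoming traffic is denied unless a rule explicitly allows it.
    if default_inbound != "deny":
        findings.append(f"default inbound policy is '{default_inbound}', expected 'deny'")
    # Check 2: return traffic is admitted by an established-state rule.
    if not any(r.direction == "in" and r.action == "allow" and r.state == "established"
               for r in rules):
        findings.append("no inbound allow rule for established connections")
    # Check 3: every inbound allow for new connections is on the whitelist.
    for number, r in enumerate(rules, start=1):
        if (r.direction, r.action, r.state) != ("in", "allow", "new"):
            continue
        if r.proto == "any" or r.port == "any":
            findings.append(f"rule {number}: wildcard allow ({r.proto}/{r.port})")
        elif (r.proto, r.port) not in approved:
            findings.append(f"rule {number}: {r.proto}/{r.port} is not on the whitelist")
    return findings


def inbound_verdict(rules, default_inbound, proto, port, state="new"):
    """First-match evaluation of one inbound packet; falls back to the default policy."""
    for r in rules:
        if (r.direction == "in" and r.state == state
                and r.proto in ("any", proto) and r.port in ("any", port)):
            return r.action
    return default_inbound


# Constructed sample rule sets.
COMPLIANT = [
    Rule("in", "allow", "any", "any", state="established"),
    Rule("in", "allow", "tcp", 443),
    Rule("in", "allow", "tcp", 25),
]
NON_COMPLIANT = [
    Rule("in", "allow", "tcp", 443),
    Rule("in", "allow", "tcp", 23),      # not an authorised service
    Rule("in", "allow", "any", "any"),   # wildcard defeats the whitelist
    Rule("out", "allow", "tcp", 443),
]

if __name__ == "__main__":
    for name, rules, default in (("compliant", COMPLIANT, "deny"),
                                 ("non-compliant", NON_COMPLIANT, "allow")):
        print(name, audit_ruleset(rules, default) or "no findings")
    print("new tcp/23 against compliant set:",
          inbound_verdict(COMPLIANT, "deny", "tcp", 23))
```
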

Protecting data

11.5.1 Appropriate cryptographic controls MUST be used to protect sensitive data in transit over the network in accordance with SS-007 Use of Cryptography.
DWP Control Reference: SC6-1.7

11.5.2 Appropriate cryptographic controls MUST be used to protect sensitive data at rest within network components including temporary storage buffers in accordance with SS-007 Use of Cryptography.
DWP Control Reference: SC6-1.5

Protecting the enterprise network

The enterprise network covers services, network devices and interconnections
between the different parts of the organisation within DWP controlled locations and
management of the whole network (where consuming cloud services outside these
traditional locations, also see SS-023 Cloud Computing Security Standard).

11.6.1 Anti-virus and malicious code checking solutions with signature-based capabilities MUST be on the internal enterprise network in accordance with SS-015 Malware Protection Security Standard. Heuristic scanning methods MUST be considered as well.
DWP Control Reference: SC8-2.1

11.6.2 The network MUST be segregated into zones and appropriate controls should be applied between the zones (see section 11.5).
DWP Control Reference: SC9-1.4

11.6.3 Administrator access to any network component MUST use multi-factor authentication and strong authorisation controls (see SS-001 Access and Authentication Standard).
DWP Control Reference: SC5-2.5

11.6.4 Default administrative passwords for network equipment MUST be changed and default accounts MUST be removed. Authentication credentials MUST not be shared between users or devices. Passwords MUST be set in line with DWP User Access Control Policy (also see SS-001 Access and Authentication for further guidelines).
DWP Control Reference: SC5-2.3

11.6.5 Any error messages returned to enterprise or external systems or users MUST not include sensitive information that may be useful to attackers (except encrypted messages as part of event logging – see requirement 11.12.3).
DWP Control Reference: SC5-2.3

11.6.6 Intrusion detection and prevention systems MUST be deployed on appropriate areas of the network (e.g. network boundary, CNI systems, and significant critical applications) and MUST be configured by authorised and qualified staff (in compliance with SS-015 Malware Protection Security Standard and SS-012 Protective Monitoring). Alerts generated by the system MUST be promptly managed by appropriately trained staff.
DWP Control Reference: SC8-4.12

11.6.7 Network Address Translation MUST be used. The enterprise network IP address range should be ‘non-routable’ from the Internet.
DWP Control Reference: SC9-1.1

11.6.8 All configuration details of network devices (e.g. IP address) MUST be registered against the DWP CMDB.
DWP Control Reference: SC8-1.4

11.6.9 Deploy ACLs, where appropriate, to limit access to known and trusted communication partners.
DWP Control Reference: SC5-1.2

11.6.10 Traffic routing MUST be identified during design to avoid transiting insecure network environments.
DWP Control Reference: SC9-1.1

11.6.11 There MUST be hardening of security controls on network devices and supporting infrastructure including servers (see SS-008 Server Operating System Security Standard for servers). Unnecessary software, protocols, ports and services on the enterprise network MUST be disabled.
DWP Control Reference: SC9-1.1

11.6.12 Warning banners MUST be displayed to enforce legal and regulatory requirements. These should be presented on privileged and normal user access accounts.
DWP Control Reference: SC14-1.1

11.6.13 Remote access into the enterprise network MUST be in accordance with SS-016 Remote Access Security Standard.
DWP Control Reference: SC5-4.12

Segmentation

Boundaries between the security zones should conform to the requirements within
the SS-006 Secure Boundaries Security Standard.

Reference Security Control Requirement DWP Control


Reference
11.6.14 Networks of different risk profiles MUST be SC9-1.4
located in different security zones:

Version 1.3 Page 14 of 35


IMPORTANT. DWP Security Policies and Standards apply to DWP suppliers and contractors where
explicitly stated in the Security Schedule of the contract. DWP Standards are not a cross government
requirement.

Reference Security Control Requirement DWP Control


Reference
 Devices and computer systems
providing services for external networks
(e.g., the Internet) MUST be located in
different zones (De-Militarized Zone –
DMZ) than internal network devices and
computer systems.
 Application or data assets with higher
protective requirement MUST be located
in dedicated security zones.
 Devices and computer systems of low
trust level such as remote access
servers and wireless network access
points MUST be located in dedicated
security zones

11.6.15 Networks of different types MUST be located in SC9-1.4
separate security zones:
• User workstations MUST be located in
different security zones than servers
• Network and security management
systems MUST be located in dedicated
security zones
• Systems in development stage MUST
be located in different zones than
production systems

11.6.16 Network segmentation MUST be used to: SC9-1.4
• segregate administrative and
maintenance capabilities from routine
user access to business applications;
• segregate applications with higher
protective requirements from other
applications;
• segregate databases from ordinary
users who do not have business
requirements for access.
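
The placement rules in 11.6.14 and 11.6.15 can be checked mechanically against an asset inventory. The following Python check is an added example, not part of the DWP standard; the inventory fields, zone names and asset labels are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One inventory record. Field names and labels are assumptions of this example."""
    name: str
    zone: str
    kind: str                      # workstation, server, management, remote_access, wireless_ap
    stage: str = "production"      # or "development"
    external_facing: bool = False  # provides services to external networks
    high_protection: bool = False  # higher protective requirement


LOW_TRUST_KINDS = {"remote_access", "wireless_ap"}

# (requirement, finding text, predicate). A zone violates the rule when it
# holds both assets that match the predicate and assets that do not.
SEPARATION_RULES = [
    ("11.6.14", "external-facing systems share a zone with internal systems",
     lambda a: a.external_facing),
    ("11.6.14", "higher-protection assets are not in a dedicated zone",
     lambda a: a.high_protection),
    ("11.6.14", "low-trust devices are not in a dedicated zone",
     lambda a: a.kind in LOW_TRUST_KINDS),
    ("11.6.15", "management systems are not in a dedicated zone",
     lambda a: a.kind == "management"),
    ("11.6.15", "development and production systems share a zone",
     lambda a: a.stage == "development"),
]


def audit_zones(assets):
    """Return (requirement, zone, finding) tuples, ordered by zone name."""
    by_zone = defaultdict(list)
    for asset in assets:
        by_zone[asset.zone].append(asset)

    findings = []
    for zone in sorted(by_zone):
        members = by_zone[zone]
        for requirement, text, predicate in SEPARATION_RULES:
            if len({bool(predicate(a)) for a in members}) == 2:
                findings.append((requirement, zone, text))
        # Workstations and servers are two named kinds, so test for both being present.
        kinds = {a.kind for a in members}
        if {"workstation", "server"} <= kinds:
            findings.append(("11.6.15", zone, "workstations and servers share a zone"))
    return findings


# Constructed sample inventory.
INVENTORY = [
    Asset("web01", "dmz", "server", external_facing=True),
    Asset("app01", "app", "server"),
    Asset("build01", "app", "server", stage="development"),
    Asset("db01", "data-restricted", "server", high_protection=True),
    Asset("nms01", "mgmt", "management"),
    Asset("vpn-gw", "remote-access", "remote_access"),
    Asset("pc-114", "users", "workstation"),
    Asset("print01", "users", "server"),
    Asset("ap-3f", "users", "wireless_ap"),
]

if __name__ == "__main__":
    for requirement, zone, text in audit_zones(INVENTORY):
        print(f"{requirement}  zone={zone}: {text}")
```
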

Securing Network Services and Devices

Reference Security Control Requirement DWP Control


Reference
11.6.17 Switches MUST be secured and hardened in SC9-1.1
accordance with manufacturer and industry
best practices
11.6.18 There MUST be Anti-ARP spoofing SC9-1.1
technologies to protect network devices.
11.6.19 Network services including Domain Name SC9-1.1
System (DNS), Network Time Protocol (NTP)
and Dynamic Host Configuration Protocol
(DHCP) MUST be secured in accordance with
manufacturer and industry best practices or in
accordance with relevant standards/patterns.
11.6.20 Network products and services MUST be SC9-1.1
purchased through a process where security is
one of the evaluation criteria. They MUST
NOT be purchased if the risks of adoption are
outside risk appetite and, in those situations
where the evaluation team have major
reservations, every effort MUST be made to
choose more secure alternatives.

Maintaining Network Security

Reference Security Control Requirement DWP Control


Reference
11.6.21 Network Configurations MUST be audited at SC9-1.1
least annually (or after significant changes that
occur earlier) and include network scanning.
These checks MUST reference against group
policy and network configuration rule-base(s).
11.6.22 There MUST be regular back up of network SC8-3.1
configuration, network devices, and other
critical servers or devices. Frequency and
retention of the backups should be established
according to service delivery requirements or
otherwise risk assessment advice. The backed
up data MUST be protected to the same level
as the live devices that the backups reflect.
11.6.23 Access to network configuration including SC9-1.1
backup, authentication databases and
administrative services MUST only be available
to authorised personnel. The network
configuration MUST be protected from
unauthorised modification.
11.6.24 A security template providing a baseline SC9-1.1
configuration of the network MUST be
maintained and not kept on the network – this
is to facilitate recovery after a major outage or
security incident.
11.6.25 A formal change process MUST be established SC8-1.2
and all changes MUST be reviewed and
authorised – this process should link to CMDB
management.
11.6.26 There MUST be a regular IT health check, at SC10-2.3
least once annually or at the point of major SC9-1.1
change or following changes that may have a
significant effect on the network security
controls. This is required to ensure that network
security posture has not been weakened by the
change.

Access Control

Reference Security Control Requirement DWP Control


Reference
11.6.27 There MUST be a well-defined policy for SC5-1.2
access management (see SS-001 Access and SC9-1.1
Authentication and User Access Control
Policy).
11.6.28 Access to the enterprise network MUST only SC9-1.1
be granted to managed endpoints and devices.
11.6.29 User access to the network MUST be via SC5-2.5
strong and agreed authentication (this can be
via device authentication given there was prior
authentication of user to device), with the use
of multi-factor authentication where
appropriate.
11.6.30 Users MUST only be provided with access to SC5-2.5
the network and network services that they
have specifically been authorised to use.
11.6.31 As part of a privileged user management SC9-1.1
regime, the allocation and use of privileged
access rights of the network infrastructure
MUST be restricted and controlled to
authorised administrators. They MUST be
appropriately trained and cleared network
administrators. Privileges MUST be
periodically reviewed and removed where no
longer required.
11.6.32 The network MUST be designed to provide SC9-1.1
authentication and access controls for systems
connecting to them. Unauthorised or
noncompliant devices MUST be placed in a
quarantine area where remediation can occur
prior to gaining access to the network. This can
be done by using the 802.1X protocol to secure
the physical ports where end users connect.
11.6.33 There MUST be consideration if a Network SC9-1.1
Admission Control (NAC) Appliance should be
deployed on the network infrastructure to
enforce security policy compliance on all
devices seeking to access network computing
resources.
11.6.34 Infrastructure device access MUST be secured. SC9-1.1
This includes:
• The accessible ports and access
services MUST be limited.
• Access to authorised services MUST be
restricted to authorised originators
only.
• Session management MUST be
enforced (e.g. enforce idle timeouts,
time to live).
• Vulnerability to dictionary and DoS
attacks MUST be minimised (e.g. limit
the rate of login attempts, restrict the
maximum number of concurrent
sessions, enforce a lockout period upon
multiple authentication failure attempts,
enforce the use of strong passwords, log
and monitor user login authentication
failures).
• Access MUST only be granted to
authenticated users, groups, and
services.
• The principle of least privilege MUST be
adopted for all authorised users.
• Deny outgoing access unless explicitly
required.
• There MUST be role based access
control to limit the function the user is
permitted to perform.
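
The session and anti-dictionary measures listed under 11.6.34 (lockout after repeated failures, a cap on concurrent sessions, logging of authentication failures) can be expressed as one login policy. This Python is an added example, not part of the DWP standard; the class name, thresholds and event names are assumptions.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Login policy for a device management interface (thresholds are constructed values)."""

    def __init__(self, max_failures=3, window=60, lockout=300, max_sessions=2):
        self.max_failures = max_failures   # failures tolerated inside the window
        self.window = window               # seconds over which failures are counted
        self.lockout = lockout             # seconds an account stays locked
        self.max_sessions = max_sessions   # concurrent sessions per account
        self.failures = defaultdict(deque)
        self.locked_until = {}
        self.sessions = defaultdict(int)
        self.audit = []                    # (time, user, source, event) records

    def _log(self, now, user, source, event):
        self.audit.append((now, user, source, event))
        return event

    def attempt(self, user, source, now, password_ok):
        """Process one login attempt and return the audit event it produced."""
        if now < self.locked_until.get(user, 0):
            # Locked accounts are refused even when the password is correct.
            return self._log(now, user, source, "refused_locked")
        if not password_ok:
            recent = self.failures[user]
            recent.append(now)
            while recent and recent[0] <= now - self.window:
                recent.popleft()           # drop failures outside the window
            if len(recent) >= self.max_failures:
                self.locked_until[user] = now + self.lockout
                recent.clear()
                return self._log(now, user, source, "lockout_started")
            return self._log(now, user, source, "auth_failure")
        if self.sessions[user] >= self.max_sessions:
            return self._log(now, user, source, "refused_session_limit")
        self.failures[user].clear()
        self.sessions[user] += 1
        return self._log(now, user, source, "login_ok")

    def logout(self, user):
        self.sessions[user] = max(0, self.sessions[user] - 1)

    def failures_by_source(self):
        """Count failed or refused attempts per source address, for monitoring."""
        counts = defaultdict(int)
        for _, _, source, event in self.audit:
            if event != "login_ok":
                counts[source] += 1
        return dict(counts)


def replay(events, guard=None):
    """Feed (time, user, source, password_ok) tuples through a guard; return outcomes and guard."""
    guard = guard or LoginGuard()
    return [guard.attempt(user, src, t, ok) for t, user, src, ok in events], guard


# Constructed sample: three quick failures, a correct password during the
# lockout, then a login after the lockout has expired.
SAMPLE = [
    (0, "netadmin", "192.0.2.10", False),
    (10, "netadmin", "192.0.2.10", False),
    (20, "netadmin", "192.0.2.10", False),
    (30, "netadmin", "192.0.2.10", True),
    (320, "netadmin", "10.10.5.4", True),
]

if __name__ == "__main__":
    outcomes, guard = replay(SAMPLE)
    print(outcomes)
    print(guard.failures_by_source())
```
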

Patching & Testing

Reference Security Control Requirement DWP Control


Reference
11.6.35 There MUST be regular patching and update of SC9-1.1
network components, applications and services
in accordance with the DWP Technical
Vulnerability Management Policy.
11.6.36 Vulnerability management MUST be in place on all SC8-6.1
systems. Particular focus should be given to
those receiving internet traffic, either on
transport or application level, which includes all
systems used in the context of the gateways
used towards the Internet as well as end user
systems used for accessing internet.
11.6.37 Steps MUST be taken to annually audit SC9-1.1
existing security controls against established
benchmarks (i.e. policies, standards,
procedures and compliance obligations),
including by security testing, vulnerability
scanning etc.

Redundancy

Reference Security Control Requirement DWP Control


Reference
11.6.38 The network MUST meet availability SC13-2.1
requirements (in accordance with the SLA
requirement for that part of the network).
Ideally, it should have no single point of failure.

Administration & Management

Reference Security Control Requirement DWP Control


Reference
11.6.39 System and service management channels SC9-1.1
MUST be appropriately secured and separated
from the data channels (i.e. in-band or out-of-
band).
11.6.40 Management access to infrastructure devices SC9-1.1
MUST be secured. This includes:
• Restricting access to authorised terminal
and management ports
• Restricting access to authorised
services and protocols only
• Only granting access to authenticated
and authorised users

Also depending on the network, the following
options are available and MUST be considered:
• In large, dispersed networks where
management terminals or systems are
on a dedicated or sensitive architecture
use Access Control Lists (ACL) to
identify devices allowed to access
management interfaces to prevent
unauthorised access

11.6.41 The management network access MUST be SC9-1.1
deployed using the following best practices:
• Enforce access control using a
management boundary firewall
• Classify and prioritize management
traffic
• Provide network isolation using NAT
• Enforce the use of encrypted, secure
access, and reporting protocols

11.6.42 Administrators MUST be prohibited from SC5-2.3
conducting ‘normal’ day-to-day business from
their high privilege account.
11.6.43 Administration and management MUST SC5-2.3
enforce individual user accounts.
11.6.44 Administrators MUST use different passwords SC5-2.3
for their high-privilege and low-privilege
accounts.
11.6.45 Management traffic MUST be encrypted and SC6-1.7
MUST use agreed and secure protocols.
11.6.46 Remote management MUST use tools which SC6-1.8
ensure strong and multi-factor authentication
and which provide adequate integrity and
confidentiality functions.

Protective Monitoring

Reference Security Control Requirement DWP Control


Reference
11.6.47 A protective monitoring solution for the network SC8-4.12
MUST be implemented in accordance with SS-
012 Protective Monitoring.
11.6.48 Audit logs MUST be drawn from a number of SC8-4.12
sources, such as routers, firewalls,
IDS, and sent to a central audit server for
consolidation and thorough analysis.
11.6.49 Audit logs or error messages with sensitive SC6-1.7
data MUST be encrypted.
11.6.50 There MUST be visibility and awareness into SC9-1.1
what is occurring on the network at any given
time. This should include traffic statistics,
system utilisation/status information, Syslog,
SNMP, ACL logging, accounting, archive
configuration change logger, packet capture,
device access information etc.
11.6.51 Audit logs MUST be maintained that include SC9-1.1
the following types of event:
• a record of who accessed network
infrastructure components, what
occurred, and when,
• logging of all critical/non-critical
transactions by users,
• remote failed log-on attempts with dates
and times,
• failed re-authentication (or token usage)
events,
• security gateway traffic breaches,
• remote attempts to access audit logs,
• system management alerts/alarms with
security implications (e.g. IP address
duplication, bearer circuit disruptions),
• configuration control changes including
altering permissions for management
interfaces and altering routing tables.

11.6.52 On-going monitoring MUST include coverage SC9-1.1
of the following: SC8-4.12
• audit logs from firewalls, routers,
servers, etc.,
• alerts/alarms, such as those from audit logs
pre-configured to notify certain event
types, from sources such as firewalls, routers,
servers, etc.,
• output from IPS/IDS,
• results from network security scanning
activities,

• information on events and incidents
reported by users and support
personnel, (as well as results from
security compliance reviews)

11.6.53 There MUST be the use of analysis tools to SC8-4.12
help to identify when network systems are SC9-1.1
behaving in an unexpected way or providing
indications that systems are under attack or
have been.
11.6.54 There MUST be audit of the use of import and SC9-1.1
export services. Users can be provided with the
means to ‘self-audit’ their use of import and
export services.
11.6.55 All network devices MUST be synchronised to SC8-4.13
the same network clock by using Network Time
Protocol (NTP) to enable accurate and effective
event correlation.
11.6.56 Remote Monitoring MUST be enabled where SC9-1.1
appropriate.

Users Instructions and Training

Reference Security Control Requirement DWP Control


Reference
11.6.57 Users MUST be provided with appropriate SC3-2.2
security training and documented security
operating instructions on acceptable and
secure use of networks.
11.6.58 There MUST be appropriate knowledge and SC3-2.2
training of network systems and up-to-date SC9-1.1
security practices, controls, procedures, and
architectures.
11.6.59 Systems administrators and security managers SC9-1.1
MUST keep up-to-date with the latest
information on vulnerabilities.

Roles and Responsibilities

Reference Security Control Requirement DWP Control


Reference
11.6.60 Roles and responsibilities MUST be SC2-1.1
established and defined for personnel
responsible for the security of the network
including connections to the internet.

11.6.61 There MUST be separation of duties for SC2-1.1
personnel responsible for the security of the
network and personnel responsible for the
security boundaries. Sensitive security
operations MUST NOT be implemented by a
single individual.
11.6.62 Only trained and authorised staff MUST be SC9-1.1
permitted to carry out network security tasks.

Incident management

Reference Security Control Requirement DWP Control


Reference
11.6.63 A security incident management process for SC12-1.1
the network MUST be implemented in
compliance with SS-014 Security Incident
Management Standard.

Physical Security

Reference Security Control Requirement DWP Control


Reference
11.6.64 All network devices (including communication SC7-1.3
cables) MUST be physically protected.
11.6.65 There MUST be policies and practices SC7-1.5
governing physical security in place to protect
personnel, hardware, programs, networks and
data from loss, damage or compromise.
11.6.66 When network equipment is to be reused, SC9-1.1
disposed of or sent for repair outside of DWP
security management boundary domain all
sensitive data MUST be sanitised as described
in HMG IA Standard No.5 (IS5), Secure
Sanitisation or NCSC guidance

9. Office Local Area Network (LAN)

For Office LAN, all relevant requirements specified in Section 11 – Generic Network
Security apply in addition to all the requirements below

Additional LAN Requirements


Reference Security Control Requirement DWP Control
Reference
11.6.67 Consideration MUST be given to whether it is SC9-1.1
appropriate for there to be content checking of
incoming and outgoing traffic to the internet at
the application layer and if there should be
safeguards against potential bypass.
The content checking can include:
• recursive checking
• strict file type identification and filtering

11.6.68 In addition to the anti-malware solutions SC8-2.1
deployed on the network, tiered anti-malware
controls MUST be deployed to protect the LAN
devices.

Wireless Networking
Reference Security Control Requirement DWP Control
Reference
11.6.69 Wireless Networking MUST be in compliance SC9-1.1
with SS-019 Wireless Networking Security
Standard and SS-016 Remote Access Security
Standard. Wireless networks access points
MUST be treated as untrusted and network
controls MUST be implemented accordingly

10. Wide Area Network (WAN)

For Wide Area Network, all relevant requirements specified in Section 11 – Generic
Network Security and Section 12 – Office LAN apply in addition to all the
requirements below

Core WAN Requirements


Reference Security Control Requirement DWP Control
Reference
11.6.70 Where there is a shared WAN backbone, SC9-1.1
enterprise WAN traffic MUST be separated
from other traffic that may be on the WAN to
enable the confidentiality and integrity of data.
11.6.71 WAN network domains MUST be secured SC9-1.1
against attacks. For example, to protect against
Layer 3-based network attacks this could
include device hardening, anti-spoofing
filtering, routing protocol security, protective
monitoring, firewalls, and intrusion prevention
systems.
11.6.72 There MUST be data/file integrity verification SC9-1.1
using algorithms such as hash/checksums,
certificates, validating all critical device
configurations on the WAN network.

Internet Access
Reference Security Control Requirement DWP Control
Reference
11.6.73 All exports to the Internet MUST be authorised SC9-1.1
by a user. Export authorisation should be
traceable to the user who conducted the export.
Validity checks MUST be conducted on users'
export authority (e.g. check for any revocation)
and protect the integrity of exports. This could
be achieved using digital signatures.

Routing Security
Reference Security Control Requirement DWP Control
Reference
11.6.74 Routing sessions MUST be restricted to trusted SC9-1.1
peers and the origin and integrity of routing
updates MUST be validated. This should
include authenticating all routing peers and
disabling routing on all unauthorised interfaces
by default.
11.6.75 Only legitimate networks MUST be advertised SC9-1.1
and propagated.
11.6.76 Neighbour status changes that may indicate SC9-1.1
network connectivity and stability issues (due to
an attack or general operations problems)
MUST be detected and logged.
11.6.77 Appropriate filters MUST be deployed at WAN SC9-1.1
edges where invalid routing information may be
introduced.
11.6.78 There MUST be IP spoofing protection that SC9-1.1
includes source address validation
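
As an added illustration of 11.6.74 to 11.6.78 (not part of the DWP standard), the Python below models a WAN edge that accepts routing updates only from authenticated, trusted peers, keeps only the prefixes each peer is authorised to announce, and validates packet source addresses per ingress interface. The peer address, key, prefixes and interface names are constructed, and the HMAC stands in for whatever peer authentication the routing protocol in use provides.

```python
import hashlib
import hmac
import ipaddress

# Constructed policy. Peer addresses, keys, prefixes and interface names are
# assumptions of this example (documentation and private ranges only).
PEER_KEYS = {"198.51.100.1": b"constructed-shared-key"}
PEER_PREFIXES = {"198.51.100.1": [ipaddress.ip_network("10.20.0.0/16")]}
INTERFACE_SOURCES = {
    "wan0": [ipaddress.ip_network("10.20.0.0/16")],   # remote site behind the WAN
    "lan0": [ipaddress.ip_network("10.10.0.0/16")],   # local office LAN
}


def sign_update(key, prefixes):
    """MAC over the advertised prefixes; stands in for the protocol's own peer authentication."""
    return hmac.new(key, "\n".join(prefixes).encode(), hashlib.sha256).digest()


def process_update(peer, prefixes, mac):
    """Return (accepted, rejected); rejected maps each prefix to the reason."""
    key = PEER_KEYS.get(peer)
    if key is None:                                    # 11.6.74: trusted peers only
        return [], {p: "untrusted peer" for p in prefixes}
    if not hmac.compare_digest(sign_update(key, prefixes), mac):
        return [], {p: "integrity check failed" for p in prefixes}

    accepted, rejected = [], {}
    for prefix in prefixes:
        try:
            net = ipaddress.ip_network(prefix)         # strict: host bits must be zero
        except ValueError:
            rejected[prefix] = "malformed prefix"
            continue
        # 11.6.75 / 11.6.77: keep only networks this peer may legitimately announce.
        if any(net.version == ok.version and net.subnet_of(ok)
               for ok in PEER_PREFIXES.get(peer, ())):
            accepted.append(prefix)
        else:
            rejected[prefix] = "prefix not authorised for this peer"
    return accepted, rejected


def source_is_valid(src, ingress_if):
    """11.6.78: a source address is valid only on the interface where it is expected."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERFACE_SOURCES.get(ingress_if, ()))


if __name__ == "__main__":
    peer = "198.51.100.1"
    update = ["10.20.5.0/24", "0.0.0.0/0", "10.10.0.0/16"]
    print(process_update(peer, update, sign_update(PEER_KEYS[peer], update)))
    print(source_is_valid("10.10.1.5", "wan0"))   # internal source arriving from the WAN
```
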

Service Resilience
Reference Security Control Requirement DWP Control
Reference
11.6.79 WAN resources MUST be protected from SC9-1.3
exhaustion attacks
11.6.80 It MUST be ensured any limited resources at a SC9-1.3
remote site, such as a low bandwidth WAN link
or a low performance platform, are not
overwhelmed, and their utilization is optimised.
This is to preserve and optimise remote site
services.
11.6.81 Device, link, and geographical diversity MUST SC13-2.1
be deployed to eliminate single points of failure.

11. Datacentre
For Datacentre, all relevant requirements specified in Section 11 – Generic Network
Security, Section 12 – Office LAN and Section 13 – Wide Area Network apply in
addition to all the requirements below

General Requirements
Reference Security Control Requirement DWP Control
Reference
11.6.82 There MUST be a firewall for datacentre SC9-1.1
ingress and egress traffic. The firewall MUST
be in accordance with SS-013 Firewall Security
Standard and the DWP Firewall Security
Policy.
11.6.83 The use of shared, virtualised network, server SC9-1.1
and storage infrastructure to host applications
and databases containing OFFICIAL classified
data MUST be in compliance with SS-025
Virtualisation Security Standard
11.6.84 Virtualised network, server, storage machines SC9-1.1
and other virtualised network components
MUST provide the same level of security
controls as per their physical counterparts.
11.6.85 A separate services segment is required which SC9-1.4
can offer firewalling, application delivery
scanning/control and additional security
inspection capabilities to the hosting segments
as appropriate
11.6.86 Separate domains MUST be used to manage SC9-1.4
and monitor from a service and security
perspective. There are four possible domains:
1. Management - common management
components for managing the hosting
service.
2. Security - similar to Management
domain, but instead provides access to
the security enforcing components.
Accessed from a secure environment
3. Service Monitoring – Receives and
stores all non-security alerts and
monitoring feeds. Provides a platform for
initial processing of events to provide
de-duplication and event enrichment.
Only accepts traffic (unidirectional) from
hosted and supporting domains.
Security monitoring and management
treated within separate domains.
4. Security Monitoring – Receives
(unidirectional), stores and forwards logs
and events to the SOC via a secure
channel.
11.6.87 Network management tools MUST be SC9-1.1
hardened – this includes infrastructure
orchestration tools to manage the configuration
of network, compute or storage fabric.

Network and Boundary Controls


Reference Security Control Requirement DWP Control
Reference
11.6.88 There MUST be physically separate external SC9-1.1
security boundary controls to inspect
ingress/egress traffic to the data centre
(configured in accordance with SS-006 Secure
Boundaries Security Standard).
11.6.89 There MUST be clear demarcation between SC9-1.4
different hosting segments enabling them to be
supported independently.
11.6.90 All inbound traffic MUST only come from an SC9-1.1
authorised source and MUST be forwarded to
an authorised destination on the core
datacentre network

11.6.91 The datacentre MUST provide the ability for SC9-1.4
applications and data to be hosted in separate
hosting segments to provide segregation of
data and to control interactions between them
11.6.92 Segregated network, compute and storage SC9-1.4
facilities MUST be provided to manage and
monitor the datacentre infrastructure.
11.6.93 Consideration MUST be given to determine SC9-1.1
which components of the datacentre
infrastructure MUST be built using dedicated
infrastructure components physically discrete
from the overall shared network for added
security.
11.6.94 Consideration MUST be given to inform the SC9-1.1
extent and need for (traffic) filtering/ separation
for each of the layers 2, 3, 4 and 7 (of the OSI
model) and the need for IPS/IDS either on the
host and/or between segments.
11.6.95 Infrastructure and application “Call Home” data SC9-1.1
flows (i.e. for updating) MUST be subject to risk
assessment for protocol break and inspection
in transit across boundaries with untrusted
networks.

Network Storage Devices


Reference Security Control Requirement DWP Control
Reference
11.6.96 There MUST be a firewall to protect storage SC5-5.1
devices from users on the network, with ACL
where appropriate to enforce further
separation. These measures should be backed
up by implementing effective privilege
management controls.
11.6.97 If a SAN is being implemented using fibre SC5-5.1
channel (FC), then the following controls
MUST be implemented:
• Any unnecessary accesses, ports or
services MUST be appropriately locked
down (i.e. set/configure FC switch ports,
zones (subsets of servers and storage
arrays), Logical Unit Number (LUN)
masks, and any present proprietary
access control mechanisms (such as
virtual SANs))
• An assured secure authentication
mechanism MUST be used between all
FC devices (servers, switches and
storage arrays) and make the
authentication mutual
• Data-in-transit and all communications
between FC devices MUST be
encrypted

Physical Security
Reference Security Control Requirement DWP Control
Reference
11.6.98 The datacentre MUST have resilient diverse SC13-2.1
communications. In the event of a power
failure, there MUST be provision to maintain
continuity of power supply.
11.6.99 Physical access to the servers, switches, SC7-1.3
routers, cables and other network devices
MUST be restricted – for example, with the use
of secure rooms and lockable cabinets.
11.6.100 Networking equipment MUST be physically SC7-1.3
secured such that they cannot be
disconnected, interfered or removed without
authorisation.
11.6.101 Where appropriate, hardware ports in SC5-2.16
networking equipment MUST be physically
protected so that there can be no unauthorised
connection.
11.6.102 Ingress and egress to secure areas where SC7-1.3
network devices reside MUST be protected by
appropriate entry controls and monitored using
surveillance.

12. Virtual Private Networks (VPNs)


VPN Core Requirements
Reference Security Control Requirement DWP Control
Reference
11.6.103 The confidentiality of data and code in transit in SC6-1.7
the tunnel between trusted and untrusted
networks MUST use encryption of the data
when it is in transit, to prevent compromise
(see SS-007 Use of Cryptography).
11.6.104 The integrity of data and code in transit in the SC6-1.7
tunnel MUST NOT be compromised. The
mechanisms used to implement the VPN tunnel
should support integrity checking of data and
code in transit, using techniques such as
message verification codes, message
authentication codes and anti-replay
mechanisms or integrity protection controls
should be implemented in the end-systems.
11.6.105 Authenticity of information crossing public IP SC6-1.7
networks MUST be provided between
participating peers in a VPN.
11.6.106 The tunnel establishment and operating SC6-1.7
process MUST be supported by authorisation
controls and should include Access Control
Lists.
11.6.107 Security controls to counter denial of service SC9-1.3
attacks which are specific to tunnel
mechanisms MUST be incorporated wherever
necessary
11.6.108 Split tunnelling MUST be prohibited. SC5-4.8

11.6.109 The VPN solution MUST maintain appropriate SC8-4.12
audit logs for the analysis of all actions at that
endpoint.
11.6.110 Technical vulnerability management MUST be SC8-6.1
present for all VPN devices. This means that
the device MUST be kept in a hardened
configuration and management arrangements
MUST be in place to manage vulnerabilities.
11.6.111 There MUST be hardening of VLANs against SC9-1.5
hopping and other attacks. This could be
mitigated by applying best industry and
manufacturer practices
11.6.112 In VPN architectures where endpoint SC9-1.5
obfuscation is a requirement, controls MUST
be implemented to mask source and
destination locations of VPN users. The chosen
solution will have to be approved by a DWP
Security Architect or by Design Authority.
11.6.113 The VPN MUST be in compliance with all SC8-2.1
relevant controls specified in SS-015 Malware
Protection Security Standard and SS-016
Remote Access Security Standard.
11.6.114 VPN deployment using portable media such as SC9-1.1
CD-ROMs, diskettes, etc. MUST be controlled,
e.g. by creating delivery and receipt log(s) and
by implementing restrictions on re-use of media
such as a date/time expiration or limitation on
the number of times an execution can be
performed.

VPN Gateway
Reference Security Control Requirement DWP Control
Reference
11.6.115 The VPN gateway, which terminates any SC9-1.1
encryption used to protect the link from the
endpoint, MUST be located in the security
boundary.
11.6.116 The VPN gateway MUST mutually authenticate SC5-2.4
with the device (with prior authentication of
user to device having occurred) before allowing
access.

11.6.117 A VPN gateway MUST be set up by configuring SC9-1.1
it to the network configuration and
port/application access required, installation of
certificates (e.g. for Higher Layer VPNs), and
the continuing network monitoring of the VPN
gateway enabled.
11.6.118 The VPN gateway MUST be protected against SC9-1.1
network layer attacks (e.g. through the use of
firewalls). Ensure that only VPN traffic
(nominally identified by destination port and
protocol number) reaches the VPN gateway.

VPN Endpoint Devices


Reference Security Control Requirement DWP Control
Reference
11.6.119 VPN endpoint MUST be configured to ensure SC5-4.8
that there is only communications between an SC9-1.1
always-on VPN and the hosting network.
11.6.120 There MUST only be authorised endpoint SC5-2.4
connectivity to other networks or devices to SC9-1.1
avoid an uncontrolled device from another
network compromising the VPN.

13. Compliance
Compliance with this standard MUST occur as follows:

Compliance Due Date


On-going From the first day of approval
Retrospective Within 6 months of the approval of the standard.

14. Accessibility
No user interfaces are included in this standard and accessibility is not applicable as
part of this standard. However, it is deemed that projects implementing this standard
are obliged to incorporate accessibility functions where necessary.

15. Security Standards Reference List


Document Name Location Version
Exceptions Process TBD N/A
DWP Baseline Control Set DWP SharePoint 1.0
Standard Master List TBD N/A

16. Reference Documents


Centre for the Protection of National Infrastructure: Protection of Data Centres, April
2010

CESG Good Practice Guide 8 – Protecting External Connections to the Internet,
Issue 1.0, March 2009

CESG Good Practice Guide 35 – Protecting an Internal ICT Network, Issue 2.0,
August 2011

Cisco: Network Security Baseline

Cisco SAFE Reference Guide, July 8 2010

PSN Code of Connection, Version 1.31, March 2017

NCSC: Network Security Guidance

ISO 27033: Network Security – Parts 1 - 6

DWP Digital Blueprint

DWP Technical Vulnerability Management Policy


17. Definition of Terms


Term | Definition
Denial of service (DoS) | Prevention of authorized access to a system resource or the delaying of system operations and functions, with resultant loss of availability to authorized users
Demilitarised Zone (DMZ) | perimeter network (also known as a screened sub-net) inserted as a “neutral zone” between networks
Firewall | type of security barrier placed between network environments — consisting of a dedicated device or a composite of several components and techniques — through which all traffic from one network environment traverses to another, and vice versa, and only authorised traffic, as defined by the local security policy, is allowed to pass.
Filtering | process of accepting or rejecting data flows through a network, according to specified criteria
Intrusion Detection System | technical system that is used to identify that an intrusion has been attempted, is occurring, or has occurred and possibly respond to intrusions in information systems and networks
Intrusion Prevention System | variant on intrusion detection systems that are specifically designed to provide an active response capability
Network Perimeter | physical or logical subnetwork that contains and exposes an organization’s external services to a public network
Network Zoning | the concept that system resources of different sensitivity levels (i.e., different risk tolerance values and threat susceptibility) should be located in different security zones
Network Telemetry | process of continuously observing and reviewing data recorded on network activity and operations, including audit logs and alerts, and related analysis
Router | network device that is used to establish and control the flow of data between different networks by selecting paths or routes based upon routing protocol mechanisms and algorithms
Security Domain | set of assets and resources subject to a common security policy
Security Gateway | point of connection between networks, or between subgroups within networks, or between software applications within different security domains intended to protect a network according to a given security policy.
Switch | device which provides connectivity between networked devices by means of internal switching mechanisms, with the switching technology typically implemented at layer 2 or layer 3 of the OSI reference model
Security Boundary | the basic means of keeping network traffic flowing where you want and restricting it where you do not is a security boundary: dedicated firewall devices, firewall functions in IPS devices, and access control lists in network routers and switches
Tunnel | data path between networked devices which is established across an existing network infrastructure


Virtual Local Area Network | independent network created from a logical point of view within a physical network
VPN Gateway | a type of networking device that connects two or more devices or networks together in a VPN infrastructure. It is designed to bridge the connection or communication between two or more remote sites, networks or devices and/or to connect multiple VPNs together.

18. Glossary
Abbreviation | Definition
AAA | Authentication, Authorization and Accounting
ACL | Access Control List
AES | Advanced Encryption Standard – defined in FIPS 197. Different modes of operation are covered in different documents.
ARP | Address Resolution Protocol
DAM | Database Activity Monitoring
DHCP | Dynamic Host Configuration Protocol
DLP | Data Loss Protection
DMZ | Demilitarised Zone
DNS | Domain Name Service
DA | Design Authority (DA)
DoS | Denial of Service
DWP | Department for Work and Pensions (DWP)
FTP | File Transfer Protocol
HIPS/HIDS | Host-based Intrusion Protection/Detection System
HTTP/HTTPS | Hypertext Transfer Protocol/Hypertext Transfer Protocol Secure
IPS/IDS | Intrusion Protection/Detection System
LAN | Local Area Network
MAC | Media Access Control
MITM | Man-in-the-middle
MPLS | Multi-protocol label switching
NAC | Network Admission Control
NAT | Network Address Translation
NAS | Network Attached Storage
NCSC | National Cyber Security Centre
NIPS/NIDS | Network Intrusion Protection/Detection System
NTP | Network Time Protocol
OOB | Out of Band
PKI | Public Key Infrastructure
PSN | Public Sector Network
QoS | Quality of Service
SAN | Storage Area Network
SNMP | Simple Network Management Protocol
SOC | Security Operations Centre
SQL | Structured Query Language
STP | Spanning Tree Protocol


SSD | Solid State Drive
SSH | Secure Shell
VLAN | Virtual Local Area Network
VPN | Virtual Private Network
WAN | Wide Area Network
XML | Extensible Markup Language
XSS | Cross-Site Scripting
