One of the priorities in any move of records and other information following a transfer of functions is information security.
Security provision should be proportionate to the nature, contents and sensitivity level of the information and should conform to the principles of the Security Policy Framework (SPF), ensuring that the confidentiality, integrity and availability of information are appropriately maintained.
Any transferring organisation should satisfy itself that the receiving organisation has the necessary accreditation, infrastructure, procedures and policies in place, that is, the capacity to hold and protect the material and the organisational culture to treat it appropriately. Commercial and other partners who may be involved in handling the move of records should follow the same principles and practice.
Identify what material should be transferred to the receiving organisation and the nature of any associated risks, for example with regard to sensitivity or personal data.
Assess whether the receiving organisation meets appropriate security requirements or whether existing information communications technology (ICT) infrastructure, policies and procedures will need to be revised or upgraded. This should be done by or under the auspices of the Departmental Security Officers (DSOs) concerned, and guidance on accreditation and the implementation of information assurance (IA) and risk management should be sought from CESG, the UK’s National Technical Authority for IA. Organisations should also follow the guidance of the Office of the Government Senior Information Risk Owner (OGSIRO) on managing information risk.
Only when any necessary upgrading or implementation of appropriate security measures has taken place should the material be moved. The method of transit and the security measures employed to protect the information during the move should conform to the principles of the SPF and relevant CESG IA Standards and Guidance.