The Data Handling Review (DHR) requires that Departments conduct independent penetration testing of their systems to protect against hacking and other forms of malicious attack including malware and viruses. In addition, the Security Policy Framework (SPF; published by the Cabinet Office in December 2008) sets out the mandatory protective security requirements that all Departments are required to adhere to, covering all aspects of physical, personnel and information/data security. The policy guidance is available on the Cabinet Office website at: www.cabinetoffice.gov.uk/spf.
SPF Mandatory Requirement (MR) 39 requires that Departments have effective information security policies and procedures in place which must include policies preventing unauthorised access to ICT systems and the effective prevention of virus and spyware attacks. Detailed (often protectively marked) technical guidance is available to help Departments implement these requirements, including material developed by CESG, the National Technical Authority for Information Assurance (part of GCHQ).