Government Departments: ICT

Volume 503: debated on Wednesday 6 January 2010

To ask the Minister for the Cabinet Office if she will initiate a review of the potential effect of the practices of Government departments in respect of the use of data sticks on the risk of importing viruses and spyware into Government IT systems. (309411)

The Data Handling Review (DHR) requires that Departments conduct independent penetration testing of their systems to protect against hacking and other forms of malicious attack including malware and viruses. In addition, the Security Policy Framework (SPF; published by the Cabinet Office in December 2008) sets out the mandatory protective security requirements that all Departments are required to adhere to, covering all aspects of physical, personnel and information/data security. The policy guidance is available on the Cabinet Office website at:

SPF Mandatory Requirement (MR) 39 requires that Departments have effective information security policies and procedures in place which must include policies preventing unauthorised access to ICT systems and the effective prevention of virus and spyware attacks. Detailed (often protectively marked) technical guidance is available to help Departments implement these requirements, including material developed by CESG, the National Technical Authority for Information Assurance (part of GCHQ).