Information surrounding this document is controlled, below is a high level overview.

Unless controlled, computer and communications vulnerabilities create opportunities for unauthorized users to gain access, and copy or otherwise manipulate the data held. Keeping track of these vulnerabilities, and advising users of appropriate protective controls, are continuing functions of the security authorities. Protective controls therefore need to be put in place to counter the risks (threats and vulnerabilities) to information and communication systems. HMG Information Assurance Standard No. 4, Part 3, Information and Communication Technology Vulnerabilities and Risk Management has been produced to aid the user.

Within the SPF, Mandatory Requirement 40 concerns IS4. Departments and Agencies must comply with HMG IA Standard No.4 – Communications Security and Cryptography (parts 1-3) for the protection of protectively marked material. Paying particular attention to the circumstances when encryption is required, the requirement to only use CESG approved solutions, the control mechanisms for cryptographic items, and the requirement for specified levels of personnel security clearance for individuals handling cryptographic items.

Now a component of Tier 4 of the Security Policy (SPF), (which has replaced the MPS version of IS4), Part 1 will be named Management of Cryptographic Systems, Part 2, Forms & Instructions and Part 3, Information & Communications Technology Vulnerabilities & Risk Management which includes aspects of communications formerly covered by the Standard.

If you have a requirement that involves this Standard please contact us at standards@platinumsquared.co.uk

For more information from CESG, please visit www.cesg.gov.uk

Extracts taken from HMG Documentation. © Parts of this document are copyright, reserved and vested in the Crown.