Guidance

DCPP requirements: 'Low' cyber risk profile

Updated 24 July 2020

The Low cyber risk profile applies to contracts where the cyber risks to the contract have been assessed as basic but more targeted, and where the attackers may be semi-skilled but not persistent.

Low cyber risk profile requirements

Governance

L.01 Define and implement an information security policy, related processes and procedures.
L.02 Define and assign information security relevant roles and responsibilities.
L.03 Define and implement a policy which addresses information security risks within the supply chain.

Security culture and awareness

L.04 Define and implement a policy which ensures all functions have sufficient and appropriately qualified resources to manage the establishment, implementation and maintenance of information security.
L.05 Define employee (including contractor) responsibilities for information security.
L.06 Define and implement a policy to provide employees and contractors with information security training.

Information asset security

L.07 Define and implement a policy for ensuring sensitive information is clearly identified.
L.08 Define and implement a policy to control access to information and information processing facilities.

Info-cyber systems security

L.09 Maintain annually renewed Cyber Essentials Scheme Plus Certification.
L.10 Define and implement a policy to control the exchanging of information via removable media.
L.11 Record and maintain the scope and configuration of the information technology estate.
L.12 Define and implement a policy to manage the access rights of user accounts.
L.13 Define and implement a policy to maintain the confidentiality of passwords.

Personnel security

L.14 Define and implement a policy for verifying an individual’s credentials prior to employment.
L.15 Define and implement a process for employees and contractors to report violations of information security policies and procedures without fear of recrimination.
L.16 Define and implement a disciplinary process to take action against employees who violate information security policies or procedures.

Security Incident Management

L.17 Define and implement an incident management policy, which must include detection, resolution and recovery.

Online guidance:

Cyber Essentials scheme
SANS Information Security Policy templates
Staff awareness and training
Staff education and awareness
Data security
Removable media controls
Managing user privileges
Password policy: updating your approach
Incident Management