§ Mr. CohenTo ask the Secretary of State for Education whether he has incorporated the code of practice for information security management, published by the British Standards Institution, into relevant contracts with information technology suppliers.
743W
§ Mr. ForthThe code of practice for information security management was developed by and established for use by commercial organisations and does not specifically address the requirements for the protection of official information. The security requirements for IT systems and services used by central Government Departments are stated in the Government's IT security policy document. The IT security policy is supported by use of the CCTA risk analysis and management method.CRAMM.and baseline security for IT systems.BSITS.risk analysis methods and by supporting advice and guidance published by the Government IT security authorities. These are regularly reviewed to ensure best practice, have been developed specifically for use within government and have been in operation for some time.
The Department for Education's IS security policy is in line with the Government's IT security policy and all major contracts with information technology suppliers follow the guidelines in Central Computer and Telecommunications Agency.CCTA.model agreements.