§ Mr. CohenTo ask the Chancellor of the Exchequer whether he has incorporated the code of practice for information security management, published by the British Standards Institution, into relevant contracts with information technology suppliers.
§ Sir John CopeThe security requirements for IT systems and services used by central Government Departments are stated in the Government IT security policy document. This document is supported by use of the CCTA risk analysis and management method—CRAMM —and baseline security for IT systems—BSITS—risk analysis methods and by supporting advice and guidance published by the Government security authorities. These are regularly reviewed to ensure best practice, have been developed specifically for use within government and have been in operation for some time. The code of practice for information security management was developed by and established for use by commercial organisations and does not specifically address the requirements for the protection of official information.
§ Mr. CohenTo ask the Chancellor of the Exchequer if he will make a statement about the operation of his Department's sensitive documents unit; how many staff are employed in its operation; and approximately how many documents per annum come within its purview.
§ Sir John CopeThe Treasury does not have a sensitive documents unit. Sensitivity checks are carried out on records being considered for release to the Public Record Office. In the period from October 1992 to October 1993, 97 linear feet of records were checked for sensitivity by 3.5 staff.