The Cyber Security Policy states the principles to maintain and support an effective cyber security capability within Dyfed-Powys Police.
It is of paramount importance that Dyfed-Powys Police upholds the ability to Identify, Protect, Detect, Respond and Recover in line with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and that Dyfed-Powys Police continually follows the standards and guidelines as set out by the National Cyber Security Centre (NCSC).
The NIST Cybersecurity Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure, following a prioritised, flexible and repeatable approach. The adoption of NIST methodology for cyber security management facilitates effective management of the cyber security capability and supports associated functions in achieving a strong cyber security posture.
The functional areas of the NIST Cybersecurity Framework are:
Identify – the identification of the cyber threat landscape in relation to the business context, the identification of assets and the level of protection in place, and identification of relevant legal and regulatory requirements.
Protect – the methods used to protect assets, inclusive of ICT procedures and staff awareness training.
Detect – the means and processes to detect the occurrence of a cyber security event, inclusive of protective monitoring and the initial reporting of actual or suspected cyber security events.
Respond – the activities undertaken to respond to a cyber security event and the ability to mitigate the impact of such an event.
Recover – the restoration of functions or services to expected levels and reduction in the overall impact of a cyber security event.
The NCSC is the lead for cyber security in the United Kingdom, providing guidance and support to critical organisations in the UK, the wider public sector, industry, and small and medium enterprises. The NCSC creates practical cyber security guidance, responds to cyber security incidents, and works alongside industry and academia to develop the United Kingdom’s cyber security capability. The guidelines set out by the NCSC facilitate a strong cyber security posture.
Applies (but not limited) to: All categories of Dyfed-Powys Police Officers and staff, whether full-time, part-time, permanent, fixed term, temporary (including agency staff, associates and contractors), seconded staff and volunteers. Police Officers, staff and volunteers accessing and using Force assets and property must have due regard to the contents of this policy.
Maintaining confidentiality, integrity and availability of data is of paramount importance to Dyfed-Powys Police, particularly in relation to the need to protect data in line with the requirements of the Data Protection Act 2018 and the UK General Data Protection Regulation.
Any event which impacts, or may potentially impact, upon the confidentiality of data, the ability to access data, or the level of data integrity could have an adverse effect on the efficient operation of policing services, and upon the reputation of Dyfed-Powys Police as an organisation.
Dyfed-Powys Police recognises and undertakes practices and procedures, including timely patch management, the use of firewall technology, the production of risk and vulnerability assessments, the carrying out of penetration testing, and the application of mitigations to prevent and/or reduce the impact of cyber security events. The Force operates a dynamic and adaptable cyber incident response capability, in accordance with the potential cyber security events present within the cyber threat landscape.
Information Communications Technology is continually vulnerable to illegal and malicious activity, and to exploitation via internal and external sources. Cyber incident management is a paramount component of effectively managing and protecting against the potential or actual outcome of such vulnerabilities, and of mitigating the impact of cyber security events. Whilst it is impossible to eliminate all cyber security events, proactive prevention is a critical element of a mature incident management capability.
Damage to ICT systems from a cyber security event can occur in a relatively short time period. All users of Dyfed-Powys Police systems should have an awareness of basic cyber security and all users are required to promptly report potential or actual cyber security events, or suspicions thereof, via the dedicated channels available, including the Workstream Tracker system and the ICT Service Desk.
This policy mitigates and reduces the impact of the following risks:
Compliance with this policy protects Dyfed-Powys Police systems and data, thereby supporting the effective delivery of policing services, whilst also providing assurance to the local community, partner organisations, and the wider policing family that cyber security is effectively managed within Dyfed-Powys Police.
This policy is fit for purpose in that it meets organisation requirements and is reflective of measures recommended as part of the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and is supportive of practices and guidance endorsed by the National Cyber Security Centre (NCSC) relating to cyber security and incident response.
The Force complies with the following legislation and all other legislation as appropriate, including, but not limited to:
Related policies, standards, procedures, practices, including, but not limited to:
Policy Owner: The policy is owned by the Head of ICT who is responsible for regularly monitoring the policy for its effectiveness, challenges to the policy, any changes to National Institute of Standards and Technology (NIST) and National Cyber Security Centre (NCSC) practices and guidance, and any inefficiencies in relation to the implementation of this policy.
Approval Process: Approval of decisions regarding the implementation of this policy is given by the Information Assurance Board.
Key roles in Cyber Security:
Senior ICT Operational Management – Overall ICT leadership and management
Information Security Officer / IT Security Officer – Incident management, liaison and support
Principal ICT Specialist - Security – Technical security lead
ICT Specialists – Security Team – Technical support
All Police Officers, Staff and Volunteers – Cyber security awareness, reporting of actual or suspected incidents
The following Code of Ethics principles are relevant to this policy:
Incident reporting in relation to cyber security events is used to quantify issues relating to cyber security which have been reported.
The ICT Department maintains the ability to detect events using various Security Information and Event Management (SIEM) tools; these are used to monitor cyber security events and to highlight any issues relating to cyber security and related policies and procedures.
As part of the Force’s Protective Monitoring capability, the ICT Department receives alerts from the National Management Centre (NMC); these are used to further support ICT in the carrying out of protective monitoring and the identification of cyber security issues.
Any relevant issues relating to cyber security are referred for consideration to the Cyber Resilience Group and are escalated to the Information Assurance Board where necessary.
Practices and guidance from the National Institute of Standards and Technology (NIST) and the National Cyber Security Centre (NCSC) are considered when reviewing and updating this policy, which shall take place annually as a minimum.
This policy has been drafted in accordance with the Code of Ethics and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Code and the principles underpinning it.
This policy has been drafted in accordance with the Human Rights Act and has been reviewed on the basis of its content and the supporting evidence and it is deemed compliant with that Act and the principles underpinning it.
Section 4 of the Equality Act 2010 sets out the protected characteristics that qualify for protection under the Act as follows: Age; Disability; Gender Reassignment; Marriage and Civil Partnership; Pregnancy and Maternity; Race; Religion or Belief; Sex; Sexual Orientation.
The public sector equality duty places a proactive legal requirement on public bodies to have regard, in the exercise of their functions, to the need to:
The equality duty applies to all protected characteristics with the exception of Marriage and Civil Partnership, to which only the duty to have regard to the need to eliminate discrimination applies.
Carrying out an equality impact assessment involves systematically assessing the likely or actual effects of policies on people in respect of all the protected characteristics set out above. An equality impact assessment should be carried out on any policy that is relevant to the public sector equality duty.
EQUALITY IMPACT ASSESSMENT COMPLETED: January 2025