BS 7858 specifies a Code of Practice for the security screening of individuals and third party individuals prior to their employment by an organisation in a security environment where the security and safety of people, goods or property is of extreme importance. It also applies when there is a public interest requirement for security screening.
Giving best-practice recommendations, BS 7858 sets the standard for the security screening of staff. This includes data security, sensitive and service contracts and confidential records.
BS 7858 sets out all the necessary requirements to conduct a successful security screening process. It covers ancillary staff, acquisitions and transfers and the security conditions of contractors and subcontractors. It also looks at information relating to the Rehabilitation of Offenders and Data Protection Acts.
The Security Policy Framework
The Security Policy Framework (SPF) describes the standards, best practice guidelines and approaches that are required to protect UK Government assets (people, information and infrastructure). It focuses on the outcomes that are required to achieve a proportionate and risk managed approach to security that enables government business to function effectively, safely and securely.
The SPF is applicable to all UK Government Departments and Agencies and those bodies that are directly responsible to them. It can be extended to any organisations working on behalf of, or handling, HMG assets such as Non-Departmental Public Bodies, contractors, Emergency Services, devolved administrations, Local Authorities, or any regular suppliers of goods and/or services.
The UK Government Security Secretariat (GSS) within the Cabinet Office is responsible for developing and maintaining the Framework and works closely with a variety of security agencies and organisations across government, including the CPNI, the NCSC, OCSIA and the Civil Contingencies Secretariat (CCS) within the Cabinet Office.
The SPF is endorsed by the Official Committee on Security (SO) and is updated on a regular basis with a refreshed edition every six months.
Further details can be found at https://www.gov.uk/government/publications/security-policy-framework
Security Clearance Levels
There are a number of security clearance levels available: the Counter-Terrorist Check (CTC), Security Check (SC) and Developed Vetting (DV). Further details on each of them can be found below.
These security vetting processes give an assurance of an individual’s suitability for access to sensitive government information or other valuable assets. However, vetting alone does not give a guarantee of future reliability. It is important that personnel security continues after the initial security clearance is approved and that any new information or concerns that may affect the reliability of a person are brought quickly to the attention of the appropriate authorities. This is achieved through a combination of aftercare and the routine security clearance review procedures.
CREST looks for the minimum vetting level requirement as outlined in BS 7858, but companies should consider the type of work they undertake and the importance of client confidentiality.
a) Counter-Terrorist Check (CTC) or (CTC Cleared)
The Counter-Terrorist Check (CTC) is most commonly required by police, legal agencies and government agencies hiring contractors. A CTC will normally take up to six months to complete and is usually valid for 3 years.
The purpose of the CTC is to prevent persons who may have connections with terrorist organisations, or who may be vulnerable to pressure from them, from undertaking certain security duties where sensitive information may be compromised.
A CTC does not allow access to, knowledge of or custody of protectively marked assets and information, but the Baseline Personnel Security does unlock some restrictions. It is carried out as part of the CTC vetting process, along with the Departmental/Company Records Check, Security Questionnaire, Criminal Record Check and Security Service Check.
b) Security Check (SC) or (SC Cleared)
Security Clearance (SC) is the most common type of vetting process. Transferable between government departments, it covers a wide range of jobs from IT and health to government, MoD, defence and private sector.
Valid for five years for contractors and ten years for permanent employees, SC is for IT professionals who need substantial access to secret, occasionally top secret, assets and information.
To gain SC clearance you will normally need to have been a UK resident for a minimum of five years and will need to successfully complete all stages of the vetting process, which includes:
i. Baseline Personnel Security Standard
ii. Departmental/Company Records Check
iii. Security Questionnaire
iv. Criminal Record Check
v. Credit Reference Check
vi. Security Service Check
On completion, information is assessed and a decision made to refuse or approve the clearance application. It will usually take a minimum of six weeks to complete and is generally reviewed every ten years.
c) Developed Vetting (DV)
Developed vetting is the most thorough method of security vetting. The DV process includes a check of identity documents, employment and education references.
Criminal records and credit reference checks are carried out, along with a check against security service records. Some of the references may also be double-checked by writing to or interviewing the individuals who provided them. The individual being vetted will also be interviewed by a Vetting Officer.
The usual criteria for requiring a DV are “long term, frequent and uncontrolled access to top secret information or assets or in order to satisfy requirements for access to material originating from other countries and international organisations”.