Overview
What
This guide seeks to:
- Encourage and enable effective partnership working and information sharing on critical infrastructure resilience
Who
This guide is aimed at:
- Government – CI Resilience Policy leads in Scottish Government
- Critical Infrastructure (CI) Operators – Strategic Management, Resilience and Business Continuity Management (BCM) leads
- Responder Communities – Regional Resilience Partnerships (RRPs), Local Resilience Partnerships (LRPs)
Why
Stakeholder Collaboration is a Guiding Principle of the CIR Strategy.
Stakeholder collaboration promotes and helps:
- CI information being shared with the right people at the right time
- Identify interdependencies
- A better understanding of vulnerabilities
- Mitigation action to be taken
- Provide a better understanding of the consequences when things do go wrong
- More effective multi-agency response
How
Ensure that information on CI is shared with the right people at the right time, taking into account commercial sensitivities and protective markings.
Available tools include:
- Resilience Direct (RD) – https://collaborate.resilience.gov.uk/
- Information Sharing Protocols (ISPs) (see Annex A)
- Non-Disclosure Agreement (see Annex B)
- HMG Personnel Security Controls – Right Issue, Right Time, Right Level, Right Assessment (see Annex C)
- Cabinet Office Guidance “Keeping the Country Running” – Critical Infrastructure Owner/Operator – Categories of Information for lead category 1 Responders (see Annex D)
Case Study
Establishing a Local Multi-agency Critical Infrastructure Resilience Group
With the approval of Scottish Government, a local multi-agency ‘Critical Infrastructure’ Group was established in the West of Scotland. Membership was drawn from local authority areas, emergency services, utility companies, the Scottish Environment Protection Agency, Scottish Government, Police, the Centre for the Protection of National Infrastructure and the Ministry of Defence.
The primary focus was to make better use of local knowledge, particularly Counter Terrorist Security Advisors (CTSAs) and local industry/critical site owners, to improve the resilience and protective security of critical sites and Critical National Infrastructure (CNI) in the local area.
The group encouraged greater partnership working at a local level, in order to develop a better multi-agency approach to address crises or serious incidents occurring.
A significant challenge for the group was developing an environment where both security related and commercially sensitive information could be shared safely and appropriately.
Key to the process was the development of an Information Sharing Protocol for members (see Annex A).
The protocol proved to be extremely useful in live situations, where members of the group were able to exchange sensitive information due to the existing relationship and trust that had already been developed.
The group also participated in a Cabinet Office Pilot Project which looked at information sharing and understanding interdependencies at a Critical Infrastructure asset belonging to the Police.
Key to this process was the development of a non-disclosure document to ensure sensitive commercial information was not distributed or made available inappropriately to competitor organisations involved in the project (See Annex B).
The group also utilised:
- HMG Personnel Security Controls – Right Issue, Right Time, Right Level, Right Assessment (see Annex C)
- Cabinet Office Guidance “Keeping the Country Running” – Critical Infrastructure Owner/Operator – Categories of Information for Lead Category 1 Responder (see Annex D)
Background
Scotland’s critical infrastructure is a complex interconnected number of assets, systems and networks, providing essential services to the People of Scotland. This Guide has been developed to support infrastructure owners and operators, emergency responders, and government departments to work together to improve the resilience and security of critical infrastructure and essential services in Scotland. This document supports the framework provided by the Civil Contingencies Act 2004 [4] (CCA), which forms the legal basis for emergency preparedness in Scotland and across the UK and the duty to share information for the purposes of improved emergency planning.
For detailed information on the obligations for information sharing and cooperation that underpin the normal day to day exchange of information between those involved in resilience planning, reference should be made to:
- The Civil Contingencies Act (CCA) 2004 (Contingency Planning) (Scotland) Regulations 2005 [5];
- Ready Scotland, which is the Scottish Government civil emergencies website containing a suite of guidance and useful resources [6];
- Preparing Scotland [7], a Scottish Government publication containing a hub of guidance to assist Scotland to plan for, respond to and recover from emergencies. While it is produced by the Scottish Resilience Development Service (ScoRDS), there is a core emphasis on coordination, as a successful Preparing Scotland is one that is developed and owned by the resilience community.
To achieve successful long term enhancement of CIR, it is crucial that effective Stakeholder Collaboration (partnership working and information sharing) is one of the guiding principles applied by Government, Industry and Responder Communities during the Integrated Emergency Management (IEM) process of ‘Anticipation’, ‘Assessment’, ‘Prevention’, ‘Planning’, ‘Response’ and ‘Recovery’ [8]. The aim of IEM is to develop flexible and adaptable arrangements for dealing with emergencies, whether foreseen or unforeseen. It is based on a multi-agency approach and the effective co-ordination of those agencies. Whilst an individual commitment to this process is important, experience shows that working together greatly increases effectiveness. All involved should therefore ensure that they have explored fully the benefits of collaborative working, training and exercising. In doing this they will gain the benefits of partnership working, maximise effectiveness and, in large part, meet their duty of cooperation under the CCA.
It is therefore the principles of collaboration and partnership working which the present guide seeks to foster.
4 https://www.legislation.gov.uk/ukpga/2004/36/contents
5 http://www.legislation.gov.uk/ssi/2005/494/contents/made
6 & 7 https://www.readyscotland.org/
8 See Chapter 3, Integrated Emergency Management: Guidance and Principles for further reading at: https://ready.scot/how-scotland-prepares
Guidance
General – All Stakeholders
Protection vs Sharing: Striking a balance
A pragmatic balance needs to be struck between the protection and sharing of CI information to ensure security does not become a major barrier to effective stakeholder collaboration.
If the security of CI information is compromised this could increase the vulnerability of an asset or assets to attack. Therefore, sensitive information which may help identify the significance or importance of an asset, its vulnerabilities or security arrangements should be appropriately protected. Applying too high a protective marking to CI information on the other hand will create barriers to legitimate access to the information, adversely impacting on the efficiency and effectiveness of those involved in CI resilience work.
How is this tension resolved? Useful guidance on the key principles, classification definitions, handling and storage instructions as well as protecting assets and infrastructure, can be found in the Cabinet Office publication ‘Government Security Classifications May 2018’, available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/715778/May-2018_Government-Security-Classifications-2.pdf
A proportionate approach to the security classification of sensitive information can also be found in the UK Government’s framework for protectively marking sensitive information, contained in the Cabinet Office publication HMG Security Policy Framework (SPF) [9]. The framework is impact driven in that it takes account of the likely consequence of the information being compromised. In applying this guidance, all government departments and agencies must adhere to the SPF. The UK Government operates a Classification Policy to identify and value information according to its sensitivity and to drive the right protections. This comprises three levels: OFFICIAL, SECRET and TOP SECRET, for which there are distinct security arrangements. OFFICIAL covers most of the day-to-day business of government, service delivery, commercial activity and policy development. SECRET and TOP SECRET information will typically require bespoke, sovereign protection, but OFFICIAL information can be managed with good commercial solutions that mitigate the risks faced by any large corporate organisation. In this way government can deliver securely and efficiently, and shape its services to meet the user needs.
This system is designed to ensure that access to information is correctly managed and safeguarded to an agreed and proportionate level throughout its lifecycle from creation, processing, storage and transmission through to destruction. It is designed to protect information (and other assets) from accidental or deliberate compromise and CI information must be classified, handled and stored in line with its requirements.
One other way of enabling the discussion is to declassify the information, by either removing or summarising particularly sensitive information such as information about asset vulnerabilities. This may still enable key information/messages to be included and shared but at a lower protective marking.
‘Sanitising’ information in this way respects the principle of ‘Right issue, Right time, Right level’ (as outlined in Annex C), in line with the Civil Contingencies Act and Preparing Scotland.
Overall, success of the balanced approach to the protection and sharing of CI information is dependent upon establishing effective relationships between Government, CI Operators and Responders.
9 HMG Security Policy Framework: www.cabinetoffice.gov.uk/resource-library/security-policy-framework
Government - CI Resilience Policy Leads
The Scottish Government Directorates with policy lead for the CNI sectors have a leadership role to play in delivering effective stakeholder arrangements based on collaboration, cooperation and a shared commitment to enhance CIR in Scotland.
CI Operators – Strategic Management, Resilience and BCM Leads
Upon request from a lead Category 1 responder within a Regional Resilience Partnership (RRP) Critical Infrastructure group, owners of critical infrastructure should collaborate and provide information from their BCM process on any critical infrastructure that provides essential services within the RRP area (whether the infrastructure is located within or outwith the area). This should include sites where a response or support may be needed from emergency responders to manage the consequences of civil emergencies. See Annex D for further guidance on the categories of information to provide to a Category 1 responder.
CI operators/owners should give consideration to facilitating visits for the police and Fire & Rescue Service (and other Category 1 responders as appropriate) to the most critical sites, to establish familiarisation of access to the site; location of critical components/equipment, site operators and their actions in a crisis; and back-up arrangements, to understand the recovery process and timetables. This aligns to similar good practice for civil nuclear and chemical sites under the Radiation (Emergency Preparedness and Public Information) Regulations 2001 (REPPIR) and the Control of Major Accident Hazards Regulations 2015 (COMAH). For those sites that are part of the CNI and have not previously had engagement with police and Fire & Rescue Service planners, any proposed initial contact and visit must only be conducted after consultation with the local CTSA.
Responder Communities – RRPs, LRPs and RRP CI Groups
This guidance outlines a process for Category 1 and 2 responders [10] that is intended to support their statutory information sharing obligations and to enable the Responder Communities to receive the necessary information on critical infrastructure to carry out their duties to best effect.
To achieve this, there is a need to share information on critical infrastructure prior to an event in order to ensure that appropriate plans are in place to respond and recover from a CIR related emergency.
It is therefore necessary to understand:
- What infrastructure provides essential services in an area, and its dependencies
- The risks (likelihood and impact) of disruption to that infrastructure from natural hazards and threats
- The assumptions being made about assistance from emergency services and other RRP partners e.g. pumping of flood waters by the Scottish Fire and Rescue Service (SFRS)
An agreed lead Category 1 Responder from the RRP Critical Infrastructure group may request information on critical infrastructure within the area from Category 2 responders (and other owners of critical infrastructure who are prepared to provide information under these arrangements).
It should be noted that labelling infrastructure as ‘CNI’ within emergency plans is not permitted. Plans will be shared with the relevant Lead Government Body [11] so they can be assured key sites have been prioritised appropriately.
RRPs/LRPs will also produce their local ‘Risk and Preparedness Assessments’ based on the Scottish Government Ready Scotland Guidance [12] and the National Risk Assessment (NRA), a classified assessment of the risks of civil emergencies facing the UK. The National Risk Register of Civil Emergencies [13] (NRR) is an unclassified version of the National Risk Assessment (NRA) and a useful resource. This process should also identify the hazards and threats that could affect the RRP/LRP area and the potential consequences of these (including the impact on the provision of essential services in the area).
Critical infrastructure groups (RRP-CI) have been established in each of the Regional Resilience Partnership (RRP) areas to ensure that Regional Resilience Partnerships have effective liaison with Critical Infrastructure operators and owners and arrangements to prevent or minimise impacts resulting from loss or disruption to critical infrastructure.
Whilst detailed delivery may vary between RRP-CI groups, the above aim is generally achieved through the following four work-streams:
What is critical?
- Identify and collate information relating to Significant Local Infrastructure sites in each of the RRP areas, feeding into RRP Community Risk Register processes for strategic context.
What are the vulnerabilities?
- Develop work streams to improve our understanding of the vulnerabilities and interdependencies for key Significant Local Infrastructure sites
How Resilient are they?
- Utilising the tripartite approach [14], explore and understand resilience issues
What do we need to do?
- Maintain an overview of critical infrastructure resilience within the RRP area and develop capabilities to assess and understand the impacts and consequences of the wider loss of essential services affecting organisations and communities
- Understand human behaviour responses to the consequences of loss of critical infrastructure and essential services
- Oversee preparedness of the RRP for CI disruptions in terms of Category 1 and 2 responder communities
- Provide reassurance to the RRP that Critical Infrastructure issues are being addressed
- Identify areas of work which require cross regional cooperation
- Develop a suitable Information Sharing Protocol
Police Counter Terrorist Security Advisors (CTSAs) are represented in the RRP CI groups and provide regular briefings to RRPs and LRPs on the CI within their area. Information on Critical Infrastructure should be provided at the RRP/LRP during civil emergencies for the purpose of enabling an effective emergency response, in line with the ‘need to know’ principle: access to sensitive information must be shared no wider than necessary to provide for the efficient conduct of an emergency response, and limited to those with an identified need and the appropriate personnel security control [15].
Delivery
The following tools may assist in the delivery of the collaborative relationship which this Guide seeks to foster.
Critical Infrastructure Resilience International Network (CIRINT.NET)
Between 2013 and 2015 the Scottish Government Resilient Essential Services Team and Police Scotland participated in an EU funded project together with EU partners, to promote collaboration and the development of good practice on Critical Infrastructure Resilience (CIR) in Europe.
During the course of the project a vast range of CIR stakeholders, within Government, CI Operators (both public and private sector organisations), responders and academia from throughout Europe and farther afield, collaborated with the partners to deliver the project objectives and for mutual CIR benefit.
The overwhelming opinion of those who collaborated in the project was that there was a pressing need within the CIR community for a Critical Infrastructure Resilience International Network and consequently one should be developed as the lasting legacy of the project.
Scottish Government and partners in Lombardy, Kennemerland and the Basque Region have developed this concept into a fully functioning, living and dynamic network of regions across the world, collaborating on critical infrastructure resilience, sharing good practice and learning from one another. The network is known as CIRINT.NET.
The network is designed to be somewhere you can go when you’re looking for help or assistance, or just some advice in your specific subject of Critical Infrastructure Resilience. A trusted and accessible source, so that you don't have to re-invent the wheel or spend weeks researching. Somewhere you can access and share good practice, experience and expertise from an international network of practitioners, academics, responder organisations, industry or National and Regional government departments.
With a global reach, covering 17 Regions across Europe, the US, Australia and Canada, the International Critical Infrastructure Resilience Network (CIRINT.NET) hosts a website and secure discussion forum that brings practitioners together to share knowledge, experience and expertise through international collaboration.
CIRINT.NET is a voluntary association and no enforced commitment or participation is assumed.
It provides:
- Information sharing
- Collaboration
- Good practice
- Academic papers
- Learning
- Benchmarking
- Peer review
- Networking
- Free membership.
As a community concerned with critical infrastructure resilience issues, CIRINT seeks to provide a platform to connect practitioners who shape the future evolution of CIR strategy, policy and delivery.
Depending on individual access requirements, you can choose between Open and Secure discussion areas. Open discussion areas cover Resilience Education, Communities and General, whilst the secure discussion areas cover Energy, Health, Water, Food, Government, Emergency Responders, Transport, Civil Nuclear, Communications, Finance, Space, Chemical and Defence.
CIRINT.NET is your asset but will only be as useful and successful as the participants who use it.
A framework and Terms of Reference for the network has been developed and is available through the website at http://www.cirint.net/.
Membership and participation is now available. To register as ‘Members’ (Organisations) and ‘Participants’ (Individuals) please apply through the website at http://www.cirint.net/.
Resilience Direct
Resilience Direct is a government sponsored secure web-based platform for the resilience community to share information amongst all Category 1 and 2 emergency responders and organisations to assist with planning, response and recovery for major emergencies. It has been designed by the end user for the end user.
Resilience Direct has been accredited to the Security classification ‘Official’. This allows documentation to be shared securely amongst nominated individuals providing instant access to real-time information. The system also provides a content management system in conjunction with mapping capability.
With Resilience Direct you can:
- Gain access to resilience contacts who can be searched for, messaged instantly and formed into groups, to give you an immediate response in an emergency.
- Create, amend and share documents securely with colleagues in any location without worrying about file size or type, with instant notifications to keep you up to date.
- Create and query maps from the latest OS data so you know you have the latest information about any location, and match these with live data feeds, including Met Office rainfall and Environment Agency flood data.
Resilience Direct is a robust platform that provides the tools and information to plan and respond to emergencies and may be accessed at: https://collaborate.resilience.gov.uk/
Information Sharing Protocols and Non-Disclosure Agreements
The Civil Contingencies Act permits the use of information sharing protocols/agreements to formalise information sharing arrangements. The Strathclyde SECG multi-agency Critical Infrastructure Group has developed the following protocols to aid information sharing:
- Information Sharing Protocol (ISP) (see Annex A)
- Non-Disclosure Agreement (NDA) (see Annex B)
These tools aid the development of a multi-agency environment where information can be shared safely and appropriately, whilst ensuring that sensitive commercial information is not distributed or made available inappropriately to competitor organisations.
10 Schedule 1, CCA 2004: https://www.legislation.gov.uk/ukpga/2004/36/schedule/1
11 Reserved Sectors / Sub-Sectors – UK Government Department, Devolved Sectors / Sub-Sectors – Scottish Government
12 ready.scot
14 A three way relationship between Government (Scottish Government and/or UK Government), CPNI/NCSC (as the security advice specialist) and Critical Infrastructure owners and operators
ANNEX A: INFORMATION SHARING PROTOCOL (ISP) Established by [Insert group/consortium name] Version 1.0
INDEX
SUMMARY SHEET
- INTRODUCTION
- PURPOSE
- PARTNER(S)
- POWER(S)
- PROCESS
- GUIDANCE
- TYPES OF INFORMATION TO BE SHARED
- CONSTRAINTS ON THE USE OF THE INFO
- ROLES AND RESPONSIBILITIES UNDER THIS AGREEMENT
- SPECIFIC PROCEDURES
- SHARING OF INFORMATION UNDER THIS ISP WITH OTHERS
- RETENTION, REVIEW & DELETION
- REVIEW OF THE INFORMATION SHARING AGREEMENT
- INDEMNITY
- GOVERNMENT AGENCIES
- SIGNATURES
APPENDIX 1 - List of Group Members
SUMMARY SHEET
INFORMATION SHARING PROTOCOL WITHIN THE [Insert name of group/consortium]
Field | Entry
---|---
ISP Ref: | [To be completed by ………………………………….. insert ISP record keeper e.g. Records Management, Company Headquarters]
PURPOSE | To regulate the sharing of information among members of the [insert name of group/consortium]
PARTNERS | [Insert names of member organisations]
Date Agreement Comes into Force |
Date of Agreement Review | Annually or when amendment is identified
Agreement Owner | [Insert details of Chief Officer or organisation chairing the Group]
Agreement Drawn up by: | [Insert details of ISP administrator]
Location of Agreement | [Insert details of location where the principal signed document is stored]
VERSION RECORD
Version No. | Amendments Made & By Whom
---|---
V1.0 | First Version
V1.1 |
V1.2 |
V1.3 |
V1.4 |
1. INTRODUCTION
The [Insert name of group/consortium] has responsibility for monitoring, developing, and addressing critical infrastructure related issues within the [Insert name of area] area. This may also include certain issues relating to sensitive information.
For the purposes of this document, “Sensitive Information” refers to [Describe the information] within a geographical area [Insert details of area (If applicable)]
The Group is chaired by [Insert details of chair and organisation], who also has responsibility for the secretariat functions of the Group/Consortium and the administration of its various work-streams. Membership includes [Insert membership]. In addition, other organisations [List organisations if known] may also be invited onto the Group. Finally, the Group may – on an ad hoc basis – invite membership from other persons or bodies whose particular professional, technical or academic qualifications or experience may be thought to be of assistance to its work.
2. PURPOSE
The purpose of this Protocol is to regulate the procedure for and circumstances in which information may be shared among members of the Group/Consortium. It is intended that information is shared where appropriate, and disseminated in a manner that ensures its secure management.
This Protocol will assist in coordination among members and [Insert aim/purpose of the information sharing].
The benefits obtained from sharing information have to be balanced against the harm that can be caused to national security, public safety, commercial confidentiality or the rights of individuals. Similarly, information has to be used with care to ensure that information shared is not misused.
3. PARTNERS
This Protocol is among the following partners who are members of the Group/Consortium:
> [Insert list of member organisations]
Point of Contact/members: names, contact details, organisation and roles are listed in Appendix 1.
4. POWERS
The 2004 Act and delegated legislation under it, and the Scottish Government document ‘Preparing Scotland’ (2007), make it clear that there is a need for Category 1 and 2 responders to share information for the purposes of civil contingency response and improving resilience. However, this is a general expectation of information sharing: sensitive information requires to be managed and stored securely.
Such information sharing will, as appropriate, also be in accordance with the provisions of:
- Data Protection Act 1998
- Human Rights Act 1998
- Computer Misuse Act 1990
- Official Secrets Act 1989
- Freedom of Information (Scotland) Act 2002
5. PROCESS
5.1 GUIDANCE
It is incumbent on all Group/Consortium members to recognise that any information shared in terms of this Protocol must be shared appropriate to need, and be managed and secured appropriately. A record must be kept of the information being shared and the parties sharing it.
Adherence to this Protocol – and to the obligations to which it refers – shall be monitored through the Chair of the Group. It will be for the Chair of the Group, as required, to inform any Group member of their breach, or apparent breach, of their obligations; to recommend appropriate remedial action and to remind them of the relevant sanctions for repeated, or further, breaches. Those nominated to be Points of Contact and their substitute shall be satisfactorily vetted to a minimum of ‘Baseline Security Standard’. Dependent on the sensitivity of work being undertaken, it may be necessary to obtain SC clearance. Decisions as to the appropriate vetting level requirements for members will rest with the Chair of the Group/Consortium.
5.2 TYPES OF INFORMATION TO BE SHARED
The Group will share information on:
- [Insert types of information]
- ……………………………….
- ……………………………….
- ……………………………….
- ……………………………….
- other pertinent information with relevance to the work of the Group/Consortium
5.3 CONSTRAINTS ON THE USE OF THE INFORMATION
The information which is shared among members only in consequence of the operation of this Protocol (and not otherwise) must not be disclosed to any third party without the written consent of the member that provided the information, and the approval of the Chair of the Group.
Notwithstanding that not all members currently conform to the Government Protective Marking Scheme (GPMS) guidelines (see link - https://www.gov.uk/government/publications/government-security-classifications), all information shared in accordance with this Protocol must be handled in a manner which will comply with these guidelines.
Only some of the members of the Group are “public authorities” in terms of the Freedom of Information (Scotland) Act 2002 (‘the 2002 Act’). All information which is shared in terms of this Protocol and which is in the hands of any Group member which is also a public authority in terms of the 2002 Act may, then, fall within the ambit of any relevant request for information received by that member (i.e. the public authority) under the 2002 Act. It will, in the first instance, be for the member in receipt of the request to determine what exemption – if any – may apply under the 2002 Act, however, that member will consult with the other member(s) in the Group from whom the information originated to seek their views on its disclosure (full or partial) or not. The Chair of the Group will also be consulted.
5.4 ROLES AND RESPONSIBILITIES UNDER THIS AGREEMENT
[Insert name of organisation] has responsibility for the chairing, management and administration of the Group/Consortium and its activities. It will ensure that all members receive briefings, discussion and other papers. In addition, it will co-ordinate and manage further work of sub groups which may be established.
Individual members of the Group/Consortium must nominate a Point of Contact/member, who will have responsibility for ensuring that information obtained via the Group/Consortium is stored, managed and shared in a way that neither compromises any of the other partner organisations nor fails to comply with the guidance provided in this document.
Should the Chair of the Group/Consortium determine that there has been a breach, or apparent breach, of this Protocol on the part of any member, then that shall be brought to the attention of the person who is the Point of Contact (as set out in Appendix 1) for that member – or some satisfactory alternative as determined by the Chair of the Group/Consortium. The member will be informed of the circumstances of the breach and remedial measures required to be put in place. If determined necessary by the Chair of the Group/Consortium, the operation of this Protocol may be suspended for that member, until appropriate and satisfactory measures are in place to remedy the breach.
5.5 SPECIFIC PROCEDURES
All types of information shared with members will be recorded on a Log, which will be maintained by the Chair of the Group/Consortium. The Log will record a sufficient description of the details of information shared and the members who received it. Recipients will be advised of the appropriate GPMS marking level for the information, to allow appropriate storage/security measures to be employed, and that GPMS marking level will also be recorded in the Log.
5.6 SHARING OF INFORMATION UNDER THIS ISP WITH OTHERS
Information which is shared with Partners under this Protocol may also, and at the discretion of the Chair of the Group/Consortium, be shared with [Insert details of other groups/consortiums/organisations] established elsewhere in Scotland. Information shall only be shared for the Purpose articulated at Section 2 above.
Information which is shared with Partners under this Protocol may also, and at the discretion of the Chair of the Group/Consortium, be shared with appropriate representatives of Her Majesty’s Government.
6. RETENTION, REVIEW & DELETION
Members of the Group/Consortium agree that information shared under this Protocol will only be used for the specific purpose for which it is intended. The recipient of the information is either required to keep it stored in accordance with the Cabinet Office Security Policy Framework (SPF) https://www.gov.uk/government/publications/security-policy-framework, or if this is not possible, in commensurate safe storage conditions as agreed with the Group/Consortium Chair.
Should any information have a GPMS marking level of OFFICIAL-SENSITIVE, or above, requiring safe storage in compliance with the Security Policy Framework, consideration should be given to storing the information in the most appropriate facility.
Any information exchanged in terms of this ISP should be reviewed at least on an annual basis to ensure that its continued retention is appropriate. It should also be deleted/destroyed when it is no longer required.
7. REVIEW OF THE INFORMATION SHARING AGREEMENT
This Protocol will be reviewed annually or when amendment is identified.
8. INDEMNITY
Members of the Group/Consortium who cause loss, injury or damage to other members by reason of their negligent failure to adhere to this Protocol shall fully indemnify those other members.
9. GOVERNMENT AGENCIES
UK Government and Scottish Government are both fully compliant with the Security Policy Framework, and are subject to the Government Protective Marking Scheme (GPMS).
10. SIGNATURES
All signatories accept responsibility for the member on whose behalf they sign. Staff are to be trained so that there will be adherence to the Protocol and to relevant legislation in its operation.
Signed on Behalf of Member Organisation:
Organisation:
Signature:
Print Name:
Position:
Date:
[Repeat above information for all member organisations]
Annex A
List of Group Members
Name | Role | Organisation | Contact Details | Comments (e.g. Single Point of Contact)
Non-Disclosure Agreement Template
NON-DISCLOSURE AGREEMENT
Between
[Insert name of group/consortium] constituted under [Insert appropriate legislation (if applicable)]
and
[Insert name of organisations]
WHEREAS the parties wish to disclose certain technical and/or financial and/or commercial information to each other, in connection with [Insert type of sensitive information] located within the [Insert name of area (if applicable)] for the purpose of [Insert purpose] (the “Purpose”).
NOW THEREFORE THE PARTIES AGREE AS FOLLOWS:
1. DEFINITIONS
“Affiliate” means, in relation to [Insert name of organisation/company], any subsidiary, subsidiary undertaking or holding company of that body corporate, and any subsidiary or subsidiary undertaking of such holding company for the time being, as defined in section 1159 of the Companies Act 2006;
“Commencement Date” means the last date of execution of this Agreement;
“Sensitive Information” means any information, processes, strategies, data, know-how, trade secrets, designs, photographs, drawings, specifications, technical literature and other tangible and intangible information or material, whether in oral, written (including copies), graphic or electromagnetic form, disclosed by the Disclosing Party either before or after the Commencement Date;
“Disclosing Party” means the party disclosing the Sensitive Information in terms of this Agreement;
“Receiving Party” means the party receiving the Sensitive Information in terms of this Agreement;
“Working Day” means a day (not being a Saturday or Sunday) on which the banks are open for normal banking business in Scotland.
2. DUTY
2.1 For Sensitive Information that is disclosed by the Disclosing Party to the Receiving Party, the Receiving Party shall do the following for a period of 4 (four) years from the Commencement Date:
(a) keep in strict confidence and in safe custody any Sensitive Information disclosed to the Receiving Party by the Disclosing Party, exercising the same duty of care it uses to keep its own Sensitive Information confidential and, at a minimum, a reasonable duty of care;
(b) not use or exploit any Sensitive Information other than for the Purpose;
(c) not copy or reproduce any or all of the Sensitive Information except as is reasonably necessary for the Purpose; and
(d) not distribute, disclose or disseminate Sensitive Information to anyone except, as defined in Clause 2.2 below, persons who have a need to know such Sensitive Information for the Purpose.
2.2 Persons who have a need to know include persons who are employed by or are directors, officers, contractors or consultants of the Receiving Party and, in respect of [Insert details as appropriate], shall also include an Affiliate. The Receiving Party shall notify all such persons of the existence of this Agreement at the time the Sensitive Information is disclosed to them.
3. EXCEPTIONS
The Receiving Party’s duty to maintain Sensitive Information in accordance with the provisions of this Agreement shall not apply to Sensitive Information that:
(a) was known to the Receiving Party (without obligation to keep the same sensitive) at the date of disclosure of the Sensitive Information by the Disclosing Party; or
(b) is, after the date of disclosure, acquired by the Receiving Party in good faith from an independent third party who is not subject to any obligation of confidentiality in respect of such Sensitive Information; or
(c) in its entirety was, at the time of its disclosure, in the public knowledge or has become public knowledge during the term of the Agreement otherwise than by reason of the Receiving Party’s neglect or breach of the restrictions set out in this or any other agreement; or
(d) is requested or required to be disclosed by any court of competent jurisdiction, applicable law or regulatory authority, or by the regulations of any recognised stock exchange on which the Receiving Party’s shares are listed, provided that, prior to such disclosure or, where that is impractical, as soon as reasonably possible thereafter, the Receiving Party notifies the Disclosing Party (to the extent permitted by law) of the proposed (or, as the case may be, actual) form, nature and purpose of the disclosure and at the same time gives the Disclosing Party a copy of the disclosure so made; or
(e) without prejudice to sub-paragraph (d), is disclosed in accordance with the Freedom of Information (Scotland) Act 2002. Before reaching a decision leading to the disclosure of information, where it is reasonably practicable to do so, the Receiving Party shall notify the Disclosing Party of the request for information and of the information to be disclosed, and shall consider any representations that may be made by the Disclosing Party as to the possible application of exemptions and as to the balance of the public interest, where relevant, but nothing in this clause shall require the Receiving Party to delay disclosure in accordance with its statutory obligations. The decision of the Receiving Party in relation to disclosure shall be final; or
(f) is independently developed by the Receiving Party without access to any or all of the Sensitive Information.
4. TERMINATION AND RENEWAL
This Agreement shall expire on a date that is [Insert duration] from the Commencement Date unless terminated earlier upon written agreement between the Parties. This Agreement shall not be renewed or extended unless agreed in writing between the Parties.
5. RETURN OF SENSITIVE INFORMATION
On the earlier of either the expiration of the term of this Agreement, termination of this Agreement, or a written request of the Disclosing Party, the Receiving Party shall return or destroy (at the Receiving Party’s option) within five (5) Working Days any part of the Sensitive Information that consists of original, and copies of, source material provided by the Disclosing Party and still in the Receiving Party’s possession and, if requested by the Disclosing Party, shall provide written confirmation to the Disclosing Party to that effect.
6. EXCLUSION OF WARRANTIES
Neither Party warrants the accuracy or completeness of any Sensitive Information and all implied warranties to that effect are hereby excluded.
7. TITLE
Nothing in this Agreement shall be construed as granting or conferring any rights in title to, or licence in respect of, any Sensitive Information. All Sensitive Information shall remain at all times the property of the Disclosing Party.
8. TRANSACTIONS AND PRESS RELEASES
8.1 The disclosure of Sensitive Information by the Disclosing Party will not create an obligation on either Party to enter into any further agreement or to proceed with any possible relationship or other transaction.
8.2 Without prejudice to the provisions of Clauses 3(d) and 3(e) of this Agreement, neither Party shall disclose the existence of this Agreement or issue any press releases relating to the Purpose to any third party without the other Party’s consent.
9. NO PARTNERSHIP
Nothing contained in this Agreement shall be construed as creating a joint venture, power of attorney, partnership or employment relationship between the Parties, it being understood that the Parties are independent entities in respect of one another. Except as specified herein, neither Party shall have the right, power or implied authority to create any obligation or duty, express or implied, on behalf of the other Party hereto.
10. ANTI BRIBERY AND ANTI CORRUPTION
10.1 Each Party shall:
(a) comply with all applicable laws, regulations, codes and guidance relating to anti-bribery and anti-corruption, including but not limited to the Bribery Act 2010 (“Relevant Requirements”); and
(b) have and maintain in place throughout the term of this Agreement, and enforce where appropriate, its own policies and procedures to comply with the Relevant Requirements, including but not limited to adequate procedures under the Bribery Act 2010.
10.2 For the purpose of this Clause 10, the meaning of adequate procedures shall be determined in accordance with section 7(2) of the Bribery Act 2010 (and any guidance issued under section 9 of that Act).
11. WAIVER
No delay or omission by either Party in exercising any right, power or remedy provided by law or under this Agreement shall affect that right, power or remedy or operate as a waiver of it.
12. NOTICE
Any notice will be either delivered in person, or sent to the other Party by (a) postal mail, (b) facsimile (electronically confirmed and followed up immediately by postal mail), or (c) electronic mail (followed up immediately by postal mail). A notice is considered given when it is delivered (which in the case of a facsimile or email shall be when the follow-up copy of the facsimile or email sent by postal mail is delivered). For the purposes of this Agreement, the address of each Party shall be:
[Insert details as appropriate] XXXXXXXXX
[Insert details as appropriate] XXXXXXXXX
13. ENTIRE AGREEMENT
Save in respect of fraudulent misrepresentation by either Party, the Agreement constitutes the entire understanding between the Parties with regard to the disclosure of the Sensitive Information relating to the Purpose.
14. NON ASSIGNATION
Neither Party may assign or otherwise transfer this Agreement, or any of its rights and obligations hereunder, to any third party, except for the purposes of sharing Sensitive Information on a need-to-know basis as specified in this Agreement.
15. REMEDY
Each Party agrees that damages may not be an adequate remedy for any breach of this Agreement and each Party shall be entitled to seek appropriate remedies for any reasonably threatened or actual breach of this Agreement.
16. GOVERNING LAW
This Agreement will be governed by the Law of Scotland and subject to the jurisdiction of the Scottish Courts.
IN WITNESS WHEREOF these presents consisting of this and the five preceding pages are executed as follows:
Subscribed for and on behalf of [Insert name of organisation] on [Insert date] (Date)
Signed………………………………………………………(Authorised Signatory)
Name……………………………………………………….
Date
Signed……………………………………………………….. (Witness)
Name of Witness……………………………………………
Occupation…………………………………………………
Address…………………………………………………….
Subscribed for and on behalf of [Insert name of organisation] on [Insert date] (Date)
Signed………………………………………………………(Authorised Signatory)
Name……………………………………………………….
Date
Signed………………………………………………………(Authorised Signatory)
Name……………………………………………………….
Date
[Repeat above information for all participating organisations]
Right issue, right time, right level
Table 1: “Right issue, right time, right level” Assessment [16]
Issue | Time | Level
Information on critical infrastructure (includes CNI) | Before emergency, for CIR work including civil emergency planning | Held by appropriate personnel in Stakeholder Organisations (Government, CI Industry and Responder Communities) who must be Security Cleared (SC) and have appropriate storage facilities.
Planning assumptions for critical infrastructure | Before emergency, for CIR work including civil emergency planning | SCG (RRP and LRP from 01.11.2013) members must satisfy the Baseline Personnel Security Standard (BPSS).
Information on critical infrastructure networks and systems | Before emergency, for assessment of interdependencies | Stakeholders must satisfy the Baseline Personnel Security Standard (BPSS).
Relevant information on critical infrastructure | During an emergency, for prioritisation and response | SCG (RRP and LRP from 01.11.2013) members must satisfy the Baseline Personnel Security Standard (BPSS).
[16] HMG Personnel Security Controls: www.cabinetoffice.gov.uk/resource-library/hmg-personnel-security-controls
Cabinet Office Guidance “Keeping the Country Running” – Critical Infrastructure Owner/Operator – Categories of Information for lead category 1 Responders
The provision of information (for emergency planning purposes only) to a lead Category 1 responder should include:
- Name of infrastructure asset / network / system
- Critical installations or sites in the network
- Location of critical installations / sites, and their function
- Network / site owners
- 24/7 emergency contact names and numbers
- Specific safety / hazards information for the network and sites (e.g. COMAH) and access / egress restrictions that the emergency services need to know
- Outline of the consequences of loss or disruption of the critical infrastructure in terms of loss of service to x number of people in the RRP/LRP area, and which other RRP/LRP areas could also be affected
- A general assessment of the service’s vulnerability to natural hazards and accidents, and any mitigation measures taken to reduce the risks
- What action the network / site owner would take in case of an emergency
- Support the infrastructure owner anticipates receiving or may need from emergency services and other emergency responders during an incident.