Our information security

These are the functions we use to manage cyber security risks and events.

In this section



Understanding and managing cyber security risk to our systems, data, assets and overall capabilities. 


You must follow our information risk governance processes.


To govern risk appropriately, you must make sure that:

  • named individuals are clearly responsible and accountable for the security of sensitive information and key operational services
  • you've appropriately documented processes to direct the project or service approach to information security, for both build and run
  • you identify, assess and manage risks to sensitive information and key operational services
  • you understand and manage security-related issues arising from dependencies on external suppliers and their supply chains - this includes ensuring that suppliers of third-party services hold valid Cyber Essentials certificates
  • you give appropriate information security and risk management training to all users with access to sensitive information or operational services
  • you promote a culture of awareness


You must identify and catalogue sensitive information that you hold or access.


You must document:

  • what sensitive information is held and accessed and why
  • where the information is held and which computer systems or services access it
  • an understanding of the impact of loss, compromise or disclosure of the sensitive information


You must identify and catalogue key operational services provided or supported.


You must document:

  • the key operational services that are provided or supported
  • an understanding of the technologies and services the operational services rely on to remain available and secure
  • an understanding of the other dependencies that the operational services have (power, cooling, data, people and so on)
  • an understanding of the impact of loss of availability, or compromise on the service


You must actively manage access to sensitive information and key operational services.


To achieve an appropriate level of access management, you must make sure that:

  • users only hold the minimum access to sensitive information or key operational services necessary for their role
  • access is removed when individuals leave their role or the organisation
  • periodic reviews take place to ensure appropriate access is maintained



This function outlines the safeguards needed to ensure proper functioning and effective delivery of critical infrastructure services.

It helps us limit and contain the impact of an information security event.


You must only give access to sensitive information and key operational services to identified, authenticated and authorised users or systems.


You must make sure users and systems are always identified and authenticated before you give them access to information or services.

Depending on the sensitivity of the information or criticality of the service, the device being used for access may also need to be authenticated and authorised.


You must make sure systems which handle sensitive information or key operational services are protected from exploitation of known vulnerabilities.


For our systems:

You must record and track all software and hardware assets and their configuration.

You must carry out secure configuration and patching to prevent our infrastructure being vulnerable to common attacks. Where this isn't possible, you must set up other mitigations (including logical separation).

You must regularly test for the presence of known vulnerabilities and common configuration errors. You must remediate any issues.

Only strongly authenticated and authorised administrators must make changes to our authoritative DNS.

You must understand and document our IP ranges.

Where applicable, you must maintain clear documentation recording the security related responsibilities remaining with National Highways and those which are with a supplier or contractor.

For our endpoints:

You should account for all end-user devices and removable media.

You must manage devices that have access to sensitive information, or key operational services, so that you can apply technical policies and exert controls over software that interacts with sensitive information.

You must regularly patch all operating systems and software packages that are in use and make sure they are still supported by the vendor.

You must ensure that, where physical protection cannot be assured, data at rest is encrypted.

You should make sure that you're able to remotely wipe and revoke access from an end-user device.

For our email:

A minimum of Transport Layer Security Version 1.2 (TLS v1.2) for sending and receiving email securely is supported.

You must ensure that Domain-based Message Authentication Reporting and Conformance (DMARC), Domain Keys Identified Mail (DKIM) and Sender Policy Framework (SPF) records are in place to make email spoofing difficult.

You must make sure that spam and malware filtering is present, and DMARC is enforced on inbound email.

For our digital services:

You must ensure that web applications are not susceptible to common security vulnerabilities, such as those in the top 10 Open Web Application Security Project (OWASP) vulnerabilities.

You must routinely test that the underlying infrastructure is secure. This includes verifying that the hosting environment is maintained securely and that you take responsibility for securely configuring the infrastructure and platform.

You must transit data using a minimum of TLS v1.2.

You must routinely conduct web app scanning to test for known vulnerabilities and common configuration errors.

You must make sure that all external URLs are shared with the Security Team and monitored by the NCSC WebCheck Service.


You must make sure that highly privileged accounts have additional protections and are not vulnerable to common attack techniques.


Users with wide-ranging or extensive system privilege must not use their highly privileged accounts for high-risk functions, particularly reading email and web browsing.

You must use multi-factor authentication where technically possible, such as where administrative consoles provide access to manage cloud-based infrastructure, platforms or services.

You must use multi-factor authentication for access to official social media accounts

You must change passwords for highly privileged system accounts, social media accounts and infrastructure components from their default values. Passwords must not be easy to guess. Passwords which would on their own grant extensive system access must have high complexity.


The activities needed to identify the occurrence of an information security event in a timely manner.


You must be able to detect common cyber-attacks.


You must make sure that:

  • you capture system events and combine them with threat intelligence sources to detect known threats
  • prioritised custom use cases are in place to detect events which might indicate situations we wish to avoid
  • monitoring solutions expand and evolve with business and technology changes, as well as changes in threat
  • attackers attempting to use common cyber-attack techniques cannot gain undetected access to our data or any control of our technology services 
  • digital services that are attractive to cyber criminals for the purposes of fraud have transactional monitoring


The activities you must perform once an information security incident has been detected, to contain its negative impact.


You must have a defined, planned and tested response process to information security incidents that impact sensitive information or key operational services.


You must have an incident response and management plan with clearly defined actions, roles and responsibilities.

You must test your incident response and management plan at regular intervals, so all people involved understand their roles and responsibilities as part.

You must have communication plans for security incidents.

When you discover an incident, you must assess and apply mitigating measures as soon as possible. You must get expert advice where necessary (for example our Cyber Incident Response (CIR) partner or National Cyber Security Centre (NCSC).

You must report any incident involving a personal data breach to our Data Protection Officer as soon as it's identified.

You must assess post incident lessons and remediations and record them in future iterations of the incident management plan.



Activities needed to maintain organisational resilience and restore any services that have been impaired as a consequence of an information security incident.


You must have defined and tested processes to ensure the continuity of key operational IT services in the event of failure or compromise.


You must identify and test contingency mechanisms to deliver essential services in the event of any failure, forced shutdown, or compromise of any system or service.  This may include the preservation of out-of-band or manual processes for essential services or critical national infrastructure.

You must have a tried and tested 'restoring the service to normal' operation and process.

You must set up post-incident recovery activities to protect the system in future and make sure the same issue cannot arise in the same way again. These activities must identify and remediate systemic vulnerabilities.