Request Approval to publish 'Accessing MOJ IT Systems from abroad'.

[warmanaMOJ]

Hello @cybersquirrel

Please may I request approval to publish guidance on 'Accessing MOJ IT Systems from abroad'? A preview of the document can be seen here.

I have also updated the landing page to include the new topic as part of the Asset Management section here.

Thank you.

[cybersquirrel]

Hi @warmanaMOJ - thanks for readying this for publication. A couple of minor tweaks / suggestions:

• I am worried that it's still not completely obvious that you only need to make a request if visiting one of the list of countries; could we possibly tweak the 'info to collect' list to change 'country of travel' to something like 'country / countries from above list that you will be accessing IT systems from'?
• The linked-to form has a different rubric about when to fill it in (reads like 'always fill it in if accessing IT, and if visiting any of these countries even if not accessing IT').
• Do we even have MoJ Blackberries any more? I thought they'd all been decommissioned?
• plural agreement needed (device/they) in "apply additional technical controls to protect you, your device, and any data they can access".
• HMPPS HQ staff - I don't think people have IAOs; data has an IAO. I think this should be their SCS.
• Should the Corp Security contact details now be Group Security (or do they still work this way)?
• The 'making a request' flow is a bit confusing - you gather the info, complete the form, then send it to both security@ and your relevant SCS etc in parallel; once you've received business approval (from the SCS presumably?) then you send this to OST, who acknowledge receipt and you're good to go?

[warmanaMOJ]

@cybersquirrel Thank you, I have updated the draft accordingly.

[cybersquirrel]

Thank you - and apologies for my tardiness in the re-review.

I think the content is now spot on.

The only bit I'm slightly unsure about is the part 1 / part 2 flow. It feels like the activity at the end of part 1 (item 2) feels like it could happen first, before you collect all the data?

The other point is the ordering of part 2 - shouldn't item (3) come first? I'm not really sure of this, but it feels like you should first check that your LM is ok with the concept, then you get guidance from us, then you get your SCS to agree with any risks we've flagged? But then part 5 feels like there's a potential to get rejected again - this is a touch circular!

Sorry for further questions.

Jon.

[warmanaMOJ]

@cybersquirrel Thank you, a revised draft including your comments is available here

NB This is a different link to the one used earlier in the conversation (above).

[cybersquirrel]

This looks spot on. Happy to approve publication.

[warmanaMOJ]

Thank you very much.