Skip to main content

Good Practice Guidelines

The Good Practice Guidelines (GPG) are a series of informational documents which provide good practice advice in technology-specific areas of Information Security and Information Governance.
Each Good Practice Guideline is intended to support Department of Health Policy and Information Governance requirements for NHS organisations and suppliers.
These guidelines are updated with the latest security information and if you feel there is something missing please contact
We recognise these GPGs as essential communication from the Infrastructure Security Team and as such are aiming for the documents to be published to the highest possible standard.
All documents on this page have 'Approved' status. As Information Security is an evolving discipline these documents will be updated regularly and should be regarded as 'living documents'.
Title Description Last Update Version
3G / HSDPA Provides guidance for organisations who wish to deploy or operate 3G / HSDPA systems In Progress
Access Control Lists (PDF 77Kb This guide addresses the major issues associated with creating and maintaining secure networks using both the New NHS Network (N3) and other network infrastructures. 11/05/2009 2.0
Anti-Virus and Malware (PDF 305Kb) Provides guidance on the deployment, configuration and management of Anti-Virus software. 01/03/2010 2.0
Application Security (PDF 133Kb) Provides guidance for organisations providing user applications to users. 31/03/2007 1.0
Approved Cryptographic Algorithms (PDF 504Kb) Guidance on Authority standards for cryptographic algorithms and key sizes.
A guidance document on the changes between the previous version (v2.2) and this version (v3.0) of the Approved Cryptographic Algorithms GPG  can be found in "Approved Cryptographic Algorithms Good Practice Guideline – changes between v2.2 and v3 (PDF 299Kb)".
05/10/2012 3.0
Biometrics Provides guidance on facial, iris and finger recognition technologies. Proposed
Business Continuity and Disaster Planning (PDF 148Kb) Provides guidance for organisations implementing BCP and DR Procedures 29/09/2009 1.0
Connecting Modem Devices to Local Area Networks (PDF, 261Kb) Provides guidance on the security challenges associated with connecting modems to Local Area Networks. 25/10/2010 1.0
Content Filtering Provides guidance for organisations who wish to deploy or operate Content Filtering systems In Progress
Disposal and Destruction of Sensitive Data (PDF, 331.8kB) Provides guidance for organisations on the disposal and destruction of sensitive data (UPDATED) 13/03/2015 3.0
Email, Calendar and Messaging Services (PDF 75Kb) Provides guidance for organisations using Email, Calendar and Messaging Services. 13/10/2006 1.0
Firewall Technologies (PDF 2Mb) Provides guidance on the planning, implementation and operation of firewalls and associated technologies 20/12/2007 1.0
General Principles for Securing Information System (PDF 130Kb) Provides introductory information on general principles for securing information systems. 26/05/2009 1.0
Glossary of Security Terms (PDF 277Kb) Glossary of Security Terms used in the Good Practice Guidelines 13/12/2007 1.0
GPRS and PDAs (PDF 371Kb) Provides guidance for organisations who wish to deploy or operate GPRS and PDA services 31/03/2007 1.0
IDS and IPS Technologies (PDF 1Mb) Provides guidance for organisations implementing IDS/IPS solutions 02/10/2009 2.0
Local Area Network Security (PDF 171Kb) Provides guidance on security good practice in relation to Local Area Network security 29/09/2009 1.0
Network Address Translation (PDF 183Kb) Provides guidance on the implementation of NAT and the possible security implications 10/03/2006 1.0
Password Policy for Non-Spine Connected Applications (PDF 302Kb) Provides guidance on the use and control of passwords for organisations deploying and using non-SPINE connected applications. 23/07/2010 1.0
Patching Management (PDF 168Kb) Provides advice and guidance relating to Patch Management in NHS or other healthcare environments 07/10/2009 1.0
Portable Storage Devices Provides guidance on security good practice in the implementation of portable storage devices within an organisation Proposed
Proxy Services (PDF 86Kb) Provides guidance on Proxy Services such as web proxies, application proxies and gateway services 26/01/2006 1.0
Remote Access (PDF 150Kb) Provides guidance on the implementation of Remote Access technologies 15/07/2009 2.0
Remote Management Provides guidance for organisations who wish to deploy or operate Remote Management In Progress
Secure Use of the N3 Network (PDF 88Kb) Provides guidance for organisations who wish to move sensitive information using the N3 network. 08/03/2006 1.0
  Securing Web Infrastructure and supporting services Provide information on good security practices in relation to the security, and securing of Web infrastructure and associated systems. 26/02/2010  1.0
Security of the Endpoint Provides guidance on implementing security of endpoint devices such as desktops Proposed
Server Virtualisation Security (PDF 307Kb) Provides security guidance to technical and policy making personnel when deploying virtualisation within their organisations. This document focuses on the security aspects of virtualisation. 06/07/2009 1.0
Site to Site VPN (PDF 97Kb) Provides guidance for organisations who wish to deploy or operate Site to Site VPNs 08/03/2006 1.0
Smart Card Best Practices Provides guidance on the implementation and operation of smartcard based systems. Proposed
System Hardening (PDF 96Kb) Provides guidance on the implementation of security for devices such as firewalls, routers etc 01/10/2009 1.0
TCP IP Ports and Protocols (PDF 149Kb) Provides guidance on the security risks associated with common TCP/IP services 07/11/2007 1.0
Use of Tablet Devices in NHS environments (PDF 213Kb) Provides vendor and product independent security guidance to organisations wishing to make use of tablet devices in NHS environments 19/12/2011 1.0
VLANs (PDF 104Kb) Provides guidance on the use of VLANs within a network infrastructure. 24/06/2009 2.0
Voice Over IP Provides guidance on the implentation of Voice over IP services and the security issues which may be encountered In Progress
WiMAX / WiBRO Provides guidance for organisations who wish to deploy or operate WiMAX or WiBRO wireless systems In Progress
Wireless LAN Technologies (PDF 123Kb) Covers the design and deployment of Wireless Local Area Networks 08/03/2006


Popular posts from this blog

Why Madge Networks, the token-ring company, went titsup

There I was shooting the breeze with an old mate. The conversation turned to why Madge Networks which I wrote about here went titsup. My analysis is that Madge Networks had a solution and decided to go out and find a problem. They deferred to more incorrect strategic technology choices. The truth of the matter is that when something goes titsup, its not because of one reason only, but a myriad of them all contributing to the negative consequence. There are the immediate or visual ones, which are underpinned by intermediate ones and finally after digging right down, there are the root causes. There is never a singular root cause for anything but I'll present my opinion and encourage everyone else to chip in. All of them together are more likely the reason the company went titsup. As far as technology brainfarts go there is no better example than Kodak . They invented the digital camera that killed them. However, they were so focused on milking people in their leg

Flawed "ITIL aligned"​ Incident Management

Many "ITIL aligned" service desk tools have flawed incident management. The reason is that incidents are logged with a time association and some related fields to type in some gobbledygook. The expanded incident life cycle is not enforced and as a result trending and problem management is not possible. Here is a fictitious log of an incident at PFS, a financial services company, which uses CGTSD, an “ITIL-aligned” service desk tool. Here is the log of an incident record from this system: Monday, 12 August: 09:03am (Bob, the service desk guy): Alice (customer in retail banking) phoned in. Logged an issue. Unable to assist over the phone (there goes our FCR), will escalate to second line. 09:04am (Bob, the service desk guy): Escalate the incident to Charles in second line support. 09:05am (Charles, technical support): Open incident. 09:05am (Charles, technical support): Delayed incident by 1 day. Tuesday, 13 August: 10:11am (Charles, technical support): Phoned Alice.

Updated: Articles by Ron Bartels published on iot for all

  These are articles that I published during the course of the past year on one of the popular international Internet of Things publishing sites, iot for all .  These are articles that I published during the course of the past year on one of the popular international Internet of Things publishing sites, iot for all . Improving Data Center Reliability With IoT Reliability and availability are essential to data centers. IoT can enable better issue tracking and data collection, leading to greater stability. Doing the Work Right in Data Centers With Checklists Data centers are complex. Modern economies rely upon their continuous operation. IoT solutions paired with this data center checklist can help! IoT Optimi