Good Practice Guidelines

The Good Practice Guidelines (GPG) are a series of informational documents which provide good practice advice in technology-specific areas of Information Security and Information Governance.
Each Good Practice Guideline is intended to support Department of Health Policy and Information Governance requirements for NHS organisations and suppliers.
These guidelines are updated with the latest security information and if you feel there is something missing please contact
We recognise these GPGs as essential communication from the Infrastructure Security Team and as such are aiming for the documents to be published to the highest possible standard.
All documents on this page have 'Approved' status. As Information Security is an evolving discipline these documents will be updated regularly and should be regarded as 'living documents'.
| Title | Description | Last Update | Version |
|---|---|---|---|
| 3G / HSDPA | Provides guidance for organisations who wish to deploy or operate 3G / HSDPA systems | In Progress | |
| Access Control Lists (PDF 77Kb) | This guide addresses the major issues associated with creating and maintaining secure networks using both the New NHS Network (N3) and other network infrastructures. | 11/05/2009 | 2.0 |
| Anti-Virus and Malware (PDF 305Kb) | Provides guidance on the deployment, configuration and management of Anti-Virus software. | 01/03/2010 | 2.0 |
| Application Security (PDF 133Kb) | Provides guidance for organisations providing user applications to users. | 31/03/2007 | 1.0 |
| Approved Cryptographic Algorithms (PDF 504Kb) | Guidance on Authority standards for cryptographic algorithms and key sizes. A guidance document on the changes between the previous version (v2.2) and this version (v3.0) of the Approved Cryptographic Algorithms GPG can be found in "Approved Cryptographic Algorithms Good Practice Guideline – changes between v2.2 and v3 (PDF 299Kb)". | 05/10/2012 | 3.0 |
| Biometrics | Provides guidance on facial, iris and finger recognition technologies. | Proposed | |
| Business Continuity and Disaster Planning (PDF 148Kb) | Provides guidance for organisations implementing BCP and DR Procedures | 29/09/2009 | 1.0 |
| Connecting Modem Devices to Local Area Networks (PDF, 261Kb) | Provides guidance on the security challenges associated with connecting modems to Local Area Networks. | 25/10/2010 | 1.0 |
| Content Filtering | Provides guidance for organisations who wish to deploy or operate Content Filtering systems | In Progress | |
| Disposal and Destruction of Sensitive Data (PDF, 331.8kB) | Provides guidance for organisations on the disposal and destruction of sensitive data (UPDATED) | 13/03/2015 | 3.0 |
| Email, Calendar and Messaging Services (PDF 75Kb) | Provides guidance for organisations using Email, Calendar and Messaging Services. | 13/10/2006 | 1.0 |
| Firewall Technologies (PDF 2Mb) | Provides guidance on the planning, implementation and operation of firewalls and associated technologies | 20/12/2007 | 1.0 |
| General Principles for Securing Information System (PDF 130Kb) | Provides introductory information on general principles for securing information systems. | 26/05/2009 | 1.0 |
| Glossary of Security Terms (PDF 277Kb) | Glossary of Security Terms used in the Good Practice Guidelines | 13/12/2007 | 1.0 |
| GPRS and PDAs (PDF 371Kb) | Provides guidance for organisations who wish to deploy or operate GPRS and PDA services | 31/03/2007 | 1.0 |
| IDS and IPS Technologies (PDF 1Mb) | Provides guidance for organisations implementing IDS/IPS solutions | 02/10/2009 | 2.0 |
| Local Area Network Security (PDF 171Kb) | Provides guidance on security good practice in relation to Local Area Network security | 29/09/2009 | 1.0 |
| Network Address Translation (PDF 183Kb) | Provides guidance on the implementation of NAT and the possible security implications | 10/03/2006 | 1.0 |
| Password Policy for Non-Spine Connected Applications (PDF 302Kb) | Provides guidance on the use and control of passwords for organisations deploying and using non-SPINE connected applications. | 23/07/2010 | 1.0 |
| Patching Management (PDF 168Kb) | Provides advice and guidance relating to Patch Management in NHS or other healthcare environments | 07/10/2009 | 1.0 |
| Portable Storage Devices | Provides guidance on security good practice in the implementation of portable storage devices within an organisation | Proposed | |
| Proxy Services (PDF 86Kb) | Provides guidance on Proxy Services such as web proxies, application proxies and gateway services | 26/01/2006 | 1.0 |
| Remote Access (PDF 150Kb) | Provides guidance on the implementation of Remote Access technologies | 15/07/2009 | 2.0 |
| Remote Management | Provides guidance for organisations who wish to deploy or operate Remote Management | In Progress | |
| Secure Use of the N3 Network (PDF 88Kb) | Provides guidance for organisations who wish to move sensitive information using the N3 network. | 08/03/2006 | 1.0 |
| Securing Web Infrastructure and supporting services | Provides information on good security practices in relation to the security and securing of Web infrastructure and associated systems. | 26/02/2010 | 1.0 |
| Security of the Endpoint | Provides guidance on implementing security of endpoint devices such as desktops | Proposed | |
| Server Virtualisation Security (PDF 307Kb) | Provides security guidance to technical and policy making personnel when deploying virtualisation within their organisations. This document focuses on the security aspects of virtualisation. | 06/07/2009 | 1.0 |
| Site to Site VPN (PDF 97Kb) | Provides guidance for organisations who wish to deploy or operate Site to Site VPNs | 08/03/2006 | 1.0 |
| Smart Card Best Practices | Provides guidance on the implementation and operation of smartcard based systems. | Proposed | |
| System Hardening (PDF 96Kb) | Provides guidance on the implementation of security for devices such as firewalls, routers etc | 01/10/2009 | 1.0 |
| TCP IP Ports and Protocols (PDF 149Kb) | Provides guidance on the security risks associated with common TCP/IP services | 07/11/2007 | 1.0 |
| Use of Tablet Devices in NHS environments (PDF 213Kb) | Provides vendor and product independent security guidance to organisations wishing to make use of tablet devices in NHS environments | 19/12/2011 | 1.0 |
| VLANs (PDF 104Kb) | Provides guidance on the use of VLANs within a network infrastructure. | 24/06/2009 | 2.0 |
| Voice Over IP | Provides guidance on the implementation of Voice over IP services and the security issues which may be encountered | In Progress | |
| WiMAX / WiBRO | Provides guidance for organisations who wish to deploy or operate WiMAX or WiBRO wireless systems | In Progress | |
| Wireless LAN Technologies (PDF 123Kb) | Covers the design and deployment of Wireless Local Area Networks | 08/03/2006 | |