UK Police-Assured Secure Facilities (PASF)

UK PASF overview

The National Policing Information Risk Management Team (NPIRMT) of the UK Home Office is charged with ensuring that the storage of and access to police information meet its standards. The NPIRMT provides a range of information assurance functions to the police community. It sets the central standards and controls for law enforcement agencies across the UK that are assessing the risk of moving police information systems to the cloud. The information assurance policy requires that all national police services in the UK that store and process protectively marked or other sensitive law enforcement information take an extra step in their risk assessment — a physical inspection of the datacenter where their data will be stored. A successful datacenter assessment determines that the facility qualifies for PASF.

Azure and UK PASF

Microsoft Azure can support UK law enforcement IT customers who require Police-Assured Secure Facilities (PASF) to process and store their data in the cloud. The NPIRMT completed a comprehensive security assessment of the physical infrastructure of Microsoft Azure datacenters in the UK and concluded that they comply with NPIRMT requirements. No compliance issues or remedial actions were identified as a result of this assessment. Any risks identified during PASF audits are managed under the NPIRMT's cyber risk assurance process for national systems.

Local police services can use the NPIRMT assessment to support their own review. Using the NPIRMT policy guidelines, the senior information risk owner for each police service is responsible for assessing the suitability of an individual datacenter in the context of their particular application, which they then submit to the NPIRMT for approval.

Microsoft takes a holistic defense-in-depth approach to security. Our UK datacenters (like all Microsoft datacenters) are certified to comply with the most comprehensive portfolio of internationally recognized standards of any cloud service provider and consistently meet those requirements.

These certifications are backed by the measures that we take to protect the physical security of our datacenters. We adopt a layered approach that starts with how we design, build, and operate datacenters to strictly control physical access to the areas where customer data is stored. Microsoft datacenters have extensive levels of protection with access approval required at the facility’s perimeter, at the building’s perimeter, inside the building, and on the datacenter floor. This structure reduces the risk of unauthorized users gaining physical access to datacenter resources.

Applicability

  • Azure UK datacenter physical infrastructure

Audit reports and certificates

The NPIRMT audits one Azure datacenter each year, cycling through the four Microsoft datacenters in the UK. The NPIRMT assessment that Microsoft datacenters are PASF is available through the Home Office to law enforcement customers who are conducting their own risk assessment regarding the use of cloud services.

How to implement

  • Microsoft provides the Azure Policy regulatory compliance built-in initiative for UK OFFICIAL and UK NHS, which maps to UK OFFICIAL and UK NHS compliance domains and controls. Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of controls and compliance domains based on responsibility - customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each UK OFFICIAL and UK NHS control is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.
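The following PowerShell is an added example, not code from the original page or from Microsoft: it assigns the UK OFFICIAL and UK NHS built-in initiative at a subscription scope and pulls the resulting compliance state, which is the drill-down the paragraph above describes. It assumes the Az.Resources and Az.PolicyInsights modules (Az.Resources 7.x or later, whose policy objects expose DisplayName at the top level), an authenticated session via Connect-AzAccount, and the placeholder subscription ID and assignment name shown in the code.

```powershell
# Added example (not from the original page): assign the built-in
# "UK OFFICIAL and UK NHS" regulatory compliance initiative and read its results.
# Assumptions: Az.Resources 7.x+ and Az.PolicyInsights are installed and you have
# already run Connect-AzAccount. The subscription ID and assignment name below
# are placeholders chosen for this example.

$scope          = '/subscriptions/00000000-0000-0000-0000-000000000000'  # placeholder scope
$assignmentName = 'uk-official-nhs'                                       # assumed name

# Find the built-in initiative by display name instead of hard-coding its GUID.
# (On Az.Resources < 7 the display name is under $_.Properties.DisplayName.)
$initiative = Get-AzPolicySetDefinition -Builtin |
    Where-Object { $_.DisplayName -eq 'UK OFFICIAL and UK NHS' }
if (-not $initiative) {
    throw 'Initiative not found; check the Az.Resources version and the display name.'
}

# Assign the initiative. Its policies are audit-type, so no managed identity is needed.
$assignment = New-AzPolicyAssignment -Name $assignmentName `
    -DisplayName 'UK OFFICIAL and UK NHS regulatory compliance' `
    -Scope $scope `
    -PolicySetDefinition $initiative

# Evaluation normally runs on a schedule; trigger a scan of the current
# subscription now so the first query is not empty. This can take several minutes.
Start-AzPolicyComplianceScan

# Aggregated view: compliant vs non-compliant resource and policy counts for this assignment.
Get-AzPolicyStateSummary -PolicyAssignmentName $assignmentName |
    Select-Object -ExpandProperty Results

# Drill-down: every non-compliant resource and the control (policy definition) it fails.
Get-AzPolicyState -PolicyAssignmentName $assignmentName `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionName, PolicyDefinitionReferenceId, Timestamp |
    Format-Table -AutoSize
```

Treat the output the way the bullet above says: it covers only the controls that have Azure Policy definitions mapped to them, and it says nothing about the physical-security assessment that underpins PASF, which remains the NPIRMT's audit and the local senior information risk owner's own review.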

Frequently asked questions

Can police departments in the UK use the Azure PASF assessment as part of their own risk assessments?
Yes. Law enforcement can use the NPIRMT assessment of Azure to support their own local risk assessment before a move to the cloud.

Resources