Technology security policy

Published: 19 November 2024
Freedom of information class: How we manage our resources

This policy sets out the RoS commitment to protect information assets. It is subordinate to the overarching RoS Information Security Policy and is applicable to all employees and contractors who design, build, maintain and improve technology.


1. Purpose and scope

1.1 This policy sets out the Registers of Scotland (RoS) commitment to protect information assets by outlining the necessary security requirements for information processing technologies throughout their lifecycle. The scope applies to all technical assets, whether hardware, software, or cloud services.

1.2 This policy is subordinate to the overarching RoS Information Security Policy and is applicable to all employees and contractors who design, build, maintain and improve technology.

2. Requirements for information processing technologies

2.1 A risk assessment must be carried out for all business change that requires new technology or major improvements. This includes, but is not limited to, changes that affect the processing, transmission, or storage of services which process, communicate or store information assets.

2.2 When establishing security requirements for new or existing information processing technologies, a defence-in-depth approach must be taken, without reliance on a single layer of protection.

2.3 When establishing security requirements for new or existing information processing technologies, controls must be considered, implemented and supported to manage and protect information assets based upon their classification.

2.4 Information Systems Security Controls must be designed to comply with the requirements mandated within business, security and technology standards, patterns and guidance, and where this is not possible an Exception must be requested and authorised as per the Security Requirements Exceptions Process.

2.5 In line with the organisation's risk appetite, information systems and services must have appropriate vendor agreements in place to ensure that support is provided for the prompt remediation of operational issues and vulnerabilities.

2.5.1 Approved Open-Source Software support forums must be proactively monitored to ensure that release notes for updates or fixes are actioned without undue delay.

2.5.2 All changes to information systems and services that may affect their operation, configuration or security must be subject to Change Control.

2.6 Details of information processing technologies, whether new or existing and regardless of environment, must be recorded in the technical asset management system, where ownership and business service alignment must be established.

3. Roles and responsibilities

3.1 All RoS employees and contractors who are designing, building, and maintaining technology within RoS are bound by the terms of this policy. They are required to effectively operate the various procedures and controls which facilitate compliance in practice.

3.2 The RoS Information Security Assurance Group (ISAG) has operational ownership of this policy and is responsible for ensuring its fulfilment in practice.

3.3 The RoS Information Security Assurance Group (ISAG) has strategic oversight and overall accountability for information security within RoS. IAOs can authorise exceptions to the agreed business, security and technology standards, patterns, and guidance.

3.4 In so far as this policy is applicable to them, the partners in our supply chain will support its fulfilment in practice, and ISAG will take steps to ensure that this is compliant.

3.5 This policy should be part of the publication scheme. The policy must be a mandatory read for all Digital colleagues and contractors working within these areas.

4. Approval and review

4.1 This policy will be reviewed and approved by the ISG annually, unless earlier review is appropriate.

Author: Information Assurance Advisor
Reviewed: Service Manager for Information Security Risk and Assurance
Cleared: Director of Policy and Corporate Services and Accountable Officer
Approval: ISG
Approval date: October 2024
Policy version: Version 3.0
Review responsibility: ISG
Review date: October 2025
Publication scheme: Yes
Email to contact: SRA@ros.gov.uk