
Desired outcome

A fire and rescue service that delivers excellence to the public by using information and communications technology (ICT) safely, effectively and efficiently to deliver prevention, protection and response services. It uses ICT to provide appropriate access to information and facilitate vital communications when and where it is needed, contributing to the safety of communities.

A fire and rescue service whose approach to investment and development of ICT enables it both to meet its statutory obligations to its communities and take proactive steps to maintain sustainable technology and provision of service. That investment will be driven by a clear strategic approach to bring about necessary continuous improvement in using and evaluating technology.

A service which seeks opportunities to contribute to good practice in the sector and beyond, maximising the resources available to them. One that implements appropriate technology, which demonstrates proportionate resilience and value for money. It has proportionate security controls and enables and educates its Employees to use the technology well. It maintains technology in line with good practice, planning for the replacement of assets and solutions before becoming end-of-life.

A service that supports its Employees to achieve the level of Digital skill necessary to carry out their roles effectively and safely, and to understand their obligations when using technology. Its leaders recognise how critical effective technology is and enable its workforce to fully engage with it.

One that governs and manages Cyber Security appropriately, balancing the protection of ICT services, assets and data, while making sure that those who need to use ICT have the correct authorisation and permission to do their work. It proactively monitors and mitigates against changing cyber threats and can continue to deliver its duties successfully in the event of a cyber incident. It encourages its people to remain vigilant with respect to such threats and to report any concerns without delay.

Activity

Enabling

Business Area(s)

Digital and Cyber and Resources

Date approved
Date issued
Review date
Reference number
FSE-DC01

What is required to meet the fire standard

A fire and rescue service must:

  1. Maintain a continually evolving strategy for implementing and managing ICT to achieve its organisational objectives.
  2. Know what its information and Digital assets are and publish policies and procedures that protect those assets, including, but not limited to:
    1. Protection from and response to Cyber Security threats
    2. Lifecycle management for ICT services and assets, aligned to the Procurement and Commercial Fire Standard where appropriate
    3. Acceptable use expectations and obligations
    4. Major incident management and disaster recovery
    5. Procurement and supplier management, aligned to the Procurement and Commercial Management Fire Standard where appropriate
  3. Understand its Digital and Cyber Security related risks and put in place controls to manage them, demonstrating good practice in Cyber Security that meets or exceeds nationally accepted baselines.
  4. Ensure that effective organisational security management is led at board level.
  5. Align to a Cyber Security framework as directed by Government, following guidance and tools including relevant Cyber Security tools provided by the National Cyber Security Centre (NCSC).
  6. Deploy and actively maintain security toolsets to safeguard sensitive data, prevent security incidents and ensure the integrity of production status technology, that include at a minimum:
    1. Endpoint detection and response
    2. Secure infrastructure, including firewalls, storage and networks
    3. Multi factor authentication
    4. Privileged identity management
    5. Encrypted transmission (information and communications) where necessary
    6. Assured security where third parties supply elements of ICT service, e.g. software/platform/infrastructure-as-a-service, outsourced infrastructure or desktop management
  7. Identify and implement information and communications technologies which support and enhance emergency response capabilities.
  8. Deploy mobilisation and incident management solutions that provide efficient co-ordination, communication and resource allocation during emergencies.
  9. Provide solutions to connect Employees to the information they require to effectively and efficiently undertake their roles, e.g. 4G/5G, wide area networks, local area networks.
  10. Provide solutions to connect Employees to each other, and to other agencies when required, for effective and efficient voice and data communications as part of their roles.
  11. Continually assess security threats and controls to identify vulnerabilities, assess risks and control measures, and implement corrective measures when necessary to maintain or reinstate uncompromised ICT services.
  12. Ensure the whole organisation is prepared to continue its essential operations in the event of ICT Solution or service failures.
  13. Effectively recover its use of ICT solutions or services in the aftermath of a failure, to agreed timescales appropriate to criticality, and periodically exercise such failures, thereafter applying lessons learnt.
  14. Ensure all appropriate information assets are backed up and that backups are secure and encrypted.
  15. Demonstrate continual development of Digital skill to the standard determined necessary for people in their workforce to conduct their duties well.
  16. Ensure sufficient ICT skills and roles are available to it, irrespective of governance and delivery model. These skills include but are not limited to:
    1. Technology strategy and ICT service design
    2. Information and infrastructure security
    3. Availability and service continuity management
    4. Fixed and mobile networks management
    5. ICT asset and device management
    6. Management of changes, problems, incidents and service requests
  17. Deliver inclusive and accessible ICT solutions and toolsets, recognising that each workforce and community has different and diverse needs.
  18. Engage across the organisation to ensure the ICT needs for the whole service are met.
  19. Understand the reliance the service places on ICT in the delivery of its statutory duties and provide strategic investment that enables sustainable technology service provision.
  20. Establish clear data governance policies about the responsible and compliant handling of sensitive information held in the service’s information and communication technologies, aligning these policies with the requirements of the Data Management Fire Standard and NFCC Data Management Framework.

A fire and rescue service should:

  1. Adopt Government provided or advocated ICT and Cyber Security solutions when:
    1. Clear benefits for doing so can be articulated, and
    2. Existing solutions reach the end of their contracted period.
  2. When appropriate, and likely to deliver better outcomes for communities and people, collaborate with stakeholders and similar organisations to deliver solutions.
  3. Evaluate the ICT services it relies on to ensure the technological solutions and infrastructure remain fit for purpose, and that ICT practices are operated in line with service expectations.
  4. Stay informed about emerging technologies and use cases, so that ICT strategy, solutions and processes evolve appropriately, and investment is forward planned.
  5. Invest in research or innovation to deliver improved ICT solutions or to improve effectiveness and efficiency within existing ICT solutions.
  6. In the interest of cost avoidance and to increase productivity, prevent the use of multiple solutions with duplicated functionality or outcomes, except where an alternative Solution is provided to deliver specific requirements, such as enabling accessibility.

A fire and rescue service may:

  1. Align its ICT services to ITIL®4 practices or similar recognised best practice frameworks, proportionately implemented in line with the needs of the service.
  2. Maintain professional ICT delivery by investing in continued professional development through membership of relevant recognised professional bodies.
  3. Work with accreditation bodies or agencies to raise the standards of its ICT delivery and that of its supply chain.

Expected benefits of achieving the fire standard

  1. Decreased risk of data breach or data loss
  2. Enhanced professionalism and improved competence
  3. Statutory duties are underpinned by technology to deliver improved safety, health and wellbeing of communities
  4. Improved quality of service provided to the public
  5. Improved trust in and reputation of the service
  6. Greater regional and national collaboration leading to increased consistency and reduced organisational risk
  7. A more positive working culture generated

Linked qualifications, accreditations or fire standards

All Fire Standards work together and should be viewed as a suite. Those listed below are especially relevant to consider alongside this Fire Standard, however all Fire Standards are likely to have relevance.

Accreditations:

Services should be working towards achieving a Cyber Security framework; however, the below accreditations support an approach to protecting organisations against cyber threat. These include, but are not limited to:

Guidance and supporting information

Glossary of terms

Digital

For the purposes of this standard, this relates to the use of computer technology, including communications.

Cyber Security

How individuals and organisations reduce the risk of cyber attack by protecting devices and services, as well as preventing unauthorised access to personal information. (Abridged from NCSC definition)

Employees

Where this term is used, it is interchangeable for anyone authorised by the service to use its ICT services and assets, including volunteers and contractors.

Information and digital assets

All tangible and intangible assets where they have a value/purpose, including but not limited to end-user devices, data centre equipment, networks, virtual environments and workloads, cloud services, storage mechanisms, files and datasets used in the operation of the service.

Solution

An encompassing term for applications, platforms, toolsets and sometimes the delivery infrastructure (depending on delivery method, e.g. cloud).

Lifecycle management

The practice of managing an ICT asset or solution from provisioning, through operations, to decommissioning.

Major Incident Management

The practice of responding to, containing and resolving a significant loss or corruption of an ICT service.

Disaster Recovery

The provision of alternative infrastructure or services in the event of a failure, usually used in conjunction with major incident management, and followed by restoration of original infrastructure or services.

Production Status Technology

Solutions that are in use to deliver functions, also known as “live”, where the integrity of the information held in the solution is paramount. Alternative statuses include test, staging or development.

Multi Factor Authentication

The way an individual proves who they are by using more than one method, e.g. a password and then responding to a call or message.

Privileged Identity Management

The practice of managing privileged roles with increased ICT capabilities (e.g. global administrator) and providing timebound access to authorised users only when required.

Software/platform/infrastructure-as-a-service

Services operated from a third-party cloud environment, at different tiers of delivery.

ITIL®4

Information Technology Infrastructure Library – a framework for IT service management.


Note: Please contact the Fire Standards team within the NFCC for any queries or support with regards to this Fire Standard [email protected]
