diff --git a/app/templates/views/information-security.html b/app/templates/views/information-security.html
index 064d24cef..76765fd6b 100644
--- a/app/templates/views/information-security.html
+++ b/app/templates/views/information-security.html
@@ -164,31 +164,31 @@ Information security guidelines – GOV.UK Notify
“Dear Anne Smith, you’ve got a licence appointment tomorrow at 2:15pm at the Licence Office, 1 Chapel Hill, Heswall, Bournemouth BH1 1AA. To cancel your appointment, visit licensing.service.gov.uk/appointment/12345678/cancel. To change your appointment time, sign in to your account.”
This is a good example because:
- - The message and link doesn't reveal any sensitive personal data.
- - The message and link doesn't ask for personal data, passwords or payment details.
- - The reminder addresses the user by their name, helping to make phishing attacks more difficult.
- - The link just cancels the appointment. The worst that could happen is that an attacker cancels someone else’s appointment.
- - Users have to sign in to change the appointment time, making it harder for an attacker to know what their appointment time is .
- - The topic is something the user is familiar with.
+ - the message and link doesn't reveal any sensitive personal data
+ - it doesn't ask for personal data, passwords or payment details
+ - the reminder addresses the user by their name, making phishing attacks more difficult
+ - the link just cancels the appointment which minimises what an attacker can do
+ - users have to sign in to change the appointment time, making it harder for an attacker to know what their appointment time is
+ - the topic is something the user is familiar with
- Example of an application
- “Dear Anne Smith, you’ve got a licence appointment tomorrow at 2:15pm at the Licence Office, 1 Chapel Hill, Heswall, Bournemouth BH1 1AA. To cancel your appointment, visit licensing.service.gov.uk/appointment/12345678/cancel. To change your appointment time, sign in to your account.”
+
+ Example to add a photo to an environmental permit
+ “Dear Andrew Jones, to add a location photo to your environmental permit application, visit environmentalpermit.service.gov.uk/12345678/add-photo. If you didn’t request this link, please ignore this message.”
This is a good example because:
- - The message and link doesn't reveal any sensitive personal data.
- - The message and link doesn't ask for personal data, passwords or payment details.
- - The reminder addresses the user by their name, helping to make phishing attacks more difficult.
- - The link just cancels the appointment. The worst that could happen is that an attacker cancels someone else’s appointment.
- - Users have to sign in to change the appointment time, making it harder for an attacker to know what their appointment time is .
- - The topic is something the user is familiar with.
+ - the message and link doesn't reveal any sensitive personal data
+ - it doesn't ask for personal data, passwords or payment details
+ - the reminder addresses the user by their name, making phishing attacks more difficult
+ - the link only lets users add a photo to an environmental permit application – it doesn’t complete the process, which minimises what an attacker can do
+ - it shows users what to do if the message doesn't apply to them
-
+
You can do more if you want to
- These guidelines are the minimum requirement. If you want to take more stringent measures for your service, that’s fine.
+ These guidelines are the minimum requirement. You can take stricter measures for your service if you think it's necessary.
Just make sure you’re balancing your users’ needs to be kept informed and kept safe.
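Review bot: the third bullet under the new "Example to add a photo to an environmental permit" list still reads "the reminder addresses the user by their name", but that message is not a reminder; the wording was carried over from the appointment example above and should say "the message addresses the user by their name". While touching both lists, "the message and link doesn't reveal any sensitive personal data" has a plural subject, so it should be "don't reveal" (or "neither the message nor the link reveals"). The adjacent removed and re-added blank line before "You can do more if you want to" also looks like a whitespace-only change that could be dropped to keep the diff to content edits.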