From d546799bd52add818d4fcdea0993630f9f6c82ce Mon Sep 17 00:00:00 2001
From: SheryllGDS <sheryll.sulit@digital.cabinet-office.gov.uk>
Date: Thu, 3 Nov 2016 16:55:11 +0000
Subject: [PATCH 1/3] Updating text

---
 app/templates/views/information-security.html | 106 +++++++++++-------
 1 file changed, 63 insertions(+), 43 deletions(-)

diff --git a/app/templates/views/information-security.html b/app/templates/views/information-security.html
index 3fbe0f06b..064d24cef 100644
--- a/app/templates/views/information-security.html
+++ b/app/templates/views/information-security.html
@@ -14,39 +14,32 @@ Information security guidelines – GOV.UK Notify
       Information security for text messages, emails and letters
     </h1>
 
-    {% call banner_wrapper(type='warning') %}
-      <h2 class="heading-medium">This content is a work in progress</h2>
 
-      <p>It should not be relied upon</p>
-    {% endcall %}
 
-    <p>A more pragmatic approach to information security</p>
 
-    <p class="lede">In the past, government has taken a risk-averse approach to information security. This resulted in services that were unhelpful and hard to use.</p>
+    <p class="lede">Use a practical approach to information security, one that balances a user’s need to be kept informed with being kept safe.</p>
 
-    <p class="lede">We’re switching to a more pragmatic approach to information security – one that balances a user’s needs to be kept informed and kept safe.</p>
-
-    <p>In the past, for example, our blanket no-links policy meant we were telling people to “search ‘the UK government’ and click the first result” rather than just telling them to “visit <a href="https://www.gov.uk">www.gov.uk</a>”. Other services had a blanket policy of not sending any information at all, resulting in obtuse messages like “You have a message in your online account. Sign in to see the message.” (no sign-in link included).</p>
 
     <section id="contents">
       <h2 class="heading-medium">Contents</h2>
 
       <ul class="list list-bullet">
-        <li><a href="#start-with-needs">Start with needs – user needs, not government needs</a></li>
+        <li><a href="#start-with-needs">Start with user needs, not government needs</a></li>
         <li><a href="#understand-the-risks">Understand the risks</a></li>
-        <li><a href="#information-security-guidelines">Information security guidelines</a></li>
+        <li><a href="#information-security-guidelines">Information security principles</a></li>
+        <li><a href="#examples">Examples</a></li>
         <li><a href="#you-can-do-more">You can do more if you want to</a></li>
       </ul>
     </section>
 
     <section id="start-with-needs">
-      <h2 class="heading-medium">Start with needs – user needs, not government needs</h2>
+      <h2 class="heading-medium">Start with user needs, not government needs</h2>
 
       <p>Start by writing the message you want to send. Don’t worry about the information security aspect just yet – write the message you want to convey as clearly and directly as possible.</p>
 
       <p>We have <a href="">design patterns</a> and <a href="">content guidance</a> to help you write clearly and convey the right information at the right time.</p>
 
-      <p>Once you have a message which meets user needs, look at it in relation to the risks below. Use this framework to decide if you need to change the message in order to keep the users safe.</p>
+      <p>Once you have a message which meets user needs, look at it in relation to the risks we outline. Use this to decide if you need to change the message in order to keep the users safe.</p>
     </section>
 
     <section id="understand-the-risks">
@@ -54,19 +47,19 @@ Information security guidelines – GOV.UK Notify
 
       <p>There are 3 main risks involved in sending notifications by text message, email or letter:</p>
 
-      <ul class="list list-bullet">
-        <li>Someone accidentally sees the notification</li>
-        <li>An attacker intercepts a message, or gains access to someone’s email inbox, phone messages or paper files</li>
-        <li>An attacker tricks the user by sending a fake notification (phishing)</li>
-      </ul>
+      <ol class="list list-number">
+        <li>Someone accidentally sees the notification.</li>
+        <li>An attacker intercepts a message, or gains access to someone’s email inbox, phone messages or paper files.</li>
+        <li>An attacker tricks the user by sending a fake notification (phishing).</li>
+      </ol>
 
       <h3 class="heading-small" id="risk-privacy">Someone accidentally sees the notification</h3>
 
-      <p>For some messages, the recipient would be unhappy if someone else accidentally saw the contents – for example, the results of a recent medical test.</p>
+      <p>For some messages, the recipient would be unhappy if someone else accidentally saw the contents, for example, the results of a recent medical test.</p>
 
       <p>This is a privacy issue – in this case the unintended recipient isn’t trying to steal money or identity information.</p>
 
-      <p>To address this risk, don’t reveal the important information in the subject line or opening sentence, or ask the user to sign in to see the information in full. More about this below.</p>
+      <p>To address this risk, don’t reveal the important information in the subject line or opening sentence, or ask the user to sign in to see the information in full.</p>
 
       <h3 class="heading-small" id="risk-fraud">An attacker intercepts a message, or gains access to someone’s email inbox, phone messages or paper files</h3>
 
@@ -74,7 +67,7 @@ Information security guidelines – GOV.UK Notify
 
       <p>It’s also possible for a criminal to gain access to someone’s entire email inbox, phone messages or paper files. Email accounts can be hacked, phones and paper files can be stolen, left lying around or picked out of the rubbish.</p>
 
-      <p>In both cases, criminals are looking for information they can use to commit fraud. To address this risk, don’t send payment details, ID numbers or any other information that can be used for fraud. More about this below.</p>
+      <p>In both cases, criminals are looking for information they can use to commit fraud. To address this risk, don’t send payment details, ID numbers or any other information that can be used for fraud.</p>
 
       <h3 class="heading-small" id="risk-phishing">An attacker tricks the user by sending a fake notification (phishing)</h3>
 
@@ -82,26 +75,26 @@ Information security guidelines – GOV.UK Notify
 
       <p>This is known as a ‘phishing attack’.</p>
 
-      <p>To address this risk, don’t send <strong>requests</strong> for personal information <strong>of any kind</strong>, unless the request is <strong>directly connected with a transaction</strong>. More about this below.</p>
+      <p>To address this risk, don’t send requests for personal information of any kind, unless the request is directly connected with a transaction.</p>
     </section>
 
     <section id="information-security-guidelines">
-      <h2 class="heading-medium">Information security guidelines</h2>
+      <h2 class="heading-medium">Information security principles</h2>
 
       <h3 class="heading-small" id="guideline-privacy">Protect the user’s privacy</h3>
 
-      <p>If you think the recipient might be upset if someone accidentally saw the message contents, either:</p>
+      <p>To avoid someone other than the recipient accidentally seeing a message that has sensitive or confidential information, either:</p>
 
       <ul class="list list-bullet">
-        <li>use a fairly generic subject line and opening sentence, and only give the information in full within the body of the message, or</li>
-        <li>send a fairly generic message which asks the person to sign in to see the information in full</li>
+        <li>use a generic subject line and opening sentence, and only give the information in full within the body of the message</li>
+        <li>send a generic message which asks the person to sign in to see the information in full</li>
       </ul>
 
       <p>Remember that even the sender ID also reveals information. For example, don’t set your sender name as ‘STI clinic’.</p>
 
       <h3 class="heading-small" id="guideline-fraud">Don’t send information that can be used for fraud</h3>
 
-      <p>To reduce the risk if messages are intercepted, hacked or stolen, don’t send information that can be used for fraud – either now or in the future:</p>
+      <p>To reduce the risk if messages are intercepted, hacked or stolen, don’t send messages with:</p>
 
       <ul class="list list-bullet">
         <li>payment details</li>
@@ -118,53 +111,80 @@ Information security guidelines – GOV.UK Notify
 
       <p>To reduce the risk from phishing attacks, don’t send <strong>requests</strong> for personal information <strong>of any kind</strong>, unless the request is <strong>directly connected with a transaction</strong>.</p>
 
-      <p>It’s OK to send a request for personal information if it’s directly connected with a transaction. Here are two examples of where it would be OK:</p>
+      <p>It’s OK to send a request for personal information if it’s directly connected with a transaction. Here are 2 examples of where it would be OK:</p>
 
       <ul class="list list-bullet">
         <li>Someone clicks a ‘Forgot your password?’ link – it’s OK to send them a link where they can reset their password</li>
         <li>Someone’s MOT is about to expire – y</li>
       </ul>
 
-      <h3 class="heading-small" id="guideline-links">It’s OK to include links – but you need to follow these rules</h3>
+      <h3 class="heading-small" id="guideline-links">It’s OK to include links</h3>
 
-      <p>The same 2 rules above apply to links, too:</p>
+      <p>The same 2 rules above apply to links:</p>
 
       <ul class="list list-bullet">
         <li>Don’t send links that reveal information that can be used for fraud</li>
         <li>Don’t send unsolicited messages that include a link requesting personal information of any kind (it’s OK to send a message with a link requesting information if the user has just requested it)</li>
       </ul>
 
-      <p>There are additional rules that apply specifically to links:</p>
+      <p>There are additional rules that apply specifically to links.</p>
 
-      <ul class="list list-bullet">
-        <li>Links must point to a .gov.uk domain – for example, <a href="https://www.gov.uk">https://www.gov.uk</a> or <a href="https://www.armslengthbody.gov.uk">https://www.armslengthbody.gov.uk</a></li>
-        <li>Links must show the URL in full – for example <a href="https://www.gov.uk/vehicle-tax">https://www.gov.uk/vehicle-tax</a>, not <a href="https://www.gov.uk/vehicle-tax">Vehicle tax</a></li>
-        <li>Don’t use redirects or tracking links – disguising the URL makes phishing easier. Just show the URL in full</li>
-        <li>Don’t link directly to a sign-in page – this is a request for personal data. If the user needs to sign in to your service, link to your start page on GOV.UK</li>
-        <li>It’s OK to deep-link into your service, as long as the user doesn’t have to sign in to view the information or take action</li>
-      </ul>
+      <ol class="list list-number">
+        <li>Links must point to a .gov.uk domain – for example, <a href="https://www.gov.uk">https://www.gov.uk</a> or <a href="https://www.armslengthbody.gov.uk">https://www.armslengthbody.gov.uk</a>.</li>
+        <li>Links must show the URL in full – for example <a href="https://www.gov.uk/vehicle-tax">https://www.gov.uk/vehicle-tax</a>, not <a href="https://www.gov.uk/vehicle-tax">Vehicle tax</a>.</li>
+        <li>Don’t use redirects or tracking links – disguising the URL makes phishing easier. Just show the URL in full.</li>
+        <li>Don’t link directly to a sign-in page – this is a request for personal data. If the user needs to sign in to your service, link to your start page on GOV.UK.</li>
+        <li>It’s OK to deep-link into your service, as long as the user doesn’t have to sign in to view the information or take action.</li>
+      </ol>
 
       <h3 class="heading-small" id="guideline-attachments">Don’t send attachments</h3>
 
       <p>If you want to communicate something, write it in the body of the email. This is more user-friendly. If the information is too sensitive to include in the email body, it’s too sensitive to include in an attachment.</p>
 
-      <p>If you need to send someone a file, make the file available within your service, then link to it. </p>
-
-      <p>Criminals often use attachments to conceal viruses, spyware and other kinds of malware. We want people to be cautious about opening attachments.</p>
+      <p>If you need to send someone a file, make the file available within your service, then link to it.</p>
 
+ 
       <h3 class="heading-small" id="guideline-name">Include the user’s name – it makes phishing more difficult</h3>
 
       <p>Start your message by addressing the user. For example, Hi Alice Smith or Dear Bob Jones. Including this extra piece of information makes phishing more difficult.</p>
 
       <h3 class="heading-small" id="guideline-technical">Use technical approaches to improve privacy and prevent phishing</h3>
 
-      <p>There are several technical approaches to preventing phishing – <a href="https://www.gov.uk/guidance/common-technology-services-cts-secure-email-blueprint">SPF/DKIM, DMARC</a> and <a href="https://en.m.wikipedia.org/wiki/Transport_Layer_Security">TLS</a>. You must use them.</p>
+      <p>There are several technical approaches to preventing phishing. You must use <a href="https://www.gov.uk/guidance/common-technology-services-cts-secure-email-blueprint">SPF/DKIM, DMARC</a> and <a href="https://en.m.wikipedia.org/wiki/Transport_Layer_Security">TLS</a>.</p>
 
       <p>SPF/DKIM and DMARC make sure your emails get delivered, whilst phishing and spam email gets filtered into junk mail.</p>
 
       <p>TLS makes sure that no-one can intercept your emails.</p>
     </section>
-
+    
+      <section id="examples">
+      <h2 class="heading-medium">Examples</h2>
+      
+        <h3 class="heading-medium">Example of an appointment reminder</h3>
+        <p>“Dear Anne Smith, you’ve got a licence appointment tomorrow at 2:15pm at the Licence Office, 1 Chapel Hill, Heswall, Bournemouth BH1 1AA. To cancel your appointment, visit licensing.service.gov.uk/appointment/12345678/cancel. To change your appointment time, sign in to your account.”</p>
+        <p>This is a good example because:</p>
+         <ul class="list list-bullet">
+           <li>The message and link doesn't reveal any sensitive personal data.</li>
+           <li>The message and link doesn't ask for personal data, passwords or payment details.</li>
+           <li>The reminder addresses the user by their name, helping to make phishing attacks more difficult.</li>
+            <li>The link just cancels the appointment. The worst that could happen is that an attacker cancels someone else’s appointment.</li>
+            <li>Users have to sign in to change the appointment time, making it harder for an attacker to know what their appointment time is .</li>
+            <li>The topic is something the user is familiar with.</li>
+        </ul>
+      
+        <h3 class="heading-medium">Example of an application</h3>
+        <p>“Dear Anne Smith, you’ve got a licence appointment tomorrow at 2:15pm at the Licence Office, 1 Chapel Hill, Heswall, Bournemouth BH1 1AA. To cancel your appointment, visit licensing.service.gov.uk/appointment/12345678/cancel. To change your appointment time, sign in to your account.”</p>
+        <p>This is a good example because:</p>
+         <ul class="list list-bullet">
+           <li>The message and link doesn't reveal any sensitive personal data.</li>
+           <li>The message and link doesn't ask for personal data, passwords or payment details.</li>
+           <li>The reminder addresses the user by their name, helping to make phishing attacks more difficult.</li>
+            <li>The link just cancels the appointment. The worst that could happen is that an attacker cancels someone else’s appointment.</li>
+            <li>Users have to sign in to change the appointment time, making it harder for an attacker to know what their appointment time is .</li>
+            <li>The topic is something the user is familiar with.</li>
+        </ul>
+         </section>
+    
     <section id="you-can-do-more">
       <h2 class="heading-medium">You can do more if you want to</h2>
 

From 49ef6f22ff72d6ed20169eeecd8c549da048957a Mon Sep 17 00:00:00 2001
From: SheryllGDS <sheryll.sulit@digital.cabinet-office.gov.uk>
Date: Wed, 9 Nov 2016 11:52:52 +0000
Subject: [PATCH 2/3] Update information-security.html

---
 app/templates/views/information-security.html | 32 +++++++++----------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/app/templates/views/information-security.html b/app/templates/views/information-security.html
index 064d24cef..76765fd6b 100644
--- a/app/templates/views/information-security.html
+++ b/app/templates/views/information-security.html
@@ -164,31 +164,31 @@ Information security guidelines – GOV.UK Notify
         <p>“Dear Anne Smith, you’ve got a licence appointment tomorrow at 2:15pm at the Licence Office, 1 Chapel Hill, Heswall, Bournemouth BH1 1AA. To cancel your appointment, visit licensing.service.gov.uk/appointment/12345678/cancel. To change your appointment time, sign in to your account.”</p>
         <p>This is a good example because:</p>
          <ul class="list list-bullet">
-           <li>The message and link doesn't reveal any sensitive personal data.</li>
-           <li>The message and link doesn't ask for personal data, passwords or payment details.</li>
-           <li>The reminder addresses the user by their name, helping to make phishing attacks more difficult.</li>
-            <li>The link just cancels the appointment. The worst that could happen is that an attacker cancels someone else’s appointment.</li>
-            <li>Users have to sign in to change the appointment time, making it harder for an attacker to know what their appointment time is .</li>
-            <li>The topic is something the user is familiar with.</li>
+           <li>the message and link doesn't reveal any sensitive personal data</li>
+           <li>it doesn't ask for personal data, passwords or payment details</li>
+           <li>the reminder addresses the user by their name, making phishing attacks more difficult</li>
+            <li>the link just cancels the appointment which minimises what an attacker can do</li>
+            <li>users have to sign in to change the appointment time, making it harder for an attacker to know what their appointment time is</li>
+            <li>the topic is something the user is familiar with</li>
         </ul>
       
-        <h3 class="heading-medium">Example of an application</h3>
-        <p>“Dear Anne Smith, you’ve got a licence appointment tomorrow at 2:15pm at the Licence Office, 1 Chapel Hill, Heswall, Bournemouth BH1 1AA. To cancel your appointment, visit licensing.service.gov.uk/appointment/12345678/cancel. To change your appointment time, sign in to your account.”</p>
+    
+     <h2 class="heading-medium">Example to add a photo to an environmental permit</h2>
+        <p>“Dear Andrew Jones, to add a location photo to your environmental permit application, visit environmentalpermit.service.gov.uk/12345678/add-photo. If you didn’t request this link, please ignore this message.”</p>
         <p>This is a good example because:</p>
          <ul class="list list-bullet">
-           <li>The message and link doesn't reveal any sensitive personal data.</li>
-           <li>The message and link doesn't ask for personal data, passwords or payment details.</li>
-           <li>The reminder addresses the user by their name, helping to make phishing attacks more difficult.</li>
-            <li>The link just cancels the appointment. The worst that could happen is that an attacker cancels someone else’s appointment.</li>
-            <li>Users have to sign in to change the appointment time, making it harder for an attacker to know what their appointment time is .</li>
-            <li>The topic is something the user is familiar with.</li>
+           <li>the message and link doesn't reveal any sensitive personal data</li>
+           <li>it doesn't ask for personal data, passwords or payment details</li>
+           <li>the reminder addresses the user by their name, making phishing attacks more difficult</li>
+            <li>the link only lets users add a photo to an environmental permit application – it doesn’t complete the process, which minimises what an attacker can do</li>
+            <li>it shows users what to do if the message doesn't apply to them</li>
         </ul>
-         </section>
+       </section>
     
     <section id="you-can-do-more">
       <h2 class="heading-medium">You can do more if you want to</h2>
 
-      <p>These guidelines are the minimum requirement. If you want to take more stringent measures for your service, that’s fine.</p>
+      <p>These guidelines are the minimum requirement. You can take stricter measures for your service if you think it's necessary.</p>
 
       <p>Just make sure you’re balancing your users’ needs to be kept informed and kept safe.</p>
     </section>

From 23f52aae310afbebd4c20aa2a5d350284647336f Mon Sep 17 00:00:00 2001
From: SheryllGDS <sheryll.sulit@digital.cabinet-office.gov.uk>
Date: Wed, 9 Nov 2016 12:45:55 +0000
Subject: [PATCH 3/3] Update information-security.html

---
 app/templates/views/information-security.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/templates/views/information-security.html b/app/templates/views/information-security.html
index 76765fd6b..ddca943a5 100644
--- a/app/templates/views/information-security.html
+++ b/app/templates/views/information-security.html
@@ -37,7 +37,7 @@ Information security guidelines – GOV.UK Notify
 
       <p>Start by writing the message you want to send. Don’t worry about the information security aspect just yet – write the message you want to convey as clearly and directly as possible.</p>
 
-      <p>We have <a href="">design patterns</a> and <a href="">content guidance</a> to help you write clearly and convey the right information at the right time.</p>
+      <p>Use our <a href="https://designpatterns.hackpad.com/Notifications-5vuitmNqIjZ">design patterns</a> along with the <a href="https://www.gov.uk/topic/government-digital-guidance/content-publishing">GOV.UK style guide</a> to help you write clearly and convey the right information at the right time.</p>
 
       <p>Once you have a message which meets user needs, look at it in relation to the risks we outline. Use this to decide if you need to change the message in order to keep the users safe.</p>
     </section>