Week 4: Our Security Culture

This week is about our collective responsibility towards security and how teamwork, integrity and trustworthiness help safeguard against potential threats.
Step 1

Welcome

Welcome to week 4 of NUSTART. This week you will learn all about security at UKNNL and how you can contribute to keeping us safe and secure. Before getting started, watch this short video in which Des Wright, Chief Nuclear Officer and Senior Information Risk Officer, talks about the importance of security to UKNNL.

Step 2

Security teams at UKNNL

In your first week, you completed the General Security Awareness e-learning module where you learned about how your own actions help protect our assets and keep our business secure.

While we all have a personal responsibility when it comes to security, we also have different teams and specialist roles that are dedicated to keeping us safe, secure, and compliant with both legal and regulatory requirements. Collaboration with these teams is crucial to maintaining our strong security culture, so this week you will be introduced to our different security teams and learn who to contact for advice on any aspect of security.

Step 3

Security and Resilience

Our Security and Resilience (S&R) Team is responsible for the security of all our people, facilities, and physical assets. They make sure we are compliant with all the regulations governing the nuclear industry and maintain operational security, providing advice and guidance to the business. Our Personnel Security team, or vetting team, sits within the S&R function. The vetting team checks the identity and integrity of everyone working for or on behalf of UKNNL.

You will learn more about the roles within S&R and how you may interact with the team over the next few steps.

Step 4

Security Liaison Officer

The Security Liaison Officer (SLO) is the local security representative at each of our facilities. They provide a local point of contact for security and ensure that all our security requirements are cascaded throughout the business.

Your SLO will be able to advise you on your facility’s security arrangements and how to protect UKNNL assets at your location. They will also make you aware of any specific security measures that apply at certain times, for example when building work is being carried out at your site.

SLOs also monitor and report on compliance with UKNNL security standards and will often carry out spot checks to ensure that the appropriate security procedures are being followed.

Your SLO is your local contact for security advice.

You can find full details about the Security Liaison Officer role on Q-Pulse in IMS-01-SLO v3.

Step 5

SLO activities

To do

  • Talk to your line manager to find out how your team works with your local SLO.
  • Find out what security concerns you might encounter in your work, how your team manages them and how you can help.
Step 6

Security reviews

All employees are subject to security reviews. For colleagues holding Baseline Personnel Security Standard (BPSS), assurance checks are undertaken annually by your line manager. Managers receive an automated Business World alert asking for confirmation that there are no security concerns. National Security Vetting clearances are reviewed in line with ONR regulations. For colleagues holding Security Clearance (SC) the review period is every 10 years, and for employees holding Developed Vetting (DV) clearance the review period is seven years.

Colleagues holding DV or SC will also be subject to an annual security appraisal which involves completing a Security Appraisal Form with their team manager.

It’s important you engage in this process and are proactive in arranging a security appraisal. Failure to do so could result in the withdrawal of your security clearance and the removal of access to facilities and/or network.

Step 7

Change in circumstances

Vetting aftercare maintains your security clearance throughout your employment at UKNNL. Any information that might constitute a security concern that could affect your suitability to hold or continue to hold security clearance must be reported to your line manager. In some instances, your line manager may need to share this information with the vetting team.

This could include:

  • Criminal offences - you are arrested, refused bail, receive a police caution, reprimand or final warning, or are convicted of an offence (other than minor road traffic offences)
  • Significant physical or psychological problems, such as depression or emotional instability
  • Addiction, for example, gambling, alcohol or drugs
  • Serious security breaches

You should also inform security vetting of any changes in personal circumstances.

These could be:

  • Changes in your financial circumstances, which may include:
    • a significant change in finances that makes a real difference to your financial situation, either by making it more difficult or by improving it, for example incurring more debt than you can easily manage, bankruptcy, or receiving a lump sum by inheritance or as a gift.
    • a planned reduction in income or savings, e.g. maternity/paternity leave for an extended period, a reduction in working hours, or a partner retiring.
    • a planned increase in income or savings, e.g. paying off a mortgage, removal of a financial liability such as a loan, an expected investment maturity, an expected inheritance, a UKNNL promotion, or a significant bonus payment.
  • Change of nationality - you acquire a new nationality or renounce a nationality that you previously held.
  • A marriage or civil partnership, or you start living with a partner as a couple.
  • A new co-resident starts living with you in shared accommodation (Developed Vetting (DV) only).

All reports will be treated confidentially but may be shared on a need-to-know basis.

In some circumstances, information may need to be shared with the HR team, Sellafield site security (if you are based at Sellafield) and the Office for Nuclear Regulation (ONR). The vetting team will work with you and relevant partners to mitigate any potential risk to our organisation.

We recognise that you may feel nervous about reporting a change in circumstances to the vetting team, but it’s important to remember that their primary aim is to mitigate risk rather than remove your clearance. You can reach the security vetting team at nnl.security.vetting@uknnl.com. For urgent matters, click the ‘Report an incident’ button on the Nucleus home page.

Step 8

Security for Line Managers

Line managers have additional responsibilities when it comes to security. As they oversee teams, they’re often the first to notice if someone might be struggling or at risk of being exploited. If you're a line manager you must complete NN5825 Security for Line Managers e-learning to help you recognise and address these risks effectively, ensuring a safe and secure environment for everyone.

For everyone else, don’t worry—you can move on to the next step.

Step 9

Pass management

While it’s normal for many organisations to ask their employees to carry or wear an ID pass, due to the nature of our work, we place strict controls on when and where you should wear your pass.

Please familiarise yourself with the following rules and be prepared to respectfully challenge if you see someone wearing or using their pass incorrectly:

  • passes must always be worn and displayed within UKNNL premises - the only exception is where there is an agreed overriding safety requirement.
  • passes are not to be displayed outside UKNNL premises (except whilst on a nuclear licensed site where UKNNL is located).
  • pass holders must not allow anyone else to use their pass.
  • lost passes must be reported immediately to the local Security Liaison Officer (SLO), and the loss recorded on the UKNNL online reporting system, OSHENS.
  • ensure you comply with local and company access control requirements.
  • passes that are worn, damaged or where the photograph is no longer a good likeness of the holder must be replaced.
  • if you have a name change, for example due to marriage, you must request an updated pass.
  • passes must be treated responsibly and held securely; it is your responsibility to look after your pass.
  • passes should be held in official pass holders with lanyards or other appropriate authorised holders to minimise loss/damage.
  • passes must not be left in vehicles.
  • only one UKNNL security pass may be held by an individual.
  • passes must be handed in if you are going to be absent from work for an extended period, for example maternity or paternity leave, career break, long term sickness or as a result of suspension.
  • passes must not be tampered with or given to another person to use, and the security access control system must not be abused.

Step 10

Travelling abroad

Working in the UK nuclear industry may make you of interest to foreign intelligence services when travelling abroad – regardless of whether you have access to sensitive or protectively marked material.

In some instances when you are travelling abroad, whether for business or pleasure, you must notify UKNNL Security vetting.

The IMS document Reporting Requirements for Overseas Travel (IMS-I-070) provides information about the countries that you need to notify the UKNNL Security vetting about, and how to register your travel on Business World. Please find and read the policy on Q-Pulse and make sure you know what to do to travel safely abroad.

If you have a need to take UKNNL IT kit or information abroad, you must follow the export controls procedure. You'll learn more about this in step 17.

Step 11

Chief Information Security Officer function

What does the CISO function do?

Everything we do at UKNNL is informed by information, from developing advanced reactors, to supporting university-led projects, to managing monthly payslips.

The expertise and insight held within all types of UKNNL information is vast, and sometimes highly sensitive. This makes it valuable.

Unfortunately, others may wish to exploit this value - from hostile states looking to shortcut their nuclear programmes, to cyber criminals looking to ransom our information for money.

Occasionally, mistakes can also put UKNNL information at risk.

The UKNNL Chief Information Security Officer (CISO) function's role is to help UKNNL protect its information. The CISO team provide specialist advice and support to help everyone across UKNNL protect our information. They do this as part of day-to-day business, and also as part of responses to specific incidents.

What can the CISO function help you with?

As well as working closely with IT to help monitor and ensure UKNNL information is secure, the CISO function provides a range of other services. Examples of when you may need to reach out include:

  • if you are starting a new project or procurement and want to ensure it has the right level of security included from the start.
  • if you are travelling overseas on business and need to use UKNNL kit securely.
  • if you need advice on sharing information securely with organisations outside UKNNL.
  • if you have urgent/immediate concerns that UKNNL information is being put at risk.

How to contact CISO

You can contact the CISO function for non-urgent queries about projects, procurements, travel, etc. at nnl.ciso.team@uknnl.com.

Don't forget that a range of supporting instructions and procedures are available on Q-Pulse. UKNNL's CISO Function page also provides useful information about how we all have a role to play protecting our information.

Step 12

CISO activities

Find and familiarise yourself with the following documents on Q-Pulse:

  • UKNNL-Policy-24 UKNNL Information Security Policy Statement: sets out the Information Security goals for UKNNL.
  • UKNNL-Policy-24-App1 UKNNL Information Security Strategic Objectives: translates the goals into a structured set of objectives for the CISO function.
  • IMS-P-543 Information Security Procedure: outlines the overarching procedure, for all employees, for protecting information.
  • IMS-GN-031: read the guidance on classification and descriptors to ensure you are handling information securely.

Step 13

Information security and data protection

Data protection is ensuring fair and correct use of information about people – people like you, your colleagues, friends, and family. The Data Protection Act 2018 (DPA) and General Data Protection Regulation (GDPR) provide rules on how data must be handled and processed to ensure it is used fairly, lawfully, and transparently.

Every day, we all handle personal data in our roles – we just may not realise it.

Understanding what this data looks like and the handling principles is vital. Mistakes can be serious and could result in UKNNL facing regulatory interventions and fines. More importantly, we could also risk causing harm to those who trust us with their information.

If you have a serious or urgent concern regarding data protection contact the IT Service Desk in the first instance on 01925 933777 who will advise on next steps.

Learn more about GDPR and data protection by completing NN5803 Data Protection Essentials e-learning. If your role means you’ll be processing personal data or controlling data (e.g. Human Resources or payroll) you may need to complete NN0417 General Data Protection Regulation Advanced. Speak to your line manager if you are unsure.

Step 14

Social media

Many of us have a presence on social media, whether it’s Facebook, LinkedIn or TikTok. Whilst seemingly harmless, it’s important to remember that these sites allow individuals to obtain personal information about us.

For example, creating an account often requires us to hand over personal information such as our name, date of birth, address and/or phone number. Savvy criminals will often collect data from many different sources, building a picture of where you live, places you visit, clubs or communities you join and information about your family. You may need to consider discussing with your close friends and family what impact their actions on social media may have on you and UKNNL, for example if they share your role, what you do and where you work.

As an employee of UKNNL you are one of our most valued assets, but this also makes you a potential target for those who might wish to do us harm. Please ensure that your social media presence never brings UKNNL into disrepute. Never disclose your security clearance level online.

Learn how to stay safe on social media by visiting Q-Pulse and reading IMS-GN-EUG: Online Social Networking – End User Guidance.

Step 15

Personal devices

Mobile devices can be taken on site, but some areas may restrict you from having a mobile on your person, and you should follow any local signage or instructions given at the time. You can use your phone during working hours providing it is appropriate and not a disruption to you, your work or your colleagues. You are not permitted to take photographs on any UKNNL premises unless authorised by a Security Liaison Officer.

All your UKNNL work should be carried out on UKNNL IT and devices. Personal laptops, desktops and IT devices do not have the same stringent security standards as UKNNL devices and are at greater risk of being compromised. Transferring data between UKNNL and personal devices is strictly prohibited due to the risk of breaching GDPR regulations. If the kit you have been provided with isn’t right for what you need, always contact the IT service desk who will help you find a solution.

Don't forget, when working from home, smart speakers (such as Amazon Echo/Alexa) may also pick up sensitive conversations; make sure you turn them off or move them away from where you work.

Step 16

Reporting security incidents

If you need to report a security incident, you can do so quickly and easily through the ‘Report an incident’ button on the Nucleus home page. There are three reporting routes, for information, physical and personnel security issues, events or concerns. You can also find a reporting route for environment, health, safety & quality.

Visit the reporting incidents page now to learn what steps to take should an incident occur and make a note of any phone numbers you might need.

Step 17

Phishing

Phishing is how criminals try to introduce malicious code onto our network by sending emails containing malicious links or attachments. Attackers may also try to manipulate you into sharing sensitive information, such as usernames, passwords, email addresses and credit card details, or coerce you into making fraudulent payments. Phishing doesn't only happen through email; phone calls (voice phishing) are increasingly common, along with SMS and other 'messenger' types of phishing. Everyone is at risk of falling victim to a phishing attack and it's up to all of us to remain vigilant. In all cases, don't interact, click or supply any details if you feel it isn't appropriate to do so. You can report suspicious emails using the 'Report Phishing' button on the top right of the Outlook menu bar. For anything else, use the ‘Report an incident’ button on the Nucleus home page.

Step 18

Information – export controls

The information which UKNNL holds and processes could be subject to export controls. An “export” occurs when information, including information sent electronically or communicated verbally, crosses the UK border. An intention to export is not relevant. An export therefore includes the taking or sending of any information outside of the UK via the following means of transmission:

  • physical exports, for example laptop, mobile device, memory stick, disk or hard copy document.
  • electronic transfer, for example email, fax, video conference, intranets or shared data environments.
  • remote access from overseas to emails or corporate networks, for example, technology contained on an individual’s laptop will be exported if that individual takes the laptop outside the UK.

UKNNL’s policy is that laptops should not be taken out of the UK without approval from IT (export control, CISO and S&R). If permission is granted, advice must be sought from the Export Control Administrator to ensure that no information is inadvertently exported and that any information which is to be exported is under the relevant licence.

Further information on export controls is given in IMS-P-243.

Step 19

Glossary

Security & Resilience (S&R)

The Security & Resilience team are responsible for all our people, facilities and assets.

Personnel Security

The Personnel Security team (sometimes referred to as the Vetting team) check the identity and integrity of everyone working for or on behalf of UKNNL.

Security Liaison Officer

Security Liaison Officers (SLOs) are based at each of our facilities and act as a local point of contact for security, ensuring security requirements are cascaded throughout the business.

Information Management System

The information management system is similar to an electronic library, and it is the way we manage the interrelated parts of our business to achieve our objectives. You might hear the phrases ‘check the management system’, ‘look on IMS’ or ‘check Q-Pulse’; these are all used interchangeably and refer to checking what information is recorded under our IMS arrangements.

Q-Pulse

Q-Pulse is the electronic system or tool that provides a home for all of our information management arrangements.

OSHENS

Our event reporting system, pronounced OH-SHENS. To ‘raise an OSHENS’ is to log an event on the system.

Assets

Our assets include nuclear material, proprietary technology and information, our people, facilities, business processes, government classified information and our IT network.

Vetting

The method used to check the identity and integrity of an individual working for or on behalf of UKNNL.

Security Check

Security Check or SC clearance is required for posts involving regular and uncontrolled access to SECRET information and/or occasional, supervised access to TOP SECRET information assets.

Developed Vetting

Developed Vetting or DV clearance is used for positions that require substantial unsupervised access to TOP SECRET information and assets.

Vetting Aftercare

Aftercare is the management of personnel security. Its purpose is to investigate and monitor any continuing or arising security concerns and minimise risk.

Office of Nuclear Regulation

The Office of Nuclear Regulation (ONR) is the UK’s independent nuclear regulator with the legal authority to regulate nuclear safety, civil nuclear security and safeguards and conventional health and safety at nuclear licensed sites in the UK.

Chief Information Security Officer

The Chief Information Security Officer (CISO) function's role is to help UKNNL protect its information. The CISO team provide specialist advice and support to protect our information.

Hostile States

A term used to describe a foreign state that may carry out hostile activity such as sabotage, espionage and foreign interference.

UK General Data Protection Regulation

Sets out the responsibilities of organisations and individuals when processing personal data in the UK.

Data Protection Act 2018

The Data Protection Act 2018 (DPA) sets out the framework for data protection in the UK. It sits alongside and supplements the UK GDPR.

Personal Devices

Any portable technology such as mobile phones, tablets, laptops and USB flash drives.

Incidents

An event that may compromise information, physical or personnel security e.g. sensitive information shared in error, a person unwilling to show a pass etc.

Phishing

A technique used to try and deceive people into revealing sensitive information such as usernames or passwords through fraudulent emails or websites.

Export Controls

Controls placed on the export (the sharing of information, either electronically or verbally) across the UK border.

Baseline Personnel Security Standard (BPSS)

The standard level of screening used in the energy sector for positions working with or for Government Departments.

Step 20

End of week checklist and further activities

This week, we asked you to:

  • Find out who your local Security Liaison Officer is and how your team works alongside them.
  • Learn when you may need to notify your line manager of a change in circumstances that could affect your security clearance.
  • Get to know the security appraisal process and the importance of participating in reviews.
  • Learn how to look after your UKNNL pass, keeping it safe and secure.
  • Know when you may need to notify us of travelling abroad.
  • Learn what the CISO team do to keep us secure and how to contact them.
  • Complete either NN5803 Data Protection Essentials or NN0418 General Data Protection Advanced e-learning to understand how to manage information securely.
  • Learn how to keep yourself safe online.
  • Know when it's appropriate to use personal devices in work.
  • Know how and when to report security incidents.
  • Know when you might be subject to export controls.

To continue your progress, consider these further activities:

  1. Watch the webinar in which David Cowan from the Nuclear Decommissioning Authority talks about a ransomware attack on Copeland Borough Council in 2017, to learn about what really happens during an attack, the response and the road to recovery.
  2. Visit Get Safe Online, a useful site that can help you stay secure at home.
  3. Visit the Behavioural Based Observations & 24/7 report library (under UKNNL Applications > Corrective Action Management), view some of the sustainability observations (filter by topic of conversation) and consider submitting some of your own.

That's four weeks completed! Next you'll learn about our values and how we undertake our work with integrity and professionalism.