The UK Government’s new security classification scheme came into effect in April 2014 – and what was previously prescriptive became a lot more open to interpretation. Instead of having detailed lists of dos and don’ts, the onus has shifted to every individual to think about the information they are entrusted with and take whatever precautions they feel are necessary.
So, what was previously fairly black and white has become “50 Shades of Grey” – turning up the heat in security classification – but for very different reasons than the infamous book.
All of this means that creating risk appetite statements that make sense and can be translated into tangible precautions that people understand (and are able to implement) – is not always a simple task.
The introduction of the OFFICIAL classification replaced the old UNCLASSIFIED, PROTECT, RESTRICTED and CONFIDENTIAL markings, i.e. everything below SECRET. It is, therefore, a mixture of all of these old classifications, ranging from low sensitivity to high sensitivity – but not SECRET levels of sensitivity.
In the previous Protective Marking Scheme, the controls needed to protect RESTRICTED and CONFIDENTIAL information were prescriptive. Government policies, standards and Good Practice Guides all helped to define exactly how to protect information marked as RESTRICTED. There was little room for manoeuvre. Times have changed!
How sensitive is sensitive?
The sensitivity of information is ephemeral. It can change like the wind. It can depend not just on the written word on a piece of paper but the circumstances surrounding it. The draft for the next episode of Coronation Street is kept very close to the chest of those in the know, but eventually, it is broadcast to all and sundry. It only needs protection until it is published. The same can be said of most draft scripts and other documents.
The actors involved in TV shows realise that any compromise of the scripts they are given could jeopardise the whole series and ultimately their jobs. Does ITV produce masses of detailed processes and procedures regarding the technical, physical and procedural controls needed to protect scripts? No chance. They rely on the integrity and common sense of those they employ. The Government is just doing the same thing with the OFFICIAL classification.
50 Shades of Grey
Think of OFFICIAL as the colour grey: it can be nearly white and also nearly black. If white represents one end of the sensitivity scale and black the other, there are a multitude of different shades of sensitivity in between.
What shade is relevant at any single point in time depends on what needs to be done with the information (the business case) and who is doing it. As the shade of grey gets darker or lighter, common sense dictates that the precautions needed to handle it are increased or reduced respectively.
Ownership of risk
Central Government cannot hope to predict all the shades of grey covered by the OFFICIAL classification. It has, however, introduced a handling instruction OFFICIAL-SENSITIVE to help government agencies and departments make it clear when some OFFICIAL information is heading towards the darker shade of grey. It has not stated that OFFICIAL-SENSITIVE needs to be handled in a certain way.
The precautions applied to OFFICIAL-SENSITIVE are a matter for individual agencies and departments to determine as they are the ones that understand the nature of the sensitivity and their own business demands. For example, to help clarify requirements for their suppliers, MOD has issued a couple of guidance documents for industry, in the form of Industry Security Notices (ISNs):
- ISN 2023/04: Electronic Movement of OFFICIAL-SENSITIVE MOD Identifiable Information;
- ISN 2022/10: Remote working with MOD Material;
- ISN 2020/07: Encryption of MODII at rest.
It is important to note that OFFICIAL-SENSITIVE is a handling instruction for OFFICIAL information – and not an actual classification itself.
Is all OFFICIAL-SENSITIVE the same?
Absolutely not. It can cover a huge range of the grey spectrum – from a little sensitive, to protect a privacy requirement, to something verging on SECRET but not quite SECRET! So, the precautions needed to protect the information also have to be applied on an appropriate scale. That's why there is no such thing as a generic set of precautions to protect OFFICIAL-SENSITIVE. The range is too big and the risk appetites of different departments too diverse.
All this is the reason why systems on G-Cloud are no longer accredited by the Pan Government Accreditor. A central accreditor cannot decide where every department's shade of OFFICIAL / OFFICIAL-SENSITIVE is positioned on the grey spectrum. It is up to individual departments to decide and to select precautions that meet their own levels of risk appetite.
Ascentor can help!
We have experience in putting together risk appetite statements that really help people understand where different types of information fit on the sensitivity scale. We can help explain risks in a way that people understand. We can help identify the sensible precautions that are sufficiently flexible to allow choices to be made so that the business can still function. We can help people make common sense decisions about the information they are responsible for looking after.
In a nutshell, we can help you find exactly the right shade of grey for your information.
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about cyber security and information assurance issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter and following us on LinkedIn and Twitter.
If you’d like to discuss how our consultants could advise on any aspect of cyber security, please contact Dave James at Ascentor.