Part 1 of 3. This is the first in a series of blog articles where Ascentor discusses some of the recent UK Government Information Assurance changes – and what they mean for you. Written to be concise, they explain the essential “need-to-know” facts and implications with links to read further should you wish.
To start the series, we look at:
- The Government Security Classifications (GSC) system replacing the Protective Marking Scheme
- HMG IA Standard Numbers 1 and 2 – Risk Assessment Changes
- Abuse of Impact Levels
The Government Security Classifications (GSC) system
What’s changed?
The UK Government Protective Marking Scheme (GPMS) was replaced with the new Government Security Classifications (GSC) system on the 2nd April 2014. The old categories were reduced to just TOP SECRET, SECRET and OFFICIAL.
The introduction of the new OFFICIAL classification brings the biggest change. This classification replaces everything below the SECRET level, meaning that the old UNCLASSIFIED, PROTECT, RESTRICTED and CONFIDENTIAL levels have disappeared.
So, with just three new classifications, shouldn’t things be clearer now? Not quite. There’s a handling instruction within the OFFICIAL classification called OFFICIAL-SENSITIVE for information that, as the name suggests, is leaning towards higher sensitivity and potential impact of loss. But just how sensitive?
Why do you need to know?
There is a risk that agencies and companies may not understand where their information sits on the sensitivity scale, leading to misclassification and greater exposure to risk.
The new system is not as prescriptive as the old Protective Marking Scheme and the handling requirements for OFFICIAL are now a matter for individual organisations to decide.
The trouble is that OFFICIAL covers a huge range of different sensitivities, from only slightly sensitive to just below, but not quite, SECRET. It’s not as “black and white” as it used to be – we think it’s more “50 Shades of Grey”.
How do you get further information?
This topic is discussed in further detail on the Ascentor blog in the article – Could the new OFFICIAL classification be your “50 Shades of Grey”?
HMG IA Standard Numbers 1 and 2 – Risk Assessment Changes
What’s changed?
Compliance with HMG IA Standard Numbers 1 and 2 – Information Risk Management (IAS 1&2) is no longer a mandatory requirement for government departments.
IAS 1&2 consists of two separate documents:
- 20 Risk Management Requirements (RMRs) that form mandatory policy on the management of information risk that all government departments had to follow.
- Technical Risk Assessment and Risk Treatment Supplement that defined the mandated methodology to follow.
Government departments can now determine their own approach to information risk management based on their specific business requirements and risks. They may choose to use the methodology defined in the IAS 1&2 supplement, but the major change is that they do not have to.
Why do you need to know?
The requirement for assessing information risks in a structured way has not suddenly disappeared. All government departments are still required to meet the Security Outcomes defined in the Security Policy Framework (SPF – April 2014), which stipulate that they will have:
- A mature understanding of the security risks throughout the organisation and, where appropriate, this will be informed by the National Technical Authorities.
- A clearly communicated set of security policies and procedures, which reflect business objectives to support good risk management.
- Mechanisms and trained specialists to analyse threats, vulnerabilities and potential impacts, which are associated with business activities.
- Arrangements to determine and apply cost-effective security controls to mitigate the identified risks within agreed appetites.
- Assurance processes to make sure that mitigations are, and remain, effective.
So, information risk management is still a requirement, but how it is achieved is down to individual organisations. Choosing the most appropriate method can be tricky and may not always be necessary. CESG’s latest advice is for organisations to select one of three methods:
- Trust security statements made by suppliers.
- Implement common solutions to common problems.
- Conduct a bespoke risk assessment selecting a methodology that most suits the business need.
How do you get further information?
This topic is discussed in further detail on the Ascentor blog article “The Demise of IS1 & 2 – Are Risk Assessments Really Worth the Effort?”
Abuse of Impact Levels
What’s changed?
The IAS 1&2 Supplement includes a set of tables for measuring different levels of impact on a scale of 0-6. Now that organisations are no longer required to follow the methodology defined in the standard, there is the misconception that measurement of impact in a risk assessment is also not required. This is not true.
Why do you need to know?
Impact remains a critical component of any risk assessment, and using different impact levels (ILs) as a means of measurement remains perfectly valid. However, the impact levels defined in the IAS 1&2 Supplement were often misinterpreted and misused. One such example is that they were used to indicate a certain level of security, with the implication that, for example, an “IL3 system” was secure enough to protect Restricted data – which is not correct. You may have seen phrases like:
“It is an IL3 system”
“It must be accredited to IL2,3,4”
Impact is just one component of risk, albeit a very important one. There are others to consider, such as asset value, threat and likelihood. Reliance on a single IL as a means of expressing security risk misses the point entirely.
Organisations should still consider impact levels as part of a risk assessment process but be aware that impact is just one element that needs to be considered. Those that opt to continue to use the methodology defined in IAS 1&2 Supplement should take particular care not to use ILs as a means of conveying risk or security requirements.
How do you get further information?
The Ascentor blog provides further insight into the problems surrounding the use of impact levels and suggests how the problem can be addressed: What is “IL3” and why are so many searching for it?
Coming soon in Part 2:
We will be looking at the following changes in the next edition of “Cutting through the confusion: Government Information Assurance changes explained”.
- Adoption of Cyber Essentials (CE)
- Adoption of the MOD cyber security model
- Changes to the PSN compliance process
For further information:
If you have found this article interesting, the Ascentor blog regularly carries articles about cyber security and information assurance issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter and following us on LinkedIn and Twitter.
If you’d like to discuss how our consultants could advise on any aspect of cyber security, please contact Dave James at Ascentor.