Guest post from Tony Richards, Head of Security and Accreditation for G-Cloud.
From 2nd April 2014, the UK government is changing the way that it classifies and protects its information. There will be a simplified approach going forward, with just three levels of security classification: OFFICIAL, SECRET and TOP SECRET. The new policy, controls framework and related guidance have already been published here.
Security classifications indicate the sensitivity of information and the need to defend against a broad range of threats to it. Each classification will attract a range of security controls appropriate for managing the information risks involved. There is no direct mapping from the old Government Protective Marking Scheme (GPMS) to the new classifications.
What is OFFICIAL?
The public sector holds a very wide range of information and delivers many different services, but many of the risks to that information are broadly similar. The majority of information related to public sector business, operations and services can be managed as OFFICIAL, including most policy development, service delivery, contracts, statistics and administrative data.
In general terms, information assets that were previously classified up to and including RESTRICTED should be managed at OFFICIAL, and where information was over-marked at CONFIDENTIAL it may be appropriate to manage it as OFFICIAL too.
How does this affect G-Cloud and the CloudStore? The G-Cloud 5 Framework (G5), which opened for submission on the 25th February 2014, still refers to the older system (e.g. IL2 and IL3). However, this will be a transition period while we develop a new approach that is better aligned to OFFICIAL and clearer about our expectations of cloud services.
When the new classifications go live, buyers will be looking for services that can be used with OFFICIAL data and not for Impact Level 2 or 3. We will be advising Government buyers to really think about their security requirements and to use the Classification Policy Controls Framework and the Cloud Security Principles as the basis for their decision-making.
What is happening to Business Impact Levels (BILs)?
BILs were originally conceived as a means of normalising and articulating the output of an impact assessment in the course of an overall technical risk assessment. However, BILs have been widely misused beyond their intended purpose, which has led to negative outcomes.
There is no longer any mandatory or policy requirement for the use of BILs. A security professional may still refer to the BIL tables in IS1&2 in the course of a comprehensive technical risk assessment, but BILs should never be used as a label for accreditation or level of security, or as a proxy for specifying contractual security requirements.
We’ll be writing further posts in the run-up to G-Cloud 6 to help with this transition, explaining what it means for you and what the new process for getting an OFFICIAL status will be.