8 May 2014
The Government Security Classifications policy, which came into force in April 2014, is the scheme for classifying sensitive information handled by the UK government.
It was introduced to ensure that government information is appropriately protected, and it applies to all information that government collects, stores, generates or shares.
The scheme, which replaced the Government Protective Marking Scheme, is intended for all government bodies, and those bodies are required to implement it. Organisations in the government's supply chain are also expected to have staff who are trained to understand the classifications, what they mean, and what handling they demand.
Information is classified at one of three levels: 'Official', 'Secret' or 'Top Secret'. 'Official-Sensitive' is not a fourth level but a handling caveat applied to the subset of Official information whose compromise would be more damaging and which therefore has to be held on a need-to-know basis. 'Official' covers most routine public-sector business. It is not risk-free: it still has to be protected against everyday threats such as commodity malware and opportunistic attackers, but at the level of control a well-run commercial organisation would already recognise.
In a corporate world
Larger corporates, in financial services in particular, are looking at putting in place a classification scheme of their own.
Organisations now have to behave in a more secure way. They are dealing with the growth of open systems and with more personal devices being used for business.
Going back 15 years, corporates had much simpler systems than they have now. Information was used and processed in more structured environments, and it was quite easy to work out what a piece of information was, where it should be, and who should have access to it. As time has gone on, that certainty has disappeared from most of the ways information is now shared and used.
It's not unusual now for two organisations to work together on a shared SharePoint site. The requirement is therefore to understand what information you hold, what it is worth, and who should be able to access it.
The descriptors and labels being applied to government data are the sort of thing corporates will put into their own labelling policy. Corporates rarely hold anything equivalent to the levels above 'Official'. They will probably end up with three or four labels, plus further descriptors, once the policy has been tailored to the organisation's own needs.
Applying the system
Data classification tools give businesses the ability to put a label on documents. The label is visible, so when you open the document you see it, and it also goes into the document's metadata, where a range of other tools can read it to make decisions: Can this email be shared with other people? Can it go outside the organisation? Should it be encrypted when it is stored? Is it non-business?
There are all sorts of speed bumps and checks a system can apply to stop you making a mistake. It is important to remember that classification schemes, and the tools and software that apply them, will not stop an external attacker retrieving information; they are not a perimeter control. But most data loss is simple error, such as an email being sent to the wrong person, and that is what they address.
One of the biggest problems with a labelling scheme is that organisations need to know what the label is supposed to make happen. A manual process, such as writing or stamping a marking on a document (think of the traditional 'top secret' stamp), can work in the intelligence community, where people take that kind of thing very seriously: if military staff walk into a room and see a file stamped top secret, they walk out, because they are not supposed to be in the room with it. In the corporate world that does not work. Besides, 99 per cent of communications today are electronic.
A data-loss prevention (DLP) tool scans information moving around the organisation and trying to leave it, and makes decisions based on rules that you, as management, have put together. Because the tool is inferring sensitivity from content, a great deal of manual checking is needed for anything it flags.
When you integrate a data classification system with a labelling policy, the DLP tool can act on the label the author applied rather than guessing from the content, and the number of false positives drops significantly. The user deals with the information appropriately because they own it: they understand the context and the consequences.
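As an added illustration of the two preceding points (the label in the metadata driving handling decisions, and a label-aware rule producing fewer false positives than a content-only DLP rule), the following is example code written for this page, not Boldon James' product. The label names, the X-Classification header, the domains and the sample messages are all assumed or constructed; a real deployment would take the label from whatever metadata field its own tooling writes.

```python
"""Outbound-mail handling driven by a classification label carried in message
metadata, side by side with a purely content-based DLP rule.

Added example for this article, not vendor code. The label scheme, the
X-Classification header, the domains and the sample messages are assumed."""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Assumed corporate scheme, least to most sensitive.
LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED"]
LABEL_HEADER = "X-Classification"          # assumed header written by the labelling tool
OWN_DOMAINS = {"example.com"}              # assumed: the organisation itself
PARTNER_DOMAINS = {"partner.example.org"}  # assumed: an approved external collaborator


def parse(raw: str) -> Message:
    return message_from_string(raw)


def label_of(msg: Message):
    """The label the author applied, or None if absent or not a known level."""
    value = (msg.get(LABEL_HEADER) or "").strip().upper()
    return value if value in LEVELS else None


def recipients(msg: Message):
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", []))
    return [addr.lower() for _, addr in pairs if addr]


def external_recipients(msg: Message):
    return [r for r in recipients(msg) if r.rsplit("@", 1)[-1] not in OWN_DOMAINS]


def decide_by_label(msg: Message) -> dict:
    """Policy keyed on the author's label: allow or block, and whether to encrypt."""
    label = label_of(msg)
    external = external_recipients(msg)
    unapproved = [r for r in external if r.rsplit("@", 1)[-1] not in PARTNER_DOMAINS]
    if label is None:
        return {"action": "block", "encrypt": False, "reason": "unlabelled: author must classify first"}
    if label == "PUBLIC":
        return {"action": "allow", "encrypt": False, "reason": "public information"}
    if label == "INTERNAL":
        if external:
            return {"action": "block", "encrypt": False, "reason": f"INTERNAL to external {external}"}
        return {"action": "allow", "encrypt": False, "reason": "internal recipients only"}
    if label == "CONFIDENTIAL":
        if unapproved:
            return {"action": "block", "encrypt": False, "reason": f"CONFIDENTIAL to non-partner {unapproved}"}
        return {"action": "allow", "encrypt": True, "reason": "confidential: encrypt in transit and at rest"}
    if external:  # RESTRICTED never leaves the organisation
        return {"action": "block", "encrypt": False, "reason": f"RESTRICTED to external {external}"}
    return {"action": "allow", "encrypt": True, "reason": "restricted: encrypt, internal only"}


# A pattern a content-only rule might use to spot payment-card numbers.
CARD_LIKE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")


def decide_by_content(msg: Message) -> dict:
    """Content-only DLP: there is no label to consult, so every hit goes to a human reviewer."""
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    hits = CARD_LIKE.findall(body)
    if hits and external_recipients(msg):
        return {"action": "hold", "reason": f"{len(hits)} card-like number(s) bound for an external address"}
    return {"action": "allow", "reason": "no pattern matched"}


# Constructed sample messages (not real traffic).
PRESS_RELEASE = """\
From: comms@example.com
To: desk@news.example.net
X-Classification: PUBLIC

New units carry a 16-digit serial in the form 1234 5678 9012 3456.
"""

BOARD_NOTE = """\
From: cfo@example.com
To: adviser@webmail.example.net
X-Classification: CONFIDENTIAL

Board view on the proposed acquisition attached. Do not circulate.
"""

PARTNER_NOTE = """\
From: eng@example.com
To: lead@partner.example.org
X-Classification: CONFIDENTIAL

Draft CAD files for the joint build are in the shared site.
"""

if __name__ == "__main__":
    for name, raw in [("press release", PRESS_RELEASE), ("board note", BOARD_NOTE), ("partner note", PARTNER_NOTE)]:
        m = parse(raw)
        print(f"{name}: label -> {decide_by_label(m)['action']}, content -> {decide_by_content(m)['action']}")
```

The press release is held for manual review by the content rule because a serial number happens to look like a card number, while the label rule lets it go; the board note contains nothing the content rule recognises but is blocked by its label; the partner note is allowed out with encryption because the label and recipient domain together satisfy the policy. The unlabelled case is deliberately a block rather than a default-allow, which is the check that pushes classification back to the person who knows the context.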
A data classification system must also go beyond communications. For a manufacturing business the intellectual property is in its CAD files, so the system has to cover different information types on different platforms, not just email.
Organisations can be extremely secure provided they have control over the technology being used and control over the end devices.
Post-delivery controls matter too. When an email is sent, a delivery receipt can be returned to both parties, but if the recipient then forwards it on, the sender loses all visibility of where the information has gone.
There will always be a trade-off between security and practicality and, generally, practicality wins. If staff are not trained and do not understand the value of the information, what they generally do is find a way of getting their job done, regardless of the consequences.
Classification is critical because, once the end user is involved in applying the label and understands what it means, fewer poor decisions are made.
Martin Sugden, chief executive, Boldon James