Government Departments and associated parties will need to change how their assets are classified from this April.
But provided classification is not used as the sole basis for governing risk, there is no reason why this cannot simply be handled as a form of change management, as Louise T. Dunne, Managing Director, Auriga, explains.
TOP SECRET documents only for perusal by those with the appropriate security clearance never fail to elicit a James Bond-esque thrill. Security classifications are synonymous with privilege, providing access on a ‘need to know’ basis. Yet Government assets will not ‘self-destruct in 60 seconds’ and need effective management from the cradle to the grave. An asset may even present a risk to the organisation if it falls into the wrong hands, which is why security classifications are often closely linked with risk management.
Security classifications remain as vital today as they were in Fleming’s day, providing an effective way to order, categorise and protect Government assets. But somewhere along the way, security classifications became somewhat disjointed. In addition to TOP SECRET, we have SECRET, CONFIDENTIAL, RESTRICTED, PROTECT and UNCLASSIFIED, and users are often confused as to how to differentiate between them. Moreover, an asset’s classification can change over the course of its lifetime as the value of the Government information it holds changes.
Clearly a rethink was needed to simplify the process, and in June 2012 provision was made in the Civil Service Reform Plan for a streamlined security classifications system. This would see the existing six tiers reduced to just three: TOP SECRET, SECRET and OFFICIAL. Dubbed the Government Security Classifications Policy (GSCP), the new three-tier system will come into effect in April 2014, making it easier for Government Departments, Agencies and their public sector suppliers to work with security classifications and thus to apply them more diligently. Yet the new system is causing widespread concern and consternation across the public sector. Why?
Information Mismanagement
The answer lies in that original complex array of six layers and a serious mismanagement of Information Security. Many organisations saw the existing protective marking system and the associated Business Impact Levels (ILs) as a quick risk management fix. By reading the two together, organisations reasoned it would be possible to demarcate risk without the need to carry out independent assessments. After all, the data hierarchy and the IL were both related to the risks posed to the organisation, so surely this made sense? There was a cost: tethering these strategies together led to rigidity and an inability to respond flexibly to emerging risks. But in the overall scheme of things, classification-driven risk ticked the right boxes… until the overhaul of the system and the launch of the GSCP.
GSCP is not a radical undertaking. The plans are for it to be gradually phased in and applied to new assets, making it essentially a form of transition and change management. It will replace old protective markings when information and other assets naturally reach end-of-life; this will be a generational change. By managing information as a life-cycle process, the GSCP has the potential to create far more effective and efficient working practices across Central Government and bring about the necessary cultural change and reform that the policy is helping to deliver as part of the Civil Service Reform Plan.
Clearly the GSCP is not a case of ‘out with the old and in with the new’ and any organisation which conducts security classifications correctly has little to fear. The problem comes for those that have used security classifications as the sole basis for risk management. Such organisations may well feel the labels have been ripped off and they don’t know where to start.
Substitution
The temptation is to substitute one set of labels for another. The GSCP will include ‘applicable threat profiles’ (much like those used in the private sector) which will be very useful in informing risk management thinking. Those Government Departments and Agencies reliant upon ILs will no doubt find the threat profile concept confusing, and the danger is that one set of criteria will simply be ‘swapped out’ for another rather than applied diligently and systematically, as they are meant to be. In many ways, public sector organisations will find it extremely difficult to make a straightforward swap. OFFICIAL assets, for instance, will not be labelled by default.
Security classifications alone will not be enough for Departments to employ an appropriate approach to risk management; consideration will also have to be given to, for example, business objectives, legal obligations, and social remit or operational requirements in order to provide the necessary context to support a truly informed risk-driven approach to management.
Transitioning to the GSCP should happen at all stages of the data lifecycle, from creation to realisation to cessation. By including all aspects of the data lifecycle when transitioning to the GSCP, its benefits can be further realised. Fundamentally this is about more effective risk management: organisations need to identify what is valuable and why, understand the associated risks, and employ appropriate and effective mitigations. Effective risk management is a complex business in which the GSCP is but one (admittedly very important) consideration, rather than classification alone determining how risk is managed.
What’s in a Name?
If good risk management is in place, GSCP should represent little more than a name change. Organisations which do conduct proper risk assessments and devise risk management strategies based upon the nuances of the organisation and its business objectives, much like in the private sector, will find GSCP easy to implement because it is viewed as standing alone as a method of security classification and access criteria.
Irrespective of previous misdemeanours, the GSCP presents a real opportunity to tackle risk management effectively. Security classifications and risk management policy, though interlinked, should never be synonymous. By distinguishing between security classifications and risk, management activities can become more responsive and agile, enabling the organisation to anticipate and counter threats more effectively. Truly capable risk management processes and practices are a fundamental aspect of the Government’s ICT, Cyber Security and Digital Strategies.
When all is said and done, a security classification label is finite, whereas risk is a constantly changing variable.
Louise T. Dunne is Managing Director of Auriga (www.aurigaconsulting.com), the data, ICT and security consultancy, a G-Cloud supplier with additional expertise in PSN Onboarding.
Louise can be contacted at: louise.dunne@aurigaconsulting.com
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.