Mark Brett IA Advisor May 2009 Introducing Protective Marking for Local Authority Use.


2 The Urban Myth: "I need protective marking schemes for Government Connect CoCo." The fact: on the contrary, compliance with the GCSX Code of Connection does not oblige an LA to adopt the Protective Marking system. The requirement is as follows: "Employees of the organisation who handle information carrying a protective marking of RESTRICTED MUST be made aware of the impact of loss of such material and the actions to take in the event of any loss." Source: CESG, April 2009

3 Part 1

4 The Approach
Step 1: Information Asset discovery.
Step 2: Determine Information Asset ownership.
Step 3: Classification of Information Assets.
Step 4: Evaluation of Asset risk and value to determine the protective marking level.
Step 5: Deployment of the information asset protective marking within the scheme.

5 The Process Refined: the 5 D's: Discovery, Determination, Decision, Deployment, Destruction

6 Discovery: a trawl of Information Assets
What assets exist?
What are their inputs / outputs?
What linkages exist?

7 Determination
Who owns the asset?
Who is responsible for the asset?
Who controls the asset?
Who can authorise the processing and disclosure?

8 Decision
What is the business impact level of the asset?
What is its Data Protection status?
Who is authorised to process the asset?
What protective measures are required?

9 Deployment
Where will the asset be created, stored and processed?
Will the asset be transmitted?
Will the asset be copied?
Will the asset be controlled?
Who will process it? Where? How?
What is the compliance/monitoring/audit regime?

10 Destruction
Who will authorise the destruction of the asset?
How will you know if all copies are destroyed?
Do you need to retain a copy for legal/compliance purposes?
How will you destroy the asset?

11 Part 2: A bit more detail

13 Stating the Obvious
If you don't mind it being in the local paper, on your website or in someone's blog, then it is UNCLASSIFIED or NOT PROTECTIVELY MARKED. Otherwise consider PROTECT.
PROTECT is NOT a national security marking: "It should be noted that the PROTECT marking is a non-National Security marking." Source: http://www.cabinetoffice.gov.uk/spf/sp2_pmac.aspx (under mandatory requirement green box 16)
MANDATORY REQUIREMENT 18: Departments and Agencies must ensure that non-HMG material which is marked to indicate sensitivity is handled at the equivalent level within the Protective Marking System, or where there is no equivalence, to the level offered by PROTECT as a minimum.

14 Do also consider: if the asset already has an external marking (PROTECT, RESTRICTED, CONFIDENTIAL, etc.), you MUST handle the information according to that level of protection. We advise you have an MOU in place with the owner of that asset to agree how you will handle it.

15 Still not sure? If the asset has some strange marking, such as:
Private and Confidential
Commercial in confidence
Confidential - addressee only
assume you'll treat it as PROTECT according to your own policies and procedures.

16 ADVICE and GUIDANCE

17 PROTECT - How to decide: use the segmentation model
DEFEND against a sophisticated attacker - the requirements needed to protect the very high value sovereign Public and Private Sector information and information systems;
DETECT and resist an attack from a sophisticated attacker - the requirements needed to protect high-value Public and Private Sector information and information systems;
DETER an attack from a skilled attacker - the requirements which support all valuable information and information system assets in the Public and Private Sectors;
AWARE of public domain threats and vulnerabilities - the requirement of small companies (less than 20 employees) and individual citizens.

18 The four Principles: Audit and Monitoring, Level of Protection, Basic Information Assurance Objectives and Access Control Requirements.
Impact Level to Segment mapping: Impact Level 1 - Aware; Impact Level 2 - Deter; Impact Level 3 - Deter.

21 The Assurance matrix Source: CESG IS1 Part 2 December 2008 3.4 p. D2

22 Threat Sources Source: CESG IS1 Part 1

23 Threat likelihood & Business Impact. Source: CESG IS1 Part 1

24 The business impact level (BIL)

26 PROTECT - What to do
MANDATORY REQUIREMENT 19: Departments and Agencies must apply the following baseline controls to all protectively marked material:
Access is granted on a genuine 'need to know' basis.
Assets must be clearly and conspicuously marked. Where this is not practical (for example the asset is a building, computer etc.) staff must still have the appropriate personnel security control and be made aware of the protection and controls required.
Only the originator or designated owner can protectively mark an asset. Any change to the protective marking requires the originator or designated owner's permission. If they cannot be traced, a marking may be changed, but only by consensus with other key recipients.
Assets sent overseas (including to UK posts) must be protected as indicated by the originator's marking and in accordance with any international agreement. Particular care must be taken to protect assets from foreign Freedom of Information legislation by use of national prefixes and caveats or special handling instructions.
No official record, held on any media, can be destroyed unless it has been formally reviewed for historical interest under the provisions of the Public Records Act.
A file, or group of protectively marked documents or assets, must carry the protective marking of the highest marked document or asset contained within it (e.g. a file containing CONFIDENTIAL and RESTRICTED material must be marked CONFIDENTIAL).

27 PROTECT level is "sensitive" but below RESTRICTED
Impact (SPF page 27). Criteria for assessing PROTECT (sub-national security marking) assets; compromise would:
cause distress to individuals;
breach proper undertakings to maintain the confidence of information provided by third parties;
breach statutory restrictions on the disclosure of information;
cause financial loss or loss of earning potential, or facilitate improper gain;
give unfair advantage to individuals or companies;
prejudice the investigation or facilitate the commission of crime;
disadvantage government in commercial or policy negotiations with others.
The compromise of assets classified PROTECT would be likely to:
breach proper undertakings to maintain the confidence of information provided by third parties;
breach statutory restrictions on disclosure of information;
impede the effective development or operation of policies internal to the Department;
cause financial loss or loss of earning potential to, or facilitate improper gain or advantage for, individuals and sole traders up to £1,000 or large companies up to £10,000;
disadvantage government in commercial or policy negotiations with others resulting in loss to the public sector of up to £10,000.
Examples: policy information; procurement tenders/contracts and correspondence.

28 Handling
Marking: Print in bold capitals, same size as body text, centre top of each page (header) or subject line of an email, with additional 'descriptor'.
Storage: Physically protect by one barrier within a secure building, e.g. a locked container.
Disposal of papers: Place in a designated 'secure disposal' waste bin, e.g. bins or sacks that must be locked when not in use.
Disposal/re-use of magnetic data storage, including removable electronic media: Delete contents and re-use within the authority only. Media must be marked and treated as PROTECT. Deletion of information does not remove the associated protective marking. Can be destroyed by IT security if deemed appropriate (see Electronic Media Re-use and Disposal Security Policy).
Internal distribution: Communications must be protectively marked as PROTECT and include a descriptor. Appropriate methods of internal distribution are: using GCMAIL email; sealed envelope / polylope through internal post; sealed envelope / polylope delivered by hand.
Postage: Send in a sealed envelope, by post, after confirming the correct full postal address including post code. No protective marking is needed on the envelope.
Discussion by telephone or video conference: Telephones can be used. Caller identity must be confirmed. Details should be kept to the minimum necessary.
Storage on the authority's IT systems: Permitted.
Storage on removable electronic media: PROTECT information may be stored on encrypted removable media.
Email within GCSx: Permitted.
Email outside GCSx (over the internet): Information may be sent without additional protection, but confirm the email address and keep sensitive details to a minimum.
Fax: Normal office fax may be used, but confirm the fax number and keep sensitive details to a minimum. Ensure the recipient is expecting and ready to receive.
Photocopying: Permitted, but only make as many copies as you need and appropriately limit their distribution.
Working at home or when travelling: Permitted following security assessment, with the Senior Responsible Officer's approval and compliance with the above guidance. Note:
only the authority's supplied computer equipment and peripherals are to be used;
personal computer equipment and peripherals must not be used;
ensure you cannot be overlooked if in public.

29 QUESTIONS? www.idea.gov.uk/datahandling Mark.brett@lga.gov.uk
