Mark Brett IA Advisor May 2009 Introducing Protective Marking for Local Authority Use.

The Urban Myth
"I need a protective marking scheme for Government Connect CoCo."
The fact: on the contrary, compliance with the GCSX Code of Connection does not oblige an LA to adopt the Protective Marking system. The requirement is as follows: "Employees of the organisation who handle information carrying a protective marking of RESTRICTED MUST be made aware of the impact of loss of such material and the actions to take in the event of any loss." Source: CESG, April 2009

Part 1

The Approach
Step 1: Information Asset discovery.
Step 2: Determine Information Asset ownership.
Step 3: Classification of Information Assets.
Step 4: Evaluation of asset risk and value to determine the protective marking level.
Step 5: Deployment of the information asset protective marking within the scheme.

The Process Refined: the 5 D's
Discovery, Determination, Decision, Deployment, Destruction

Discovery
A trawl of Information Assets:
What assets exist?
What are their inputs / outputs?
What linkages exist?

Determination
Who owns the asset?
Who is responsible for the asset?
Who controls the asset?
Who can authorise the processing and disclosure?

Decision
What is the business impact level of the asset?
What is its Data Protection status?
Who is authorised to process the asset?
What protective measures are required?

Deployment
Where will the asset be created, stored and processed?
Will the asset be transmitted?
Will the asset be copied?
Will the asset be controlled?
Who will process it? Where? How?
What is the compliance/monitoring/audit regime?

Destruction
Who will authorise the destruction of the asset?
How will you know if all copies are destroyed?
Do you need to retain a copy for legal/compliance purposes?
How will you destroy the asset?

Part 2: A bit more detail

Stating the Obvious
If you don't mind it being in the local paper, on your website or in someone's blog, then it is UNCLASSIFIED or NOT PROTECTIVELY MARKED. Otherwise, consider PROTECT.
PROTECT is NOT a national security marking: "It should be noted that the PROTECT marking is a non-National Security marking." Source: (under mandatory green box 16)
MANDATORY REQUIREMENT 18: Departments and Agencies must ensure that non-HMG material which is marked to indicate sensitivity is handled at the equivalent level within the Protective Marking System, or where there is no equivalence, to the level offered by PROTECT as a minimum.

Do also consider
If the asset already has an external marking (PROTECT/RESTRICTED/CONFIDENTIAL etc.), you MUST handle the information according to that level of protection. We advise you to have an MOU in place with the owner of that asset to agree how you will handle it.

Still not sure?
If the asset has some strange marking, such as "Private and Confidential", "Commercial in confidence" or "Confidential – addressee only", assume you will treat it as PROTECT according to your own policies and procedures.

ADVICE and GUIDANCE

PROTECT – How to decide
Use the segmentation model:
DEFEND against a sophisticated attacker: the requirements needed to protect the very high value sovereign Public and Private Sector information and information systems.
DETECT and resist an attack from a sophisticated attacker: the requirements needed to protect high-value Public and Private Sector information and information systems.
DETER an attack from a skilled attacker: the requirements which support all valuable information and information system assets in the Public and Private Sectors.
AWARE of public domain threats and vulnerabilities: the requirement of small companies (fewer than 20 employees) and individual citizens.

The four Principles: Audit and Monitoring, Level of Protection, Basic Information Assurance Objectives and Access Control Requirements.
Impact Level to Segment: Impact Level 1: Aware; Impact Level 2: Deter; Impact Level 3: Deter.

The Assurance matrix Source: CESG IS1 Part 2 December p. D2

Threat Sources Source: CESG IS1 Part 1

Threat likelihood & Business Impact. Source: CESG IS1 Part 1

The business impact level (BIL)

PROTECT – What to do
MANDATORY REQUIREMENT 19: Departments and Agencies must apply the following baseline controls to all protectively marked material:
Access is granted on a genuine 'need to know' basis.
Assets must be clearly and conspicuously marked. Where this is not practical (for example, the asset is a building, computer etc.), staff must still have the appropriate personnel security control and be made aware of the protection and controls required.
Only the originator or designated owner can protectively mark an asset. Any change to the protective marking requires the originator's or designated owner's permission. If they cannot be traced, a marking may be changed, but only by consensus with other key recipients.
Assets sent overseas (including to UK posts) must be protected as indicated by the originator's marking and in accordance with any international agreement. Particular care must be taken to protect assets from foreign Freedom of Information legislation by use of national prefixes and caveats or special handling instructions.
No official record, held on any media, can be destroyed unless it has been formally reviewed for historical interest under the provisions of the Public Records Act.
A file, or group of protectively marked documents or assets, must carry the protective marking of the highest marked document or asset contained within it (e.g. a file containing CONFIDENTIAL and RESTRICTED material must be marked CONFIDENTIAL).
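The marking decisions in the slides above (publish-or-PROTECT, honouring an inbound marking at the equivalent level with PROTECT as the floor under Mandatory Requirement 18, and the highest-marking rule for files under Mandatory Requirement 19) expressed as a small decision routine. This is an added example, not code from the presentation or from CESG; the alias table for non-HMG markings is an assumption drawn from the "Still not sure?" slide.

```python
from typing import Iterable, Optional

# Marking hierarchy as the slides present it, least to most sensitive.
MARKINGS = ["NOT PROTECTIVELY MARKED", "PROTECT", "RESTRICTED", "CONFIDENTIAL"]
RANK = {m: i for i, m in enumerate(MARKINGS)}

# Informal or non-HMG markings seen on inbound assets. ASSUMED table, built from
# the "Still not sure?" slide, which says to treat such markings as PROTECT.
NON_HMG_ALIASES = {
    "UNCLASSIFIED": "NOT PROTECTIVELY MARKED",
    "PRIVATE AND CONFIDENTIAL": "PROTECT",
    "COMMERCIAL IN CONFIDENCE": "PROTECT",
    "CONFIDENTIAL - ADDRESSEE ONLY": "PROTECT",
}


def normalise_marking(label: Optional[str]) -> str:
    """Level an inbound asset must be handled at.

    HMG markings are honoured as-is (Mandatory Requirement 18: equivalent level);
    known non-HMG markings map via the alias table; anything else that is marked
    to indicate sensitivity floors to PROTECT, the minimum MR18 allows.
    """
    if label is None or not label.strip():
        return "NOT PROTECTIVELY MARKED"  # unmarked: nothing to honour
    key = " ".join(label.upper().replace("\u2013", "-").split())
    if key in RANK:
        return key
    return NON_HMG_ALIASES.get(key, "PROTECT")


def decide_marking(publishable: bool, external_label: Optional[str] = None) -> str:
    """'Stating the Obvious': material you would not mind seeing in the local
    paper is NOT PROTECTIVELY MARKED; otherwise consider PROTECT. An inbound
    marking is always honoured, so it can only raise the result."""
    floor = "NOT PROTECTIVELY MARKED" if publishable else "PROTECT"
    return max(floor, normalise_marking(external_label), key=RANK.__getitem__)


def file_marking(contents: Iterable[str]) -> str:
    """MR19: a file or group of assets carries the highest marking found within it."""
    levels = [normalise_marking(c) for c in contents]
    if not levels:
        return "NOT PROTECTIVELY MARKED"
    return max(levels, key=RANK.__getitem__)
```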

PROTECT level is "sensitive" but below RESTRICTED
Impact (SPF page 27). Criteria for assessing PROTECT (sub-national security marking) assets, where compromise would: cause distress to individuals; breach proper undertakings to maintain the confidence of information provided by third parties; breach statutory restrictions on the disclosure of information; cause financial loss or loss of earning potential, or facilitate improper gain or unfair advantage for individuals or companies; prejudice the investigation of, or facilitate the commission of, crime; disadvantage government in commercial or policy negotiations with others.
The compromise of assets classified PROTECT would be likely to: breach proper undertakings to maintain the confidence of information provided by third parties; breach statutory restrictions on disclosure of information; impede the effective development or operation of policies internal to the Department; cause financial loss or loss of earning potential to, or facilitate improper gain or advantage for, individuals and sole traders up to £1,000 or large companies up to £10,000; disadvantage government in commercial or policy negotiations with others, resulting in loss to the public sector of up to £10,000.
Examples: policy information; procurement tenders/contracts and correspondence.

Handling
Marking: print in bold capitals, same size as body text, centre top of each page (header) or in the subject line of an email, with an additional 'descriptor'.
Storage: physically protect by one barrier within a secure building, e.g. a locked container.
Disposal of papers: place in a designated 'secure disposal' waste bin, e.g. bins or sacks that must be locked when not in use.
Disposal/re-use of magnetic data storage, including removable electronic media: delete contents and re-use within the authority only. Media must be marked and treated as PROTECT. Deletion of information does not remove the associated protective marking. Can be destroyed by IT security if deemed appropriate (see Electronic Media Re-use and Disposal Security Policy).
Internal distribution: communications must be protectively marked as PROTECT and include a descriptor. Appropriate methods of internal distribution are: using GCMAIL; sealed envelope/polylope through internal post; sealed envelope/polylope delivered by hand.
Postage: send in a sealed envelope, by post, after confirming the correct full postal address including postcode. No protective marking is needed on the envelope.
Discussion by telephone or video conference: telephones can be used; caller identity must be confirmed; details should be kept to the minimum necessary.
Storage on the authority's IT systems: permitted.
Storage on removable electronic media: PROTECT information may be stored on encrypted removable media.
Email within GCSx: permitted.
Email outside GCSx (over the internet): information may be sent without additional protection, but confirm the address and keep sensitive details to a minimum.
Fax: a normal office fax may be used, but confirm the fax number and keep sensitive details to a minimum. Ensure the recipient is expecting and ready to receive.
Photocopying: permitted, but only make as many copies as you need and appropriately limit their distribution.
Working at home or when travelling: permitted following a security assessment, with the Senior Responsible Officer's approval and compliance with the above guidance. Note: only the authority's supplied computer equipment and peripherals are to be used; personal computer equipment and peripherals must not be used; ensure you cannot be overlooked if in public.

QUESTIONS?