Government Security Classification (GSC) Review - Update


1 Government Security Classification (GSC) Review - Update
Graham Gardiner and Gerard Oakes

2 Recap
- New GSC Policy issued to Government departments in Dec 12 (copy on DISA website)
- Part of the wider Civil Service Reform Plan
- Why Change? Current Government Protective Marking Scheme (GPMS) viewed as:
  - Misunderstood, misused and burdensome
  - Not geared to IT
  - Inconsistently applied
  - Providing a false level of assurance
- Timescales:
  - New GSC Policy announced in December 2012
  - Draft Controls Framework published in April 2013
  - Civil Service policy launch expected October 2013
  - Anticipated Go-Live date – 2 April 2014

3 The New Classifications
Going from 6 markings: TOP SECRET, SECRET, CONFIDENTIAL, RESTRICTED, PROTECT and UNCLASSIFIED
To 3 new classifications:
- OFFICIAL: The majority of information that is created or processed by the public sector. This includes routine business operations and services, some of which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened threat profile.
- SECRET: Very sensitive information that justifies heightened protective measures to defend against determined and highly capable threat actors. For example, where compromise could seriously damage military capabilities, international relations or the investigation of serious organised crime.
- TOP SECRET: HMG’s most sensitive information requiring the highest levels of protection from the most serious threats. For example, where compromise could cause widespread loss of life or else threaten the security or economic wellbeing of the country or friendly nations.

4 GSC – Key Points
- No direct mapping between GPMS and GSC – “jagged edge”
- No expectation to retrospectively re-grade historic or legacy material
- No UNCLASSIFIED – all information generated by HMG has value and thus needs protection
- Cabinet Office view that vast majority of information (90%) will sit in OFFICIAL
- Step change in measures from OFFICIAL to SECRET
- TOP SECRET – no change
- Only 3 Descriptors to be used if needed:
  - Personnel
  - Commercial
  - Limited Circulation
- Security Caveats (e.g. UK EYES ONLY) can be used at TOP SECRET and SECRET

5 Implementation
- Cabinet Office have agreed that MOD will take lead for Industry
- GSC Security Working Group (SWG) comprising MOD, Cabinet Office and following Industry Associations representation:
  - DISA (Graham Gardiner, Gerard Oakes)*
  - UKCEB (Hugh Fraser)*
  - ADMIE (Andy Thomas, Alex Graham)*
  - ADS (Mark Phillips)
  - Intellect (Gordon Morrison, Joe Taylor)
- Agreement that GSC SWG will be the sole route for communicating with Industry
- Working Group meets monthly to work on immediate concerns

6 Immediate Concerns
- Deterring wholesale migration of RESTRICTED to SECRET
- Delineation between OFFICIAL and OFFICIAL-SENSITIVE
- Agreeing the way forward for defence industry IT systems currently accredited to operate at CONFIDENTIAL High level only
- Technical controls to be applied to OFFICIAL / OFFICIAL-SENSITIVE IT systems
- Impact on international collaboration and information exchanges

7 Wholesale Migration of RESTRICTED to SECRET
- Risk mitigated in part by softening of original Cabinet Office stance (90% in the OFFICIAL category)
- Cabinet Office now acknowledge that MOD and some other Government Departments will have greater need to use OFFICIAL-SENSITIVE
- Procedural and technical controls to protect OFFICIAL-SENSITIVE have yet to be agreed but:
  - OFFICIAL-SENSITIVE information must be marked
  - A Descriptor can be added

8 Way Ahead on CONFIDENTIAL High IT Systems
- MOD anxious to validate record of industry IT systems accredited to process and store classified information at RESTRICTED/CONFIDENTIAL or CONFIDENTIAL only
- Intent is to issue Industry Security Notice (ISN) requesting companies to provide details of these systems
- Excludes SECRET or RESTRICTED systems
- Companies urged to respond accordingly
- General expectation that over time, i.e. at the next IT system refresh, CONFIDENTIAL IT systems will upgrade to the standard for SECRET systems
- Feedback from ISN request will inform review prioritisation
- Potential that review may conclude, under the new rules, that a CONFIDENTIAL system is now only processing OFFICIAL-SENSITIVE

9 OFFICIAL / OFFICIAL-SENSITIVE IT Systems Technical Controls
- CESG working on revised technical controls for SECRET and OFFICIAL / OFFICIAL-SENSITIVE IT systems
- Unclear when CESG proposals will be available
- IT Security requirements / accreditation standards for OFFICIAL-SENSITIVE and OFFICIAL IT systems driven by CESG proposals
- Expect no change on Day 1
- Accreditation requirements may differ depending on risk assessment of system processing OFFICIAL
- Could be mix of self accreditation, some form of ISO27001 certification or formal accreditation
- On-going review to determine potential plan for a common supplier assessment / assurance tool to determine risk level

10 International Collaboration / Information Exchanges
- Government has written to the National Security Authorities of 40 partner countries to inform them of the GSC changes
- Very few concerns raised by nations so far
- Some nations (US, Canada, Australia) pursuing similar reviews
- Intention is that ‘foreign’ CONFIDENTIAL will be protected as UK SECRET
- On-going discussions regarding ‘classification escalation’, legacy data and impact on foreign industry
- No change to information marked ‘RESTRICTED USML’ under Defence Trade Cooperation Treaty (DTCT)
  - Effectively seen as international classification

11 Contractual Aspects
- MOD DE&S Commercial will be making changes to DEFCONs as a consequence of GSC
- DEFCON 659 and 531 will be amended but not totally re-written
- ‘Contract notices’ will be promulgated to explain the changes
- New Projects will use revised documents and SALs / Grading Guides reflecting new classifications
- Arrangements and timescales for revising existing SALs / Grading Guides unclear at present

12 Awareness and Education
- Cabinet Office is producing a range of education and awareness materials:
  - Will be shared with Industry as well as government departments
  - CO have shared some material with MOD already and given dispensation to commence training staff
  - Industry seeking similar agreement to start training early
- Have had early sight of MOD training plan and material:
  - Posters
  - E-learning package
  - Guides
  - FAQs

13 DECS / DE&S Website
- Switched off in July 2013 without a replacement solution
- Intention was to eventually move to G-Cloud but timescales unknown
- MOD have a plan for interim solution that will provide a service for companies connected to RLI
- Expected to be in place in near future
- Currently no plans to introduce an interim electronic solution for companies who are not connected to the RLI
- MOD will rely on postal means until such time as an electronic solution is found
- Essential that companies keep contact information up to date with DE&S Security Advice Centre
- DISA has formally raised its concerns with Head of Defence Security and requested an early resolution

