
Classifications policy warning

by Mark Rowe

Many Government departments, agencies and associated suppliers are unprepared for the Government Security Classifications Policy (GSCP), due to come into force in April. So warns an IT security consultancy.

The GSCP requires newly created or amended data to be categorised under three new tiers in an official effort to simplify data classification and protection. A number of CESG Information Assurance Notices (CIAN) and CESG Information Assurance Top Tips (CIATT) which were due to be issued to help with implementation, as well as revisions to Baseline Security Objectives (BSO), have yet to emerge, warns Auriga Consulting Ltd.

Auriga says that it has developed the GSCP Transition Service to advise on how to navigate the transition, a process which is liable to be far more complex than many anticipate, the IT firm says, as it will take in adjustments to data storage and risk management.

About the Government Security Classifications Policy

The GSCP is part of the Civil Service Reform Plan and was devised to reduce the complexity and costs of sharing and protecting data. The current Government Protective Marking System (GPMS) will be superseded by GSCP, with the six tiers of TOP SECRET, SECRET, CONFIDENTIAL, RESTRICTED, PROTECT and UNCLASSIFIED due to be replaced by TOP SECRET, SECRET and OFFICIAL. Government departments and agencies are obliged to apply the policy and ensure that consistent controls are implemented throughout their public sector delivery partners (that is, NDPBs and ‘Arm’s Length Bodies’) and wider supply chain. Users are personally accountable for safeguarding marked assets in line with the policy.

According to the authorities, GSCP will streamline the classification process, with up to 80 percent of data expected to be classified under the lowest OFFICIAL tier. There is also no requirement to mark routine OFFICIAL data. Legacy data can continue to be stored and classified under the previous GPMS system unless it is amended or incorporated into another data set. HMG departments, agencies and their suppliers must therefore accommodate both the new and legacy marking systems and seek to develop any risk management processes that were reliant upon the classification system to assign risk.

Louise T Dunne, Managing Director, Auriga, says: “Data classification is just the tip of the iceberg; we must address the management processes that lurk beneath the waterline. HMG departments, agencies and suppliers will need to ensure data management is robust enough to accommodate both classification systems for some time to come and that means unpicking mistakes. Regrettably many have been ill advised in the past and have relied upon prescribed Impact Levels to determine information assessments. Consequently, what should have been a relatively simple transition to a new scheme can become a complete overhaul of the data management process.

“Recognising the need for guidance we have developed the GSCP Transition Service which enables public and private sector organisations to address baseline procedures and accommodate changes in classification once and for all, helping to resolve and overcome a legacy of data management issues and embed scalability.” Visit www.aurigaconsulting.com

© 2024 Professional Security Magazine. All rights reserved.