Doubts exist about new GSC security labelling scheme

It is said to be, in many ways, a good simplification of the old GPMS system that will help take it into business markets as well as Government, but it has some weak-spots that will not help improve security in some areas

  • 10 years ago Posted in

The parallels that are appearing between what Governments require in the way they manage and secure their data and what businesses require in managing data are very clear to see, and the solutions required are now increasingly the same.

The latest instance of this is to be seen with the new Government Security Classification (GSC) structure which comes into force next week. This replaces the outdated, six-level Government Protective Marking Scheme (GPMS), with three new marking classification levels; Official, Secret, and Top Secret.

All UK Government and public sector organisations must currently comply with the Government Security Policy Framework, which requires the use of security classifications to all government information assets including emails, electronic and paper documents, as well as database records. 

Though intended specifically for use by departments in central and local government, as well as the agencies that provide them services, interest in the new, simplified classification structure is already growing in many sectors of business and commerce, according to the CEO of Boldon-James, Martin Sugden. He estimates that within two years, his company’s business will be roughly divided equally between government and business sales.

Boldon James, now part of the QinetiQ group, specialises in producing data classification and secure messaging solutions.

The new classification divides information into three broad categories, and just about every document (in the widest sense of that word) can fit into one of them. According to Sugden the change will make the system easier to work with, though it will create short-term difficulties for those currently used to defining the security of documents across six bands.

“For example, what was `restricted’ is now classified as `official sensitive’,” he said, noting the fact that this does rather make the three-band system a three-and-a-half band system in practice.

He did observe that there are still what he would consider to be weaknesses with the new classifications. For example there is no classification for those documents that are official, but are required to be as widely disseminated as possible.

“It is possible that a document can be left unmarked because it is intended for the public domain and should not be marked, or left unmarked because it should have been marked, but was sent to a recipient through some `other route’. There is no equivalent of a page that has `this page intentionally left blank’ written on it,” he observed.

By the same token there seems to be something of a weakness in the ability of the classification approach to build audit trails of what happens to a document.

“There is no necessity to do this automatically,” Sugden said. “For instance, if you take a confidential, ITIL-related document, a trading document of some kind, most companies that receive those have to keep a record of where that document is within their organisation. Often that is a manual process. The intelligence community, or the MoD, would have something that stops something that is appropriately marked and shouldn’t go across the mountain from going across the mountain. But there are still lots of areas where this type of technology is not properly implemented.

“Lots of local authorities haven’t put in automated tools. We haven’t seen too many starting to use either the labelling of documents or cloud-based solutions. What’s happening is shortage of funds,” he added.

In practice, austerity measures mean that no extra funding is being made available to implement the new classification processes, either in the form of training for staff expected to handle the new classifications or the technologies that could automate many of the processes. It could be argued, of course, that this rather negates the investment made in developing the new classification in the first place, especially as local authorities are certainly organisations that could make good use of it.

“So while some of the local authorities won’t be doing this is a bit of a negative, there will be a very [good] market in the commercial space,” he said. “The biggest take up at the moment is in the financial services industry. It is also embedded in ISO 27001. And it is possible for a company to build a classification labelling policy that suits its particular business. They can take our product and build it to meet their particular requirements.

“The commercial world comes at the labelling issue from a different perspective. They don’t come from a security perspective but one of `what is best for my business’. And staff  understand what the labels mean and respect them. It also helps in managing expenses such as archiving costs, because if you know that only 10 percent of your data is of the highest secrecy ranking, that can mean 90 percent of your data can go into lower cost cloud storage.”

Talent and training partner, mthree, which supports major global tech, banking, and business...
On average, only 48% of digital initiatives meet or exceed business outcome targets, according to...
GPUaaS provides customers on-demand access to powerful accelerated resources for AI, machine...
TMF Group, a leading provider of critical administrative services for global businesses, turned to...
Strengthening its cloud credentials as part of its mission to champion the broader UK tech sector...
Nearly all UK IT managers surveyed (98%) state cloud investment is an organisational priority for...
LetsGetChecked is a global healthcare solutions company that provides the tools to manage health...
Node4 to the rescue.