Government Security Classifications Policy

The Government Security Classifications Policy (GSCP) is a system for classifying sensitive government data in the United Kingdom.

GPMS

Historically, the Government Protective Marking Scheme was used by government bodies in the UK; it divides data into UNCLASSIFIED, PROTECT, RESTRICTED, CONFIDENTIAL, SECRET and TOP SECRET. This system was designed for paper-based records; it is not easily adapted to modern government work and is not widely understood. [1]

Current classifications

[Figure: Government Security Classifications Policy diagram] The criteria for classifications are being adjusted too, so there is not always a perfect map from layer to layer.

The GSCP uses three levels of classification: OFFICIAL, SECRET and TOP SECRET. [2] This is simpler than the old model and there is no direct relationship between the old and new classifications. "Unclassified" is deliberately omitted from the new model. Government bodies are not expected to automatically remark existing data, so there may be cases where organisations working under the new system still handle some data marked according to the old system.

Information Asset Owners continue to be responsible for information. The new policy does not specify particular IT security requirements – IT systems should be built and used in accordance with existing guidance from CESG. [3]

Everybody who works with government – including contractors and suppliers – is responsible for protecting information they work with, regardless of whether it has a protective marking.

Aggregation does not automatically trigger an increase in protective marking. For instance, a database with thousands of records which are individually OFFICIAL should not be relabeled as a SECRET database. Instead, information owners are expected to make decisions about controls based on a risk assessment, and should consider what the aggregated information is, who needs to access it, and how.

OFFICIAL

OFFICIAL includes most public-sector data, including a wide range of information on day-to-day government business. It is not subject to any special risks. Personal data would usually be OFFICIAL. [4] The data should be protected by controls based on commercial best practice instead of expensive, difficult specialist technology and bureaucracy. There is no requirement to mark every document as "OFFICIAL" – it is understood that this is the default for government documents. [5]

Organisations may add "descriptors" to highlight particular types of official data, for instance commercially sensitive information about contracts, or diplomatic data which should not be seen by locally hired embassy staff. These descriptors do not automatically require special controls. "OFFICIAL" will usually include the kinds of data that were previously UNCLASSIFIED, RESTRICTED, or CONFIDENTIAL; but this may vary.

The threat model for OFFICIAL data is similar to that of a typical large private-sector organisation; it anticipates that individual hackers, pressure groups, criminals, and investigative journalists might attempt to get information. The threat model does not guarantee protection against very persistent and skilled attacks, for instance by organised crime groups or by foreign governments; these are possible, but normal controls would make them more difficult, and much stronger controls would be disproportionate. People with routine access to OFFICIAL information should be subject to BPSS screening.

OFFICIAL may include data which is subject to separate regulatory requirements, such as the Data Protection Act (personal data) or PCI DSS (card payments).

OFFICIAL-SENSITIVE

OFFICIAL-SENSITIVE is an additional caveat for OFFICIAL data where it is particularly important to enforce need-to-know rules. OFFICIAL-SENSITIVE documents should be marked, but they are not necessarily tracked.

It is not a classification. [6] 'Sensitive' is a handling caveat for a small subset of information marked OFFICIAL that requires special handling by staff.

SECRET

"Very sensitive information", which might (for example) seriously harm national defence or crime investigations. Data should only be marked as SECRET if the Senior Information Risk Owner (which is a board level position in an organisation) agrees that it is high-impact and that the data must be protected against very capable attackers. Although some specialist technology might be used to protect the data, there is still strong emphasis on reuse of commercial security tools.

SECRET is a big step up from OFFICIAL; government bodies are warned against being overcautious and applying much stricter rules when OFFICIAL would be sufficient.

People with routine access to SECRET information should usually have SC clearance. SECRET data may often be exempt from FOIA disclosure.

TOP SECRET

Data with exceptionally high impact levels; compromise would have very serious impacts – for instance, many deaths. This requires an extremely high level of protection, and controls are expected to be similar to those used on existing "Top Secret" data, including CESG-approved products. Very little risk can be tolerated in TOP SECRET, although no activity is completely risk-free. [7]

People with routine access to TOP SECRET information should usually have DV clearance. TOP SECRET information is assumed to be exempt from FOIA disclosure. Disclosure of such information is assumed to be above the threshold for Official Secrets Act prosecution. [8]

Special handling instructions

Special handling instructions are additional markings which are used in conjunction with a classification marking to indicate the nature or source of its content, limit access to designated groups, and/or signify the need for enhanced handling measures. In addition to a paragraph near the start of the document, special handling instructions include Descriptors, Codewords, Prefixes and national caveats. [2]

Descriptors

A DESCRIPTOR is used with the security classification to identify certain categories of sensitive information and indicates the need for common-sense precautions to limit access. The normal descriptors are 'COMMERCIAL', 'LOCSEN' and 'PERSONAL'. [2]

Codewords

A Codeword is a single word expressed in CAPITAL letters that follows the security classification to provide security cover for a particular asset or event. Codewords are usually only applied to SECRET and TOP SECRET assets. [2]

Prefixes and national caveats

The UK prefix is added to the security classification of all assets sent to foreign governments or international organisations. This prefix designates the UK as the originating country and indicates that the British Government should be consulted before any possible disclosure. [2]

National caveats follow the security classification. Unless explicitly named, information bearing a national caveat is not sent to foreign governments, overseas contractors or international organisations, or released to any foreign nationals. [2] Example:

'TOP SECRET – UK / US EYES ONLY'

With the exception of British Embassies and Diplomatic Missions or Service units or establishments, assets bearing the UK EYES ONLY national caveat are not sent overseas. [2]
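As an added illustration (not from the policy documents or this article), the following Python parses a marking line of the kind shown above and applies the release rule the caveats imply. It assumes a constructed layout in which the classification comes first, "OFFICIAL-SENSITIVE" carries the caveat, and each further handling instruction is separated by a spaced dash, as in 'TOP SECRET – UK / US EYES ONLY'.

```python
import re
from dataclasses import dataclass, field

# Constructed grammar for this example (an assumption, not the policy's formal syntax):
#   [UK ]<CLASSIFICATION>[-SENSITIVE][ – <handling instruction>]...
# Handling instructions are separated by a spaced en dash or hyphen and may be a
# descriptor, a codeword (single CAPITAL word) or a national caveat ending in "EYES ONLY".

CLASSIFICATIONS = ("TOP SECRET", "SECRET", "OFFICIAL")
DESCRIPTORS = {"COMMERCIAL", "LOCSEN", "PERSONAL"}


@dataclass
class Marking:
    classification: str
    sensitive: bool = False
    uk_prefix: bool = False
    descriptors: list = field(default_factory=list)
    codewords: list = field(default_factory=list)
    eyes_only: list = field(default_factory=list)   # countries named in a national caveat
    warnings: list = field(default_factory=list)


def parse_marking(text: str) -> Marking:
    parts = [p.strip() for p in re.split(r"\s[–-]\s", text.strip())]
    head = parts[0].upper()
    uk_prefix = head.startswith("UK ")
    if uk_prefix:
        head = head[3:].strip()
    sensitive = False
    for cls in CLASSIFICATIONS:
        if head == cls:
            classification = cls
            break
        if head == cls + "-SENSITIVE":
            classification, sensitive = cls, True
            break
    else:
        raise ValueError(f"unknown classification in marking: {text!r}")

    m = Marking(classification, sensitive, uk_prefix)
    if sensitive and classification != "OFFICIAL":
        # SENSITIVE is a handling caveat for OFFICIAL material, not a classification.
        m.warnings.append("SENSITIVE is a caveat for OFFICIAL information only")

    for part in parts[1:]:
        token = part.upper()
        if token.endswith("EYES ONLY"):
            countries = token[: -len("EYES ONLY")].split("/")
            m.eyes_only = [c.strip() for c in countries if c.strip()]
        elif token in DESCRIPTORS:
            m.descriptors.append(token)
        elif re.fullmatch(r"[A-Z]+", token):
            m.codewords.append(token)
            if classification == "OFFICIAL":
                m.warnings.append(f"codeword {token} on OFFICIAL material is unusual")
        else:
            m.warnings.append(f"unrecognised handling instruction: {part!r}")
    return m


def releasable_to(m: Marking, country: str) -> bool:
    """Whether the national caveat (if any) permits release to the named country.
    Without a caveat this check imposes no restriction; with one, only countries
    explicitly named in the caveat are permitted."""
    if not m.eyes_only:
        return True
    return country.upper() in m.eyes_only
```

`releasable_to` only applies the caveat rule; the UK prefix and the need-to-know decision remain with the information owner.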

New approach to handling classified information

As in the previous GPMS model, the choice of classification relates only to the data's confidentiality. Unlike the old model it replaces, however, the GSCP does not treat the consequence of a compromise as the primary factor; instead it is based on the capability and motivation of potential threat actors (attackers) and the acceptability of that risk to the business.

Where a capable and motivated attacker, such as a Foreign Intelligence Service or Serious and Organised Crime, is considered to be in scope for the data to be classified, the business must implicitly accept this risk in order to classify the data as OFFICIAL. If it does not or cannot accept this risk, it must at least initially consider the data to be SECRET, though the classification may be reduced to OFFICIAL or increased to TOP SECRET later, once the consequences of a compromise are also considered.

The implication of this approach, and of the binary nature of deciding whether the risk from capable and motivated attackers is acceptable, is that data cannot easily progress through the GSCP in a linear fashion as it did through GPMS.

This is a complexity often lost on Information Asset Owners previously used to the strictly hierarchical, rising tiered structure of GPMS (UNCLASSIFIED, PROTECT, RESTRICTED, CONFIDENTIAL, SECRET, TOP SECRET).

By contrast, GSCP data starts with either an OFFICIAL or a SECRET classification, depending on the nature of the threat and its acceptability to the business, and thereafter moves up or down based on the consequence of compromise.

OFFICIAL data may therefore rise to TOP SECRET, but cannot be SECRET unless the risk previously accepted for a capable attacker is revised.

SECRET data may be reduced to OFFICIAL where no serious consequences can be identified from a potential breach, or SECRET can also rise to TOP SECRET if serious consequences could arise.

Impact levels also consider integrity and availability, but CESG's system of Business Impact Levels (BIL) is under review too and in most practical contexts has now fallen into disuse.

It is therefore no longer strictly the case that the greater the consequences of a breach of confidentiality, the higher the classification: data with a high impact (including material which could result in a threat to life) may still be classified as OFFICIAL if the relevant business owner believes it is not necessary to protect it from an attacker with the capabilities of a Foreign Intelligence Service or Serious and Organised Crime.

Conversely, some data with much lower consequences (for example, ongoing police investigations into a criminal group, or intelligence information relating to possible prosecutions), but where the business will not accept compromise by such an attacker, could be classified as SECRET.
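The two-stage decision described above, together with the aggregation rule from the Current classifications section, written out as an added Python example (not the policy's own tooling). The impact labels "none", "serious" and "exceptional" are constructed for this example and stand for "no serious consequence identified", "serious harm" and "exceptionally high impact" respectively.

```python
from enum import IntEnum


class Classification(IntEnum):
    OFFICIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Constructed impact labels for this example (not the policy's own terminology).
IMPACTS = ("none", "serious", "exceptional")


def initial_classification(capable_attacker_in_scope: bool, risk_accepted: bool) -> Classification:
    """Stage 1 is threat-driven. If a capable, motivated attacker (a foreign intelligence
    service or serious organised crime) is in scope, the business either accepts that
    risk and starts at OFFICIAL, or declines it and starts at SECRET."""
    if capable_attacker_in_scope and not risk_accepted:
        return Classification.SECRET
    return Classification.OFFICIAL


def adjust_for_consequence(start: Classification, impact: str) -> Classification:
    """Stage 2 is consequence-driven and only moves between the levels the text allows."""
    if impact not in IMPACTS:
        raise ValueError(f"unknown impact label: {impact!r}")
    if start == Classification.OFFICIAL:
        # OFFICIAL may rise straight to TOP SECRET but never to SECRET: the capable-attacker
        # risk was accepted in stage 1, so even threat-to-life material stays OFFICIAL
        # unless that acceptance is revised (re-run stage 1 with risk_accepted=False).
        return Classification.TOP_SECRET if impact == "exceptional" else Classification.OFFICIAL
    if start == Classification.SECRET:
        if impact == "none":
            return Classification.OFFICIAL      # no serious consequence can be identified
        if impact == "exceptional":
            return Classification.TOP_SECRET
        return Classification.SECRET
    return start


def classify(capable_attacker_in_scope: bool, risk_accepted: bool, impact: str) -> Classification:
    start = initial_classification(capable_attacker_in_scope, risk_accepted)
    return adjust_for_consequence(start, impact)


def aggregate(records):
    """Aggregation does not automatically raise the marking: a store of thousands of
    OFFICIAL records is still OFFICIAL. The result is the highest level already present;
    the information owner still owes a risk assessment on who needs access and how."""
    return max(records, default=Classification.OFFICIAL)


if __name__ == "__main__":
    # Capable attacker in scope, risk accepted, threat-to-life impact: still OFFICIAL.
    print(classify(True, True, "serious").name)
    # Same data once the risk acceptance is revised: SECRET.
    print(classify(True, False, "serious").name)
```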

Guidance issued in April 2014 at the implementation of the GSCP, and still available on Gov.UK sources, [9] suggested that UK Government information systems would continue to be accredited much as before, normally using CESG Information Assurance Standards 1 & 2. This has, however, been progressively discarded through GDS and NCSC blog statements since May 2014, and the IS1 & 2 standard itself is no longer maintained or mandated. Accreditation has also been largely replaced by alternative models of assurance aligned to various commercial practices.

The NAO report "Protecting Information across Government" (Sep 2016) was somewhat critical of the move to this model and of the adoption of GSCP overall. [10]

Existing published guidance continues to suggest that storage media which hold UK government data should still be destroyed or purged according to HMG IA Policy No. 5. However, the terminology in this guidance and other material has not been fully updated to reflect the change from GPMS protective markings to GSCP classifications, so its value as a published standard is now arguably somewhat reduced.

Higher classifications still tend to require stricter personnel vetting.

History

The Government Security Classifications Policy was completed and published in December 2012; additional guidance and supporting processes were developed over time. The policy came into effect on 2 April 2014. Government procurement procedures took account of the new policy from 21 October 2023 so that new security requirements could be taken into account in contracts let from that date. [11]


References

  1. An Introduction to Government Security Classifications, page 1. Cabinet Office, April 2013.
  2. Government Security Classifications (PDF), Version 1.0, October 2013. HMG Cabinet Office, April 2014. Retrieved 10 September 2014.
  3. Government Security Classifications FAQ Sheet 2: Managing Information Risk at OFFICIAL. Cabinet Office, April 2013.
  4. An Introduction to Government Security Classifications. Cabinet Office, April 2013.
  5. Government Security Classifications FAQ Sheet 1: Working with OFFICIAL Information (PDF). HMG Cabinet Office, April 2013.
  6. "'OFFICIAL-SENSITIVE' data and IT". GOV.UK. Retrieved 24 August 2023.
  7. Government Security Classifications: Security Controls Framework. Cabinet Office, April 2013.
  8. Government Security Classifications: Security Controls Framework, page 19. Cabinet Office, April 2013.
  9. "Government Security Classifications".
  10. "Protecting information across government". National Audit Office (NAO) report.
  11. Cabinet Office, Procurement Policy Note: Implementing the New Classifications Policy, Information Note 9/13, published 21 October 2013, accessed 24 March 2023.