HMG Unprepared for Government Security Classifications Policy warns Auriga

Auriga Consulting Ltd (Auriga), the expert data, ICT and security consultancy, has warned that many of Her Majesty’s Government (HMG) departments, agencies and associated suppliers are unprepared for the Government Security Classifications Policy (GSCP) due to come into force in April 2014. The GSCP requires newly created or amended data to be categorised under three new tiers in a bid to simplify data classification and protection. A number of CESG Information Assurance Notices (CIAN) and CESG Information Assurance Top Tips (CIATT) which were due to be issued to help with implementation, as well as revisions to Baseline Security Objectives (BSO), have yet to emerge. Auriga has developed the GSCP Transition Service to provide practical advice on how to navigate the transition, a process which is liable to be far more complex than many anticipate, as it will encompass adjustments to data storage and risk management.

The GSCP is part of the Civil Service Reform Plan and was devised to reduce the complexity and costs of sharing and protecting data. The current Government Protective Marking System (GPMS) will be superseded by GSCP, with the six tiers of TOP SECRET, SECRET, CONFIDENTIAL, RESTRICTED, PROTECT and UNCLASSIFIED due to be replaced by TOP SECRET, SECRET and OFFICIAL. Government Departments and Agencies are obliged to apply the policy and ensure that consistent controls are implemented throughout their public sector delivery partners (i.e. NDPBs and Arms Length Bodies) and wider supply chain and users are personally accountable for safeguarding marked assets in line with the policy.

GSCP will streamline the classification process with up to eighty percent of data expected to be classified under the lowest OFFICIAL tier. There is also no requirement to mark routine OFFICIAL data. Legacy data can continue to stored and classified under the previous GPMS system unless it is amended or incorporated into another data set. HMG departments, agencies and their suppliers must therefore accommodate both the new and legacy marking systems and seek to develop any risk management processes that were reliant upon the classification system to assign risk.

“Data classification is just the tip of the iceberg; we must address the management processes that lurk beneath the waterline. HMG departments, agencies and suppliers will need to ensure data management is robust enough to accommodate both classification systems for some time to come and that means unpicking mistakes. Regrettably many have been ill advised in the past and have relied upon prescribed Impact Levels to determine information assessments. Consequently, what should have been a relatively simple transition to a new scheme can become a complete overhaul of the data management process,” cautions Louise T. Dunne, Managing Director, Auriga. “Recognising the need for guidance we have developed the GSCP Transition Service which enables public and private sector organisations to address baseline procedures and accommodate changes in classification once and for all, helping to resolve and overcome a legacy of data management issues and embed scalability.”

Auriga is one of the first to market with a dedicated solution and has developed the GSCP Transition Service to assist Government Departments, Agencies and their suppliers as they seek to adjust to and implement the new classification system. The GSCP Transition Service is a risk management package that fulfils current and future requirements by using data life cycle management to manage data assets. Offered as a modular service, the GSCP Transition Service can be implemented end-to-end or used to augment existing data lifecycle processes and is delivered by a team of CLAS and CESG Certified Professional (CCP) consultants, Business Analysts and Technical Architects with risk management expertise and is available on the G-Cloud Cloudstore.