Graham Gardiner and Gerard Oakes


1 Government Security Classification (GSC) Review - Update at 26 Nov 2013
Graham Gardiner and Gerard Oakes

2 Recap
- New GSC Policy issued to Government departments in Dec 12
- Minister for Cabinet Office (Francis Maude) announced GSC changes as part of Civil Service Reform policy on 17 Oct 2013
- Anticipated go-live date is 2 April 2014
- Going from current 6 markings to 3 classifications:
  - OFFICIAL: The majority of information that is created or processed by the public sector. This includes routine business operations and services, some of which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened threat profile.
  - SECRET: Very sensitive information that justifies heightened protective measures to defend against determined and highly capable threat actors. For example, where compromise could seriously damage military capabilities, international relations or the investigation of serious organised crime.
  - TOP SECRET: HMG’s most sensitive information requiring the highest levels of protection from the most serious threats. For example, where compromise could cause widespread loss of life or else threaten the security or economic wellbeing of the country or friendly nations.
- (Buff) (Pink) (Red): above indicates colour codes for media

3 GSC – Key Points
- No direct mapping between GPMS and GSC – “jagged edge”
- No expectation to retrospectively re-grade historic or legacy material but; need to manage existing RESTRICTED and CONFIDENTIAL until such time as it is ‘life expired’
- No UNCLASSIFIED – all information generated by HMG has value and thus needs protection
- All HMG information will be at least OFFICIAL
- Government Departments can choose whether they mark OFFICIAL information
  - MOD does not intend to do so
- Cabinet Office view that vast majority of information (90%) will sit in OFFICIAL

4 GSC – Key Points
- Step change in protection measures from OFFICIAL to SECRET
- Cabinet Office guidance for handling ‘New’ SECRET expected shortly
- TOP SECRET – no change
- Number of descriptors reduced to 3:
  - Personnel
  - Commercial
  - Limited Circulation
- Descriptors can be used on OFFICIAL-SENSITIVE and above
- Security Caveats (e.g. UK EYES ONLY) can only be applied to information classified SECRET and above

5 Implementation
- Cabinet Office have agreed that MOD will take lead for Industry
- GSC Security Working Group (SWG) comprising MOD, Cabinet Office and following Industry Associations representation:
  - DISA (Graham Gardiner, Gerard Oakes)
  - UKCEB (Hugh Fraser)
  - ADMIE (Andy Thomas, Alex Graham)
  - ADS (Mark Phillips)
  - TechUK (Gordon Morrison, Joe Taylor)
- Agreement that GSC SWG will be the sole route for communicating with Industry
- Working Group meets monthly to work on immediate concerns

6 Immediate Concerns
- Deterring wholesale migration of RESTRICTED to the SECRET
- Delineation between OFFICIAL and OFFICIAL-SENSITIVE
- Agreeing the way forward for defence industry IT systems currently accredited to operate at CONFIDENTIAL High level only
- Technical controls to be applied to OFFICIAL / OFFICIAL-SENSITIVE IT systems
- Impact on international collaboration and information exchanges

7 Wholesale Migration of RESTRICTED to SECRET
- Risk mitigated in part by softening of original Cabinet Office stance (90% in the OFFICIAL category)
- Most MOD information that used to be marked RESTRICTED is likely to attract an OFFICIAL-SENSITIVE marking post 2 April 2014
- Procedural and technical controls to protect OFFICIAL-SENSITIVE have yet to be agreed but:
  - OFFICIAL-SENSITIVE information must be marked
  - One of the 3 Descriptors can be added to highlight sensitivity
  - Security Caveats (e.g. UK EYES ONLY) must not be applied to OFFICIAL-SENSITIVE or OFFICIAL information
  - MOD require BPSS for access to OFFICIAL-SENSITIVE but not for OFFICIAL (different to Cabinet Office view)

8 Way Ahead on CONFIDENTIAL High IT Systems
- MOD DSAS has analysed industry responses to Industry Security Notice (ISN) on CONFIDENTIAL IT systems
- Problem not as large as originally envisaged
- Intent is to issue new ISN with guidance for companies – likely to be in New Year
- General expectation that over time, i.e. at the next IT system refresh, CONFIDENTIAL IT systems will upgrade to the standard for SECRET systems
- Way forward will be to manage systems under extant arrangements until major equipment refresh; thereafter system needs to be accreditable as a SECRET system
- Potential that review may conclude, under the new rules, that a CONFIDENTIAL system is now only processing OFFICIAL-SENSITIVE

9 OFFICIAL / OFFICIAL-SENSITIVE IT Systems Technical Controls
- CESG working on revised technical controls for SECRET and OFFICIAL / OFFICIAL-SENSITIVE IT systems
- CESG controls unlikely to be available until March 2014 therefore current controls remain in place until new ones are promulgated
- IT Security requirements / accreditation standards for OFFICIAL-SENSITIVE / OFFICIAL IT systems driven by CESG proposals
- Expect no change on Day 1
- MOD studying variety of Accreditation requirements - may differ depending on risk assessment of system processing OFFICIAL
- MOD confident that assessment tool will process circa 80% of systems through the ‘Green Channel’ i.e. without further work or evidence required

10 International Collaboration / Information Exchanges
- Government has written to the National Security Authorities of 40 partner countries to inform them of the GSC changes
- Clarification sought by some countries with ongoing negotiations with USA and France over specific concerns
- Further discussions with NATO and WEU
- Some nations (USA, Canada, Australia) pursuing similar reviews
- Intention is that ‘foreign’ CONFIDENTIAL will be protected as UK SECRET
- On-going discussions regarding ‘classification escalation’, legacy data and impact on foreign industry
- No change to information marked ‘RESTRICTED USML’ under Defence Trade Cooperation Treaty (DTCT)
- UK required to demonstrate controls framework for OFFICIAL-SENSITIVE

11 Contractual Aspects
- MOD DE&S Commercial will be making changes to DEFCONs as a consequence of GSC
- DEFCON 659 and 531 will be amended but not totally re-written
- ‘Contract notices’ will be promulgated to explain the changes
- New Projects will use revised documents and SALs / Grading Guides reflecting new classifications
- Revised SALs / Grading Guides for existing contracts will not be available by 2 April 2014 but; ‘General guidance notice’ expected to be issued pre 2 April
- JSP 440 being rewritten to simplify content and reflect GSC changes
- CPNI expected to confirm that Physical Security requirements will conform to SAPMA baseline standards

12 Awareness and Education
- Cabinet Office material available on their website but is lacking detail
- MOD training plan and material under development:
  - Posters
  - E-learning package
  - Guides
  - FAQs
- Detailed MoD training material expected to be available in Jan 14

13 DECS / DE&S Website
- Switched off in July 2013 without a replacement solution
- Intention was to eventually move to G-Cloud but timescales unknown
- MOD have a plan for interim solution that will provide a service for companies connected to RLI
- Expected to be in place in near future
- Currently no plans to introduce an interim electronic solution for companies who are not connected to the RLI
- MOD seeking agreement to circulate a CD ROM to industry in near future

