Security classifications - public sector responsibility

Published on Monday, 08 September 2014 11:35
Written by Adele Parker

The new Government Security Classification Policy came into force in April 2014. It includes some subtle changes that strengthen the PSN as a platform for innovation and reform in the public sector.

Firstly, the classifications themselves, the six 'tags' we all know for marking shared information, such as Confidential, Restricted and Protect, have been reduced to three with the aim of decreasing complexity.

We now have Official, Secret and Top Secret, plus a marking within Official for information whose loss, theft or publication in the media could have more damaging consequences. It is called Official-Sensitive, and it is a handling caveat within the Official tier rather than a fourth classification.

Under the new classifications, the majority of public sector information will find itself in the Official category: information derived from routine business operations and services. The government's ICT Strategy anticipates that the PSN will be the primary network bearer for Official information.

This makes sense. The PSN is the trusted way of sharing Official information because it is already tested, reviewed and checked against compliance regimes; it demonstrates solid management processes and it is regularly audited.

Organisations that consume PSN services already comply with the PSN information assurance requirements. The PSN platform comes with agreed levels of service and integrity, and a built-in level of security that is appropriate for most government business. It is already the trusted platform for sharing information across the public sector.

Responsibility and safeness

The second subtle change is that the new rules leave the information originators, or 'owners', with the responsibility for classifying the information. Only they can change the classification, although others may challenge it. For example, a member of the public may request an Official-Sensitive document under the Freedom of Information Act, and the marking by itself is not a ground for refusing that request; the owner must justify withholding it on the Act's own exemptions. On the face of it, this could be quite daunting, but most information owners in the public sector will already be working with the CIA principles of Confidentiality, Integrity and Availability (not the other CIA!) and, armed with this knowledge, classifying information should be relatively straightforward.

The PSN has a role to play here. In the technology age, we cannot have a system in which information owners classify information without a secure method of transporting it. The PSN, as a trusted environment, provides the transport mechanism. Additionally, because of its trusted status, information owners will see less risk when sharing data. If they were to mistakenly under-classify a document, for example, the consequences of that wrong judgement call are reduced while the document is in transit, because the network itself is assured; the classification still governs how it must be handled at either end.

Perhaps more importantly, with responsibility falling to the individual under the new rules, I think we need to focus more on the safeness of information. Information owners will need to acknowledge that they hold information that needs to be managed; they will need to understand what they are managing and really think about how safe it is.

For example, a user needs to send information from A to B and might also need to share it with others. The information owner needs to go to the proverbial door and know what is behind it before sharing the information. They will need to ask themselves: is the information being sent going to be safe? How should I classify it? Again, the PSN has a role to play by reducing risk and keeping Official information safe.

Hygiene factor

The PSN provides a safe environment, a trusted platform for innovation that reduces the cost and risk of experimentation. Eventually, for sharing Official information at least, the PSN will become the 'hygiene factor': information owners will expect it to be the transport method for their information and will need it to be in place. After all, other industry sectors have trusted environments, so why shouldn't the public sector?

The new Government Security Classification Policy is a change we welcome and, combined with a trusted network for the public sector, we will soon see how information owners can do things differently and how, together, we can reform the public sector for good.