Top secret documents only for the eyes of those with the requisite security clearance never fail to elicit a James Bond-esque thrill. Security classifications are synonymous with privilege, providing access on a need-to-know basis. Yet government assets seldom self-destruct in 60 seconds and need effective management from the cradle to the grave. Such data may even present a risk to the organisation if it falls into the wrong hands, as a result of which security classifications are often closely linked with risk management.
Security classifications remain as vital today as they were in Fleming’s day, providing an effective way to order, categorise and protect data assets. But somewhere along the way, security classifications became disjointed. In addition to ‘top secret’, we had ‘secret’, ‘confidential’, ‘restricted’, ‘protect’ and ‘unclassified’, and users were often confused as to how to differentiate between them. Moreover, an asset’s classification could change over the course of its lifetime as the value of the information changed.
Clearly a rethink was needed to simplify the process, and in June 2012 provision was made in the Civil Service Reform Plan for a streamlined security classifications system. This saw the existing six tiers reduced to just three: ‘top secret’, ‘secret’ and ‘official’. Dubbed the Government Security Classifications Policy (GSCP), the three-tier system came into effect in April 2014, making it easier for government departments, agencies and their public sector suppliers to work with security classifications and thus to apply them more diligently. Yet the new system has caused widespread concern and consternation across the public sector. Why?
The answer lies in that original complex array of six layers and a serious mismanagement of information security. Many organisations saw the existing protective marking system and its associated business impact levels (ILs) as a quick risk management fix. By combining the two, organisations reasoned it would be possible to demarcate risk without the need to carry out independent assessments. After all, the data hierarchy and the IL were both related to the risks posed to the organisation, so surely this made sense? There was a cost: tethering these strategies together led to rigidity and an inability to respond flexibly to emerging risks. But in the overall scheme of things, classification-driven risk ticked the right boxes… until the overhaul of the system and the launch of the GSCP.
GSCP is not a radical undertaking. The plans are for it to be gradually phased in and applied to new assets, making it essentially a form of transition and change management. It will replace old protective markings as information and other assets naturally reach end of life; this will be a generational change. By managing information as a lifecycle process, the GSCP has the potential to create far more effective and efficient working practices across government and to bring about the cultural change and reform that the policy is intended to deliver as part of the Civil Service Reform Plan.
Clearly the GSCP is not a case of ‘out with the old and in with the new’, and any organisation or supplier which conducts security classifications correctly has little to fear. The problem comes for those that have used security classifications as the sole basis for risk management. Such organisations may well feel the labels have been ripped off and they don’t know where to start.
The temptation is to substitute one set of labels for another. The GSCP will include ‘applicable threat profiles’ (much like those used in the private sector), which will be very useful in informing risk management thinking. Organisations reliant on ILs will no doubt find the threat profile concept confusing, and the danger is that one set of criteria will simply be swapped out for another rather than applied diligently and systematically, as they are meant to be. In many ways, public sector organisations will find it extremely difficult to make a straightforward swap. ‘Official’ assets, for instance, will not be labelled by default, so there is no marking to map an old IL onto.
Security classifications alone will not be enough for these organisations to employ an appropriate approach to risk management. Consideration will also have to be given to, for example, business objectives, legal obligations and social remit or operational requirements to provide the necessary context to support a truly informed risk-driven approach to management.
Transitioning to the GSCP should happen at all stages of the data lifecycle, from creation to realisation to cessation. By including all aspects of the data lifecycle when transitioning to the GSCP, its benefits can be further realised. Fundamentally, this is about more effective risk management. Organisations need to identify what is valuable and why, understand the associated risks, and employ appropriate and effective mitigation. Effective risk management is a complex business, with the GSCP being but one (admittedly very important) consideration, instead of risk management being determined solely by classification.
What’s in a name?
If good risk management is in place, GSCP should represent little more than a name change. Organisations which do conduct proper risk assessments and devise risk management strategies based on the nuances of the organisation and its business objectives, much as in the private sector, will find GSCP easy to implement because they already treat security classification as a standalone method of labelling assets and setting access criteria, not as a substitute for risk assessment.
Irrespective of previous misdemeanours, the GSCP presents a real opportunity to tackle risk management effectively. Security classifications and risk management policy, though interlinked, should never be synonymous. By distinguishing between security classifications and risk, management activities can become more responsive and agile, enabling the organisation to anticipate and counter threats more effectively. Truly capable risk management processes and practices are a fundamental aspect of the government’s ICT, cyber security and digital strategies.
When all is said and done, a security classification label is finite, whereas risk is a constantly changing variable.
This was first published in May 2014