‘Classified Information’ … Can companies learn from Government?

Dr. Bernard Parsons, CEO, BeCrypt.

Historically, governments have well understood the need for data classification as a tool for protecting information. The UK Government has a well-established scheme of protective marking that applies to everything from state secrets to information whose loss would cause only embarrassment. However, systems and processes that have worked well for decades have failed to meet today’s demands. In the UK Ministry of Defence report commissioned following last year’s data losses, Sir Edmund Burton describes how the well-developed processes ingrained during the Cold War have not translated into the Information Age.

The mindset of today’s “Facebook Generation” is as applicable to the public sector as it is elsewhere: they expect easy access to, and sharing of, data. However, even for those familiar with technology, security risks are non-intuitive: a single CD holding thousands of records struggles to command the same respect as a box of paper personnel files, although its loss is at least as serious and far easier to bring about.

UK Government data security policies have historically prioritised confidentiality at the expense of availability and data integrity, and this imbalance has frequently detracted from system usability. At the same time, there has been a growing need to store personally identifiable information. Much of this data has not fitted within existing data classification regimes and, significantly, there has been little inclination to consider the impact of accumulating large quantities of it: a single record may be low-sensitivity, while a database of millions of such records is not. As a consequence, many systems at the lower end of data sensitivity have not had adequate safeguards (both system and procedural) in place, creating a new and arguably more significant Information Assurance challenge for Government. Gartner highlights the relevance of this to the private sector by stating that ‘Organizations that do not have an effective data classification program usually fail at their data encryption projects’: without knowing which data matters, an organisation cannot decide what to encrypt, where, or under whose control the keys should sit.

A “critical mass” of public sector data breaches occurred in the UK around the beginning of 2008, typically involving personal data, after which events that would previously have gone unnoticed caused public dismay. This provided a catalyst for change that has been seized upon by the Information Assurance community to drive home widespread improvements. Recognition that the solution was cultural rather than prescriptive has led to the establishment of a risk management culture aimed at rebuilding citizens’ confidence in the storage and management of their data.

The risk management culture has involved a shift in focus from protective marking to the consideration of business impact levels. This encourages consideration of the value of data; the risks associated with loss of confidentiality, integrity or availability; and the corresponding impact on the business. By including data accumulation and aggregation in the assessment, personal data can now be required to receive the same treatment previously reserved for higher levels of classification.

A set of new minimum mandatory measures, including reporting and compliance mechanisms, is described in the recently published Government Security Policy Framework. This public domain document replaces the protectively marked Manual of Protective Security, underlining a new level of openness as well as illustrating the increasing similarity of data, and of the risks to data, across the public and private sectors. Government has also published a public domain Information Assurance Maturity Model, providing a practical framework for IA compliance. This is consistent with, and builds upon, existing standards and regulation relevant to the private sector, such as ISO 27001 and the UK Data Protection Act.

There is increasing commonality between the assurance schemes that the public and private sectors apply to technological solutions, allowing products to be developed and deployed for common goals. This helps to keep solution costs low for Government, which is key, as the requirement for departments to comply has not been accompanied by additional budget.

An example of a common goal addressed at low cost relates to the mandatory requirement to provide “Urgent consideration … of simple, affordable solution to enable the safe, authorised, use of privately owned computers for limited Government tasks”.

Through an agile public-private consultation process, technology has been developed and certified to allow the secure use of unmanaged machines for remote working. CSC is an example of an organisation using this, together with virtualisation technology, to allow dynamic secure remote access to corporate resources.

Whether the need is to protect national secrets, intellectual property or personal information, today’s technology has placed similar demands on all sectors, and each sector has provided examples of best and worst practice. The UK Government reacted with a framework to encourage a culture change. It contains effective guidelines that are open to review by all, and the lessons for corporations are there to be learnt and adopted.

BeCrypt is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe, held on 28th – 30th April in its new venue, Earl’s Court, London. The event provides an unrivalled free education programme, with exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk

Source: InfosecurityPR