Mark Brett IA Advisor May 2009 Introducing Protective Marking for Local Authority Use


Page 1: Mark Brett IA Advisor May 2009 Introducing Protective Marking for Local Authority Use

Mark Brett, IA Advisor, May 2009

Introducing Protective Marking for Local Authority Use

Page 2

The Urban Myth

• I need protective marking schemes for Government Connect CoCo

• The fact: on the contrary, compliance with the GCSX Code of Connection does not oblige an LA to adopt the Protective Marking system. The requirement is as follows:

• “Employees of the organisation who handle information carrying a protective marking of RESTRICTED MUST be made aware of the impact of loss of such material and the actions to take in the event of any loss.”

Source: CESG April 2009

Page 3

Part 1

Page 4

The Approach

• Step 1 Information Asset discovery
• Step 2 Determine Information Asset ownership.
• Step 3 Classification of Information Assets
• Step 4 Evaluation of Asset risk and value to determine the protective marking level.
• Step 5 Deployment of the information asset protective marking within the scheme.

Page 5

The Process Refined: the 5 D’s

Page 6

Discovery

• A trawl of Information Assets
• What assets exist?
• What are their inputs / outputs?
• What linkages exist?

Page 7

Determination

• Who owns the asset?
• Who is responsible for the asset?
• Who controls the asset?
• Who can authorise the processing and disclosure?

Page 8

Decision

• What is the business impact level of the asset?
• What is its Data Protection status?
• Who is authorised to process the asset?
• What protective measures are required?

Page 9

Deployment

• Where will the asset be created, stored and processed?
• Will the asset be transmitted?
• Will the asset be copied?
• Will the asset be controlled?
• Who will process it?
• Where?
• How?
• Compliance/monitoring/audit regime?

Page 10

Destruction

• Who will authorise the destruction of the asset?

• How will you know if all copies are destroyed?

• Do you need to retain a copy for legal/compliance purposes?

• How will you destroy the asset?

Page 11

Part 2

A bit more detail

Page 12

Page 13

Stating the Obvious

• If you don’t mind it being in the local paper or on your website or in someone’s blog, then UNCLASSIFIED or NOT PROTECTIVELY MARKED

• Otherwise consider PROTECT
• PROTECT is NOT a national security marking;
• “It should be noted that the PROTECT marking is a non-National Security marking” Source: http://www.cabinetoffice.gov.uk/spf/sp2_pmac.aspx (under mandatory Green box 16)

• MANDATORY REQUIREMENT 18: Departments and Agencies must ensure that non-HMG material which is marked to indicate sensitivity is handled at the equivalent level within the Protective Marking System, or where there is no equivalence, to the level offered by PROTECT as a minimum.

Page 14

Do also consider

• If the asset already has an external marking (PROTECT/RESTRICTED/CONFIDENTIAL etc.), you MUST handle the information according to that level of protection.

• We advise you have an MOU in place with the owner of that asset to agree how you will handle it.

Page 15

Still not sure?

• If the asset has some strange marking, such as:
  • Private and Confidential
  • Commercial in confidence
  • Confidential – addressee only

Assume you’ll treat it as PROTECT according to your own policies and procedures.

Page 16

ADVICE and GUIDANCE

Page 17

PROTECT – How to decide

Use the segmentation model

• DEFEND against a sophisticated attacker - the requirements needed to protect the very high value sovereign Public and Private Sector information and information systems;
• DETECT and resist an attack from a sophisticated attacker - the requirements needed to protect high-value Public and Private Sector information and information systems;
• DETER an attack from a skilled attacker - the requirements which support all valuable information and information system assets in the Public and Private Sectors;
• AWARE of public domain threats and vulnerabilities - the requirement of small companies (less than 20 employees) and individual citizens.

Page 18

The four Principles

• Audit and Monitoring,
• Level of Protection,
• Basic Information Assurance Objectives and
• Access Control Requirements

Impact Level    Segment
1               Aware
2               Deter
3               Deter

Page 19

Page 20

Page 21

The Assurance matrix

Source: CESG IS1 Part 2 December 2008 3.4 p. D2

Page 22

Threat Sources

Source: CESG IS1 Part 1

Page 23

Threat likelihood & Business Impact

Source: CESG IS1 Part 1

Page 24

The business impact level (BIL)

Page 25

Page 26

PROTECT – What to do

MANDATORY REQUIREMENT 19: Departments and Agencies must apply the following baseline controls to all protectively marked material:

• Access is granted on a genuine ‘need to know’ basis.

• Assets must be clearly and conspicuously marked. Where this is not practical (for example the asset is a building, computer etc.) staff must still have the appropriate personnel security control and be made aware of the protection and controls required.

• Only the originator or designated owner can protectively mark an asset. Any change to the protective marking requires the originator or designated owner's permission. If they cannot be traced, a marking may be changed, but only by consensus with other key recipients.

• Assets sent overseas (including to UK posts) must be protected as indicated by the originator's marking and in accordance with any international agreement. Particular care must be taken to protect assets from foreign Freedom of Information legislation by use of national prefixes and caveats or special handling instructions.

• No official record, held on any media, can be destroyed unless it has been formally reviewed for historical interest under the provisions of the Public Records Act.

• A file, or group of protectively marked documents or assets, must carry the protective marking of the highest marked document or asset contained within it (e.g. a file containing CONFIDENTIAL and RESTRICTED material must be marked CONFIDENTIAL).

Page 27

PROTECT level is “sensitive” but below RESTRICTED

Impact (SPF page 27): criteria for assessing PROTECT (sub-national security marking) assets:

• cause distress to individuals;

• breach proper undertakings to maintain the confidence of information provided by third parties;

• breach statutory restrictions on the disclosure of information;

• cause financial loss or loss of earning potential, or to facilitate improper gain;

• unfair advantage for individuals or companies;

• prejudice the investigation or facilitate the commission of crime;

• disadvantage government in commercial or policy negotiations with others.

The compromise of assets classified PROTECT would be likely to:

• Breach proper undertakings to maintain the confidence of information provided by third parties;

• Breach statutory restrictions on disclosure of information;

• Impede the effective development or operation of policies internal to the Department;

• Cause financial loss or loss of earning potential to, or facilitate improper gain or advantage for, individuals and sole traders up to £1,000 or large companies up to £10,000;

• Disadvantage government in commercial or policy negotiations with others resulting in loss to the public sector of up to £10,000.

Examples

• Policy Information
• Procurement tenders/contracts and correspondence

Page 28

Handling

Marking • Print in bold capitals, same size as body text, centre top of each page (header) or subject line of an email, with additional 'descriptor'.

Storage • Physically protect by one barrier within a secure building, e.g. a locked container.

Disposal of papers • Place in a designated ‘secure disposal’ waste bin e.g. bins or sacks that must be locked when not in use.

Disposal/re-use of magnetic data storage, including removable electronic media • Delete contents and re-use within the authority only.

• Media must be marked and treated as PROTECT.
• Deletion of information does not remove the associated protective marking.
• Can be destroyed by IT security if deemed appropriate (see Electronic Media Re-use and Disposal Security Policy).

Internal distribution • Communications must be protectively marked as PROTECT and include a descriptor. Appropriate methods of internal distribution are:

• Using GCMAIL email;
• Sealed envelope / polylope through internal post;
• Sealed envelope / polylope delivered by hand.

Postage • Send in a sealed envelope, by post, after confirming the correct full postal address including post code. No protective marking is needed on the envelope.

Discussion by telephone or video conference • Telephones can be used:

• Caller identity must be confirmed;
• Details should be kept to the minimum necessary.

Storage on the authority's IT systems • Permitted.

Storage on removable electronic media • PROTECT information may be stored on encrypted removable media.

Email within GCSx • Permitted.

Email outside GCSx (over the internet) • Information may be sent without additional protection, but confirm the email address and keep sensitive details to a minimum.

Fax • Normal office fax may be used, but confirm the fax number and keep sensitive details to a minimum. Ensure the recipient is expecting and ready to receive.

Photocopying • Permitted, but only make as many copies as you need and appropriately limit their distribution.

Working at home or when travelling • Permitted following security assessment, with the Senior Responsible Officer's approval and compliance with the above guidance. Note:

o only the authority's supplied computer equipment and peripherals are to be used
o personal computer equipment and peripherals must not be used
o ensure you cannot be overlooked if in public

Page 29

QUESTIONS?

• www.idea.gov.uk/datahandling
• [email protected]