Government classification scheme acts as learning point

If you don't classify your data, you don't know what needs protecting says Martin Sugden, suggesting the latest GSC scheme emphasises the importance of data.

Martin Sugden
Martin Sugden

Last month the Cabinet Office launched the Government Security Classification (GSC) scheme, which replaced the Government Protective Marking Scheme (GPMS).  All information that government and public sector organisations need to collect, store, process, generate or share has intrinsic value and requires an appropriate degree of protection.  Security classifications indicate the sensitivity of information in terms of the likely impact of compromise, loss or misuse and the need to defend against a broad profile of applicable threats.

The government has quite rightly identified that data classification is increasingly important, with the simple fact being that without it, organisations don't know the value of data to themselves, customers, and partners.   As a good example of the importance of data classification; local authorities must comply with Freedom of Information (FOI) requests.  Without data classification in place, you need to find the originator of the information, get them back up to speed on the issues and ask them if it can be released. With data classification in place, information that has been requested can easily be identified as something that can, or cannot, be shared publicly, thus reducing the time and expense in dealing with these requests

Businesses take note

The existence of a requirement for government to classify their information assets and protectively-mark documents has been around for several years and the new GSC updates and aims to simplify the old scheme.  What is important about the new GSC is that it shows a commitment by the Cabinet Office to data security and this commitment should be echoed by businesses.  Current legislation means that government organisations must classify their data but, quite simply, it makes good data security sense irrespective of the different legislations in place. 

Data classification empowers an organisation's users and essentially recruits them as additional members of the security team.  Employees are on the front line and they're the ones creating that data and therefore they have the knowledge of the context in which the data has been created, its business value and the potential impact of sharing it with the wrong groups.

There is a multitude of advice and guidance on the latest security technologies that are required to protect an organisation and data classification can tie into those systems and technologies, which can significantly improve the return on investment of those tools.  One of the biggest issues with security technologies is the problem of false positive and negatives which costs time and money to resolve, which data classification can help to rectify.  In the simplest terms, data classification distinguishes between data that requires protection and that which doesn't and what level of protection is needed.

One of the biggest challenges being faced by businesses today is securing their data.  Many businesses see the best way to use information technology is to make it user friendly, open and easy to access.  This way of thinking makes protecting information created on those systems far harder and it creates a mind-set where employees believe it is the organisation that must protect the data they are creating and not the other way round.  As an overstressed IT function there often isn't the room to invest in the latest security technologies, but organisations can make use of the resources they already have – their employees.  User-driven data classification is the simplest and most cost-effective way to improve data security standards.

All government and public sector organisations must classify their data under the new GSC so the value for them is immediate and clear, but Data Classification brings many additional benefits over and above compliance.  It is fast becoming best practice as part of a layered security approach, and as has been proven can have the single biggest impact on security performance if implemented successfully.  Irrespective of the legislation an organisation is subject to, data classification just makes good data security and business sense.

Contributed by Martin Sugden, CEO of Boldon James