New security classifications could confuse government departments
Public and private sector suppliers have been warned of the danger of 'data dumping', as they seek to comply with the new Government Security Classifications Policy (GCSP).
Under the new ruling, departments and associated parties have nine months to reclassify their data from using the current six tiers of protective markings to three, and should implement the changes systematically as part of a cohesive risk management program, said consultancy Auriga.
While presenting an opportunity for government departments, agencies and their private sector suppliers to simplify classification, the company warned that the process could prove painful in the short term, as organisations re-evaluate data, assign categories and adjust their risk management posture.
The GCSP will reduce the six tiers of the Government Protective Marking System (GPMS) of 'top secret, secret, confidential, restricted, protected and unclassified' to 'top secret, secret and official'. This has a proposed rollout date of April 2014. A taxonomy will need to be put in place to help direct the underpinning risk management processes and create a more informed risk-driven approach to management.
Geoff Eden, subject matter expert at Auriga, said that a data classification system should be an integral aspect of any organisation's data lifecycle processes, with the approach to risk management, and the necessary level of assurance, shaped by the characteristics of each classification.
“The GSCP can help departments and agencies realise the business and security benefits of this, but only if
data classification is well thought-through, effectively integrated with the organisation's data lifecycle processes, and not done in haste," he said.
Louise T. Dunne, managing director of Auriga, said: “Departmental planning will have to be meticulous where possible and involve substantial business and process change in order to realise more effective working practices and the required cultural change and reform that the policy is hoping to deliver. That takes time and patience but GSCP is essentially a form of transition and change management.”