Introducing Protective Marking for Local Authority Use

1. Introducing Protective Marking for Local Authority Use Mark Brett IA Advisor May 2009

2. The Urban Myth • I need protective marking schemes for Government Connect CoCo • The fact: Contrary • Compliance with the GCSX Code of Connection does not oblige an LA to adopt the Protective Marking system. The requirement is as follows: • "Employees of the organisation who handle information carrying a protective marking of RESTRICTED MUST be made of aware of the impact of loss of such material and the actions to take in the event of any loss.” Source : CESG April 2009

3. Part 1

4. The Approach • Step 1 Information Asset discovery • Step 2 Determine Information Asset ownership. • Step 3 Classification of Information Assets • Step 4 Evaluation of Asset risk and value to determine the protective marking level. • Step 5 Deployment of the information asset protective marking within the scheme.

5. The Process Refined 5-D’s

6. Discovery • A trawl of Information Assets • What assets exist • What are their inputs / outputs • What linkages exist

7. Determination • Who owns the asset? • Who is responsible for the asset? • Who controls the asset? • Who can authorise the processing and disclosure?

8. Decision • What is the business impact level of the asset? • What is it’s Data Protection Status? • Who is authorised to process the asset? • What protective measures are required?

9. Deployment • Where will the asset be created, storedand processed? • Will the asset be transmitted? • Will the asset be copied? • Will the asset be controlled? • Who will process it? • Where? • How? • Compliance/monitoring/audit regime??

10. Destruction • Who will authorise the destruction of the asset? • How will you know if all copies are destroyed? • Do you need to retain a copy for legal/compliance purposes? • How will you destroy the asset?

11. Part 2 A Bit more detail

13. Stating the Obvious • If you don’t mind it being in the local paper or on your website or in someone’s blog, then UNCLASSIFIED or NOT PROTECTIVELY MARKED • Otherwise consider PROTECT • PROTECT is NOT a national security marking; • “It should be noted that the PROTECT marking is a non-National Security marking” Source: http://www.cabinetoffice.gov.uk/spf/sp2_pmac.aspx ( Under mandatory Green box 16) • MANDATORY REQUIREMENT 18 • Departments and Agencies must ensure that non-HMG material which is marked to indicate sensitivity is handled at the equivalent level within the Protective Marking System, or where there is no equivalence, to the level offered by PROTECT as a minimum.

14. Do also consider • If the asset already has an external marking PROTECT/RESTRICTED/CONFIDENTIAL etc You MUST handle the information according to that level of protection. • We advise you have an MOU in place with the owner of that asset to agree how you will handle it.

15. Still not sure? • If the asset has some strange marking; • Private and Confidential • Commercial in confidence • Confidential – addressee only Assume you’ll treat it as PROTECT according to your own policies and procedures.

16. ADVICE and GUIDANCE

17. PROTECT – How to decideUse the segmentation model • DEFEND against a sophisticated attacker - the requirements needed to protect the very high value sovereign Public and Private Sector information and information systems; • DETECT and resist an attack from a sophisticated attacker - the requirements needed to protect high-value Public and Private Sector information and information systems; • DETER an attack from a skilled attacker - the requirements which support all valuable information and information system assets in the Public and Private Sectors; • AWARE of public domain threats and vulnerabilities - the requirement of small companies (less than 20 employees) and individual citizens.

18. The four Principals • Audit and Monitoring, • Level of Protection, • Basic Information Assurance Objectives and • Access Control Requirements • Impact Level Segment • 1 Aware • 2 Deter • 3 Deter

21. The Assurance matrix Source: CESG IS1 Part 2 December 2008 3.4 p. D2

22. Threat Sources Source: CESG IS1 Part 1

23. Threat likelihood & Business Impact Source: CESG IS1 Part1

24. The business impact level (BIL)

26. PROTECT – What to do MANDATORY REQUIREMENT 19 Departments and Agencies must apply the following baseline controls to all protectively marked material: Access is granted on a genuine ‘need to know’ basis. Assets must be clearly and conspicuously marked. Where this is not practical (for example the asset is a building, computer etc) staff must still have the appropriate personnel security control and be made aware of the protection and controls required. Only the originator or designated owner can protectively mark an asset. Any change to the protective marking requires the originator or designated owner's permission. If they cannot be traced, a marking may be changed, but only by consensus with other key recipients. Assets sent overseas (including to UK posts) must be protected as indicated by the originator's marking and in accordance with any international agreement. Particular care must be taken to protect assets from foreign Freedom of Information legislation by use of national prefixes and caveats or special handling instructions. No official record, held on any media, can be destroyed unless it has been formally reviewed for historical interest under the provisions of the Public Records Act. A file, or group of protectively marked documents or assets, must carry the protective marking of the highest marked document or asset contained within it (eg. a file containing CONFIDENTIAL and RESTRICTED material must be marked CONFIDENTIAL).

29. QUESTIONS? • www.idea.gov.uk/datahandling • Mark.brett@lga.gov.uk