The Government Protective Marking System (GPMS) by Information Assurance v4 - last amended 18/01/11
Why The Need?
In association with Government compliance requirements, the MCA must ensure its systems, processes and people protect valuable information assets in order to:
• improve information asset awareness
• promote information security
• maintain business continuity
What’s The Purpose?
To indicate that information stored electronically or contained in a document has a particular level of security, which …
• needs to be protected to a certain standard
The GPMS also,
• ensures information receives a uniform level of protection and treatment within the MCA
What’s an Information Asset?
This is a definable piece of information, stored in any manner, which is recognized as ‘valuable’ to the MCA. For example:
• files
• system documentation
• user manuals
• procedures
• archived information
• personal data
• USB Memory Sticks
• DVDs
• CDs
What are the correct protective markings to use?
In order of sensitivity the MCA classifies information into five levels:
• TOP SECRET
• SECRET
• CONFIDENTIAL
• RESTRICTED
• PROTECT
What about Unclassified Information?
Certain information assets may be considered ‘unclassified’, but should still be marked with:
NOT PROTECTIVELY MARKED
This positively indicates that a protective marking is not needed.
What needs marking?
• Everything …
• Paper files, e-mails (including attachments)
• DVDs
• CDs
• USB Memory Sticks
Where to place a GPMS
• paper assets: top and bottom (back and front) of each page – in bold
• CDs, DVDs and USB Memory Sticks: permanent marker pen – in bold and before data is written to the media
Remember! Information Assets must be clearly marked at all times
What are Descriptors?
These are supplementary markings applied to protectively marked assets to indicate additional information about contents, sensitivity or handling requirements. For example:
• RESTRICTED STAFF
• PROTECT PERSONAL
• PROTECT COMMERCIAL
What is Personal Data?
Personal data is viewed as any information that links one or more identifiable living persons with information about them whose release would put them at significant risk of harm or distress. Correct application of a protective marking will ensure personal data is appropriately safeguarded.
PROTECT PERSONAL must be used when handling information which includes one of the following:
• Name & address (home, business or both)
• Postcode
• e-mail address
• Telephone Number
• Date of birth
• Driving Licence Number
Combined with:
• Financial data
• Tax information
• National Insurance Number
• Medical details
• Employment records
For the handling of CONFIDENTIAL and above please contact the Data Handling Manager at MCA HQ
How can I apply a PM?
• Use a ‘harm test’ to indicate likely impact if asset were compromised …
• Assess asset against criteria for each PM
• Too high PM = hinder use and cause business inefficiency
• Too low PM = damaging consequences and asset compromise
Everyone needs to be aware of their responsibility towards protecting the confidentiality, integrity and availability of all information assets belonging to the MCA. Please refer to the Procedure on Information Security Classification for further guidance.
Link to M-net: Information Assurance http://m3net.mcga.gov.uk/c4mca/mnet-corporatesupport/mnet-corpdev/mnet-ia.htm