GSC - An MOD Brief Guide (DRAFT) v1.9 - DISA



DRAFT

A UK MOD Short Guide to

The UK Government’s New Security Classification System

The Old System:

|UNCLASSIFIED |PROTECT |RESTRICTED |CONFIDENTIAL |SECRET |TOP SECRET |

The New System:

|OFFICIAL[1] |SECRET |TOP SECRET |

Key Points:

o Going from six classifications to three.

o The removal of UNCLASSIFIED reasserts the fact that all Government information has value and should be handled with appropriate care.

o Individuals will have more discretion within OFFICIAL than in the old RESTRICTED domain.

o No direct read-across from old to new system within HMG.

o In certain areas a direct comparison is required for dealing with Industry, International Partners and legacy issues.

The New System (from 2 Apr 14):

| Tier One | Tier Two | Tier Three |
|---|---|---|
| OFFICIAL[2] | SECRET | TOP SECRET |

Information Handling Guidance – Marking, Sharing, Transmission and Storage (UK officials, partners, industry):

| OFFICIAL (unmarked) | OFFICIAL - SENSITIVE | SECRET | TOP SECRET |
|---|---|---|---|
| MOD will not mark documents “OFFICIAL”. (However, other Government departments may. There is no difference in handling if marked or unmarked.) | Marked “OFFICIAL - SENSITIVE” | Marked “SECRET” | Marked “TOP SECRET” |
| Information to be handled with appropriate care. The document does not normally carry any handling instructions but may do so if the originator thinks it is needed. | Information to be handled with greater care. Can include National caveats[3]. Can include only three additional descriptors if further handling instructions are required: PERSONAL[4], COMMERCIAL[5], LIMITED CIRCULATION[6]. | Except for the reduction in ‘descriptors’ (detailed to the left), no change. National caveats, codewords and any special handling instructions remain. | As SECRET |
| Sharing Information: Author/owner or recipient to determine. | Sharing (no descriptor): HMG author/owner or HMG recipient to determine on a clear ‘need to know’ basis. External organisations to seek HMG authority to share (or already authorised under MoU etc). Sharing (with descriptor): HMG author/owner to determine on a clear ‘need to know’ basis. All recipients to seek HMG author/owner authority to share (or already authorised under MoU etc). | No change to current policy | No change to current policy |
| Remote working: User to determine but ensure information cannot be overlooked. | Remote working (All): User to determine but not normally allowed unless suitably configured devices/services are used; essential that information cannot be overlooked. | No change to current policy | No change to current policy |
| IT Transmission of Information: User discretion but in most circumstances HMG approved IT systems / devices. | Transmission: HMG approved IT systems / devices, or in priority circumstances originator approval needed if no approved IT. | No change to current policy | No change to current policy |
| Storage: User discretion but in most circumstances, HMG approved IT systems / devices, or physical ‘standard’ lock & key. | Storage: HMG approved IT systems / devices, or physical ‘standard’ lock & key. If a descriptor/caveat is used then mandatory ‘locked-down’ team sites / folders with authorised access lists are required. | No change to current policy | No change to current policy |

The New System (from 2 Apr 14):

|OFFICIAL[7] |SECRET |TOP SECRET |

LEGACY DOCUMENTS or LEGACY PHYSICAL ASSETS

| UNCLASSIFIED | PROTECT | RESTRICTED | CONFIDENTIAL | SECRET | TOP SECRET |
|---|---|---|---|---|---|

| UNCLASSIFIED / PROTECT / RESTRICTED | CONFIDENTIAL / SECRET / TOP SECRET |
|---|---|
| Unless an HMG author / owner or HMG recipient reassesses the information, data or asset, it retains original markings and handling caveats / descriptors, and Sy control measures. | Unless the originator reassesses the information, data or asset, it retains original markings and handling caveats / descriptors, and Sy control measures. |

| UNCLASSIFIED | PROTECT / RESTRICTED | CONFIDENTIAL | SECRET | TOP SECRET |
|---|---|---|---|---|
| Sharing Information: Any author/owner or recipient to determine. | Sharing Information: HMG author/owner or HMG recipient to determine. External organisations to seek approval. | Sharing Info: No change | No Change | No Change |
| Transmission of Information: Over any system. | Transmission of Information: HMG approved IT systems / devices mandated. | Transmission of Information: Legacy[8] ‘CONFIDENTIAL’ system or Tier Two IT system mandated. | HMG approved IT systems / devices for Tier Two mandated. | HMG approved IT systems / devices for Tier Three mandated. |
| Storage: Any system. | Storage: Legacy (or post 2 Apr 14) HMG approved IT systems / devices mandatory, or legacy RESTRICTED physical security measures. | Storage: Legacy ‘CONFIDENTIAL’ IT system or Tier Two system mandated. Legacy Phys Sy measures, moving to Tier Two as soon as practicable. | HMG approved IT systems / devices for Tier Two mandated. | HMG approved IT systems / devices for Tier Three mandated. |

SHARING WITH INTERNATIONAL PARTNERS

The New UK System (from 2 Apr 14):

| Tier One | Tier Two | Tier Three |
|---|---|---|
| OFFICIAL[9] | SECRET | TOP SECRET |

INTERNATIONAL CLASSIFICATIONS – International Information being received by UK

| UNCLASSIFIED | RESTRICTED | CONFIDENTIAL | SECRET | TOP SECRET |
|---|---|---|---|---|
| UK will treat as OFFICIAL | UK will treat as OFFICIAL – SENSITIVE but with slightly less discretion (as mandated in international agreements; see below) | No UK equivalent. UK will treat as SECRET[10] | UK will treat as SECRET | UK will treat as TOP SECRET |
| Sharing Information: Author/owner or recipient to determine. | Sharing: HMG recipient to determine on a clear ‘need to know’ basis. External organisations to seek HMG authority to share. | Sharing Info: No change | Sharing Info: No change | No Change |
| Remote working: User to determine but ensure information cannot be overlooked. | Remote working: Not permitted unless suitably configured devices/services are used; essential that information cannot be overlooked. | | | |
| IT Transmission of Information: User discretion but in most circumstances HMG approved IT systems / devices. | Transmission: Mandatory HMG approved IT systems / devices. | Transmission of Information: Legacy[11] ‘CONFIDENTIAL’ system or Tier Two IT system mandated. | HMG approved IT systems / devices for Tier Two mandated. | HMG approved IT systems / devices for Tier Three mandated. |
| Storage: User discretion but in most circumstances, HMG approved IT systems / devices, or physical ‘standard’ lock & key. | Storage: HMG approved IT systems / devices, or physical ‘standard’ lock & key. | Storage: Legacy ‘CONFIDENTIAL’ IT system or Tier Two system mandated. Legacy Phys Sy measures moving to Tier Two as soon as practicable. | HMG approved IT systems / devices for Tier Two mandated. | HMG approved IT systems / devices for Tier Three mandated. |

-----------------------

[1] The majority of routine HMG business will be conducted in this space. The aim is for all Tier 1 HMG IT to have Foundation Grade Encryption (or a suitable alternative control) and to allow considerably more remote working and use of additional mobile IT devices.

[2] The majority of routine HMG business will be conducted in this space. The aim is for all Tier 1 HMG IT to have Foundation Grade Encryption (or a suitable alternative control) and to allow considerably more remote working and use of additional mobile IT devices.

[3] Eg: UK EYES ONLY, FIVE EYES, UK/US EYES ONLY etc

[4] OFFICIAL-SENSITIVE PERSONAL: Information which MOD has a legal duty to protect under the Data Protection Act. Note: this does not mean that every individual piece of personal data is SENSITIVE. See GSC FAQ 3.

[5] OFFICIAL-SENSITIVE COMMERCIAL: Information which is SENSITIVE and can only be shared with appropriate contract companies under HMG contracting policies or legal requirement.

[6] The document circulation is limited to that described in the ‘distribution list’ and the document must be ‘locked down’ within a controlled ‘team site’ or ‘file folder’.

[7] The majority of routine HMG business will be conducted in this space. The aim is for all Tier 1 HMG IT to have Foundation Grade Encryption (or a suitable alternative control) and to allow considerably more remote working and use of additional mobile IT devices.

[8] Legacy IT systems accredited for CONFIDENTIAL are to be reassessed in line with CIO policy.

[9] The majority of routine HMG business will be conducted in this space. The aim is for all Tier 1 HMG IT to have Foundation Grade Encryption (or a suitable alternative control) and to allow considerably more remote working and use of additional mobile IT devices.

[10] When the UK receives a CONFIDENTIAL document from an international partner it may need to be dual marked, e.g. UK SECRET / NATO CONFIDENTIAL, so that we do not confuse our partners by sending back a document which they may interpret as INTERNATIONAL SECRET when it is in fact only INTERNATIONAL CONFIDENTIAL.

[11] Legacy IT systems accredited for CONFIDENTIAL are to be reassessed in line with CIO policy.
