Risk of ‘Data Dumping’ During Transition to Government Security Classifications Policy (GSCP)

Public and private sectors yet to embrace data reclassification and reap the benefits of risk management reform states Auriga

Online PR News – 06-August-2013 – London, UK – 5 August, 2013 – Auriga Consulting Ltd (Auriga), the expert data, ICT and security consultancy, today warned that public and private sector organisations could resort to reclassification in haste, or ‘data dumping’, in a bid to comply with the new new Government Security Classifications Policy (GSCP). Central Government and their private sector suppliers have just nine months to transition from using the current six tiers of protective markings to three. Although the new system promises to simplify classification, the process could prove painful in the short term as organisations reevaluate data, assign categories and adjust their risk management posture.

The GSCP forms part of the Civil Service Reform Plan published in June 2012 which includes provisions for the simplification of security classifications and their risk-informed application. The current Government Protective Marking System (GPMS) will be superseded by GSCP, with the six tiers of TOP SECRET, SECRET, CONFIDENTIAL, RESTRICTED, PROTECT and UNCLASSIFIED being replaced by three: TOP SECRET, SECRET and OFFICIAL. The GSCP aims to reduce the complexity of data classification for government Departments, Agencies and their private sector suppliers. Finalised by Francis Maude, Minister for the Cabinet Office, in December 2012 with an anticipated launch of summer 2013, the new classifications policy gives organisations less than a year to complete transition planning before the go-live date of April 2014.

Transition to GSCP is further complicated by an overreliance on existing protective markings which has seen the six tiers used as the basis for the formulation of Departmental risk management policy. Government Departments and Agencies that have used the current protective marking system to direct risk management processes will no longer be able to rely on this for OFFICIAL assets, which will not be labeled by default. A taxonomy will need to be put in place to help direct the underpinning risk management processes and create a more informed risk-driven approach to management. However, data-type alone will not be enough for Departments to employ an appropriate approach to risk management; consideration will also have to be given to, for example, business objectives, legal obligations, and social remit or operational requirements in order to provide the necessary context to support a truly informed risk-driven approach to management.

The GSCP presents a real opportunity for Government Departments, Agencies and their private sector suppliers. “A data classification system should be an integral aspect of any organisation’s data lifecycle processes, with the approach to risk management, and the necessary level of assurance, shaped by the characteristics of each classification. The GSCP can help Departments and Agencies realise the business and security benefits of this, but only if data classification is well thought-through, effectively integrated with the organisation’s data lifecycle processes, and not done in haste,” said Geoff Eden, Subject Matter Expert, Auriga.

“Departmental planning will have to be meticulous where possible and involve substantial business and process change in order to realise more effective working practices and the required cultural change and reform that the policy is hoping to deliver. That takes time and patience but GSCP is essentially a form of transition and change management. Transition, transformation and change management are a key part of what we do under our ShieldACL offering. We have engaged GSCP experts involved in the initial development of the new classifications policy and they, together with our complementary team of CLAS and CESG Certified Professional (CCP) consultants, Business Analysts and Technical Architects, are able to advise upon transition planning, assist with transitioning and provide effective risk-informed implementation,” said Louise T. Dunne, Managing Director, Auriga.

About Auriga
Auriga Consulting Ltd (Auriga) is an expert consultancy specialising in Data Management, Information Assurance, Corporate Governance, Business Process Modelling, Analysis, ICT and Security. We advocate data as the most valuable part of your business and combine superior security and assurance knowledge with a wealth of business management consultancy and efficiency skills. Using a unique set of methodologies we embed security by overlaying it onto business process and analysing data.

Auriga reported a turnover of more than £1million in its first full year of trading, cementing its reputation as one of the most dynamic and versatile solutions providers in the marketplace today. We have worked on some of the most demanding projects in the UK for customers from the public and private sectors, advising upon the architectures and business processes adopted for the G-Cloud project, NHS and social services databases, and leading the BSi’s largest audited UK organisation successfully through ISO 27001. To find out more, please go to www.aurigaconsulting.com or follow us on Twitter @AurigaConsult.