GPMS Review – Work in progress

The following is an initial collation of comments, feedback and questions from the PSNGB Security Committee on the changes to the GPMS scheme. Further feedback will be provided in due course.

Shared Services

Industry has invested significantly in developing services for the Public Sector. Consideration is needed for how those services will be assured under the new scheme, and for their ability to support the controls of both marking schemes during transition. Service providers may need to operate IL2, IL3 and OFFICIAL as separate shared services, and then run down the IL2 and IL3 services as customers transition to the new scheme.

The PSNGB is concerned that the adoption of different technical controls by different organisations could lead to HMG organisations being less willing to share information with one another, as they will be unsure what protections will be applied to it. While this has a direct impact on HMG efficiency (presumably an accepted consequence of the policy), it might also undermine the use of shared services, because the data separation measures in those shared services are designed on the assumption that all customers have broadly the same level of technical controls.

Accreditation

It is understood that the objective of the new GPMS scheme is to save money, and that PSN is intended both to save money and to improve the ability to share business information between public sector organisations (central government, local government, blue light services etc.). Given this, it is recommended that already accredited services are not re-accredited against the new GPMS solely because of the change, as this will cost money. Such re-accreditation should instead take place at natural points in the lifecycle of existing systems.

Education – Civil Servants & Industry

In the changed system there is a far stronger emphasis on the personal responsibility of every civil servant to determine the sensitivity of any information they come across in the course of their work and to apply the appropriate handling. This rests in part on the basis that civil servants will be fully aware of their business context. However, support staff will also come into contact with HMG information in the course of their duties, and will have little knowledge of the business context of that information.

For instance, IT support staff may be asked why a particular document does not load correctly in an editor; they will need a copy of the document for analysis, but will have no sense at all of the business value of its contents. Access may even be needed without the direct involvement of a civil servant, e.g. during problem solving. Without a granular protective marking system, and without business context, support team members have only one safe option if they are not to risk mishandling: treating all such information as being at the top end of the OFFICIAL spectrum of sensitivities. This could lead to considerable inefficiencies, and the resulting costs to HMG.

Personal Responsibilities

There is a great deal of emphasis on personal responsibility in making decisions about the classification of data. Education, training and awareness materials are therefore crucial. It has been mooted that the Cabinet Office is producing a set of eLearning materials and that other OGDs will use these as a base to develop and customise their own. The scheme assumes that *every* individual civil servant is truly capable of correctly assessing the sensitivity of every piece of government data they come across (including material sent to them by mistake) and then acting on that assessment appropriately. It would only take a small percentage of the civil service to be incapable of this to invalidate the approach.

Risk of over-classification

There is a risk that HMG agencies could over-classify their data. For example, an organisation such as the MOD, which holds large amounts of information at SECRET (albeit alongside much CONFIDENTIAL and RESTRICTED data), could issue a blanket statement that all of its data is to be classified at SECRET, saving itself huge cost and effort. This may be a small risk, but any move in this direction would have huge time and cost impacts upon service providers.

Police forces are an area that needs careful consideration: a number of forces are indicating that they believe they would need to operate in the SECRET tier. This would introduce an additional level of challenge and cost for service providers, which would translate into additional cost for the police forces themselves. If police forces and similar organisations move to SECRET, there is a danger of limiting the ability of SMEs and other service providers to operate in this market, reducing the number of suppliers able to offer the service, which conflicts with the government strategy of engaging a wider range of suppliers.

Erring on the side of caution will push organisations towards classifying everything as OFFICIAL-SENSITIVE.

Timeline and supporting both marking schemes

Adoption is supposed to happen across government at more or less the same time. It is suspected that some departments will be unable to move properly to the new GPMS for some time, because their contracts are of fixed term and the cost of making the transition mid-contract will be too high.

Service providers may therefore need to support a mixed environment in which some public sector organisations have moved to the new protective marking scheme while others remain on the old one. This will introduce significant additional cost for service providers, which will result in additional cost for our customers.

Marking of Data

There is no clear mapping from the old scheme to the new, so sharing infrastructure between OFFICIAL and RESTRICTED (in particular) may be difficult, as the risk appetites are different. This may be manageable where there is a clear boundary between a single customer and a service, but it is likely to be overly complex where multiple customers are intended to share an infrastructure or service and some of them are on OFFICIAL while others remain on RESTRICTED.

Given the advice that there will be no requirement to re-mark existing protectively marked data to align with the new GPMS, the reality is that most departments will need to run the old and new schemes in tandem for the next 10 to 20 years. This will have implications for the systems and services they use and for the training needs of their staff.

Given the advice that information shared outside the departmental boundary (although what constitutes a department is not defined) should be given a new GPMS marking prior to sharing, there is a likely impact on costs. Without a direct mapping from old scheme markings to new scheme markings this re-marking cannot be automated, although some areas are already asking about label value translation capabilities. Without automation this will place a significant burden on staff, and will lead to multiple copies of the same information being held under old and new markings, with the associated storage cost implications.

Without mandatory minimum standards of protection that are defined and applied to OFFICIAL data, many organisations will probably wall off their data, because they will be unable to have confidence that other organisations able to access it over PSN have not taken greater IA risks with that data than the originator finds acceptable. This will work against the business information sharing driver.

Minimum Standards

Conversely, the application of mandatory minimum standards of protection may significantly raise costs for some organisations (e.g. those that have traditionally operated at IL0).

Observations on commercial good practice and commercial best practice for Cyber Security

  1. There is no uniformly agreed standard of what constitutes either good or best practice. This varies between industries and between organisations of different sizes within a given industry sector. Good practice for a Tier 1 supplier is likely to be very different from that for an SME. This is driven partly by cost and partly by the level of understanding of threats and of appropriate security measures. Organisations that lack expertise often think that anti-virus software is all they need to protect them, despite the fact that even the vendors are now saying it is not (see the recent comments on the hacking of the New York Times).
  2. What constitutes good practice for one organisation may be overly onerous for another. This is driven partly by the business need being supported: DWP has a need to interact with the majority of citizens, the MOD does not; the NHS holds massive amounts of sensitive personally identifiable information, whereas the Environment Agency probably does not. Attackers do not care. They will come at you through the weakest link they can find. Hence a greater risk appetite in one part of the PSN user base may have a significant impact on more conservative (from an IA risk perspective) PSN users, unless suitable information sharing control measures are available and applied.

Additional specific questions

  1. Please define what is meant by “dataset”.
  2. Please define what is meant by “sensitive” in principle three.
  3. The definitions of the three classifications should be at the beginning of the document, rather than in the middle.
  4. Examples of the additional controls required for handling aggregated information or OFFICIAL-SENSITIVE data would help service providers to anticipate potential requirements from customers.
  5. The current documentation does not give service providers sufficient information regarding their obligations to support the scheme. There are some implicit requirements, but these need to be made more explicit and more detailed.
  6. At present, service providers are not allowed access to some of the supporting documentation, e.g. the CESG GPGs. This makes it extremely difficult for us to ensure that we meet all of the guidelines.
Admin - February 18, 2013