Government Security Classifications Policy


The Government Security Classifications Policy (GSCP) is a new system for classifying sensitive government data in the United Kingdom.

Historically, the Government Protective Marking Scheme was used by government bodies in the UK; it divided data into UNCLASSIFIED, PROTECT, RESTRICTED, CONFIDENTIAL, SECRET and TOP SECRET. This system was designed for paper-based records; it is not easily adapted to modern government work and is not widely understood.

The GSCP uses three levels of classification: OFFICIAL, SECRET and TOP SECRET. This is simpler than the old model and there is no direct relationship between the old and new classifications. "Unclassified" is deliberately omitted from the new model. Government bodies are not expected to automatically re-mark existing data, so there may be cases where organisations working under the new system still handle some data marked according to the old system.

Information Asset Owners continue to be responsible for information. The new policy does not specify particular IT security requirements - IT systems should be built and used in accordance with existing guidance from CESG.

Everybody who works with government - including contractors and suppliers - is responsible for protecting information they work with, regardless of whether it has a protective marking.

Aggregation does not automatically trigger an increase in protective marking. For instance, a database with thousands of records which are individually OFFICIAL should not be relabelled as a SECRET database. Instead, information owners are expected to make decisions about controls based on a risk assessment, and should consider what the aggregated information is, who needs to access it, and how.

OFFICIAL includes most public-sector data, including a wide range of information on day-to-day government business. It is not subject to any special risks. Personal data would usually be OFFICIAL. The data should be protected by controls based on commercial best practice instead of expensive, difficult specialist technology and bureaucracy. There is no requirement to mark every document as "OFFICIAL" - it is understood that this is the default for government documents.

