The annual IA (Information Assurance) Practitioners’ Event was held at York Racecourse over the 6 – 7 March. This was the 3rd year for the event, which provides updates, discussions and workshops on IA and ‘Cyber Security’ matters for IA professionals at a practical level.
The two day event included a busy agenda with back to back presentations, workshops and Q&A sessions, as well as the opportunity to find out more about what the event sponsors and other vendors had to offer.
From the numerous presentations, 2 topics have been chosen here for a very brief review and to push the messages further:
- The Government Protective Marking Scheme (GPMS).
- 10 Steps to Cyber Security.
The Government Protective Marking Scheme (GPMS).
The over-riding principles of Information Risk Management (IRM) don’t change but the details certainly do.
In the next few weeks, we will hear more about the way that the government is classifying its information and assets (the Government Protective Marking Scheme) â€” something that will have a direct impact on accreditation of the Public Services Network (PSN) and G-Cloud services.
The new GPMS
The big news is that the way in which the government classifies its information and assets is changing.
The “old way” used the Government Protective Marking Scheme (GPMS) and had six levels â€” Unclassified, Protect, Restricted, Confidential, Secret and Top Secret.
The new system has just three levels â€” Official, Secret and Top Secret. Official assets of a particularly sensitive nature will be classified as Official-Sensitive.
As the new approach has yet to go live, its name has not been finalised. At the moment, we’re talking about “the New GPMS” as well as “The Government Classification Policy” but there should be more clarity when the Cabinet Office announces a go-live date very soon.
We should be under no illusion that the change from the GPMS will be easy â€” it should not be underestimated by any organisation that works with government.
Particular areas of concern and potential confusion for many organisations will be the effect of the new scheme on how the accreditation of the Public Services Network (PSN) and G-Cloud services are managed. To date, these have been provided at Protect (IL2), Restricted (IL3) and Confidential (IL4) for confidentiality. Understanding what technical controls will be appropriate in the official space for PSN and G-Cloud will be part of the initial challenges. The latest views on the new scheme from the PSNGB can be found at GPMS Review .
10 steps to cyber security
The event also saw a presentation of a new guide â€” the 10 Steps to Cyber Security â€” part of the Cyber Security Guidance for Business, produced jointly by GCHQ, BIS (Department for Business Innovation & Skills) and CPNI (Centre for the Protection of National Infrastructure). You can read it at 10 Steps and there is also an accompanying Executive Companion .
One of the delegates asked a very interesting question at this session â€” should a business choose to follow some of the steps and do them well or is it better to follow all of the steps but in less detail?
Some interesting discussion followed and it resulted in the not unsurprising answer of “It depends”! And that’s simply because every business is different â€” there is no one-size-fits-all approach. That said, it was agreed that the most important step for businesses is to have an Information Risk Management regime â€” enabling them to make informed decisions on how to manage risk effectively and efficiently.
The 10 Steps to Cyber Security guide is certainly recommended reading. It provides excellent advice and offers a firm footing from which organisations can start to get the basics right.
Bert Curtin is Senior Information Assurance Consultant at Ascentor.
For more information on changes to the Government Protective Marking Scheme and its impact on GCloud and PSN, sign up to our newsletter â€” we will be explaining the latest developments as they happen.
Looking for support for your G-Cloud project?Find out how we can help
Do you need an Information Risk Health Check ?
Other articles by Bert Curtin