[4] The data should be protected by controls based on commercial best practice instead of expensive, difficult specialist technology and bureaucracy.
The threat model for OFFICIAL data is similar to typical large private-sector organisations; it anticipates that individual hackers, pressure groups, criminals, and investigative journalists might attempt to get information.
This requires an extremely high level of protection, and controls are expected to be similar to those used on existing "Top Secret" data, including CESG-approved products.
In addition to a paragraph near the start of the document, special handling instructions include Descriptors, Codewords, Prefixes and national caveats.
[2] A DESCRIPTOR is used with the security classification to identify certain categories of sensitive information and indicates the need for common sense precautions to limit access.
[2] Example: With the exception of British Embassies and Diplomatic Missions or Service units or establishments, assets bearing the UK EYES ONLY national caveat are not sent overseas.
Unlike the old model it replaces, however, the GSCP does not consider the consequence of a compromise as the primary factor, but instead is based on the capability and motivation of potential threat actors (attackers) and the acceptability of that risk to the business.
The implication of this approach, and the binary nature of determining whether a risk from capable and motivated attackers is acceptable or not, is that data cannot easily progress through the GSCP in a linear fashion as it did through GPMS.
By contrast, GSCP data starts with either an OFFICIAL or a SECRET classification depending on the nature of the threat and its acceptability to the business, and thereafter moves up or down accordingly based on the consequence of compromise.
It is therefore no longer strictly the case that the greater the consequences if the data confidentiality were to be compromised, the higher the classification, since data with a high impact (including material which could result in threat to life) may still be classified as OFFICIAL if the relevant business owner believes it is not necessary to protect this from an attacker who has the capabilities of a Foreign Intelligence Service or Serious and Organised Crime.
Conversely some data with much lower consequences (for example ongoing Police investigations into a criminal group, or intelligence information relating to possible prosecutions) but where the business will not accept compromise from such an attacker could be classified as SECRET.
The NAO report "Protecting Information across Government" (Sep 2016) was somewhat critical of the move to this model and the adoption of GSCP overall.[10] Existing published guidance continues to suggest that storage media which hold UK government data should still be destroyed or purged according to HMG IA Policy No. 5; however, terminology in this guidance and other material has not been updated fully to reflect the changes from GPMS protective markings to GSCP classifications, and as such its value is now arguably somewhat reduced as a published standard.
The Government Security Classifications Policy was completed and published in December 2012; additional guidance and supporting processes were developed over time.