Dr Andrew Rogoyski, Vice President Cyber Security Services, CGI UK, talks about how to manage your organisation's valuable and sensitive data securely.
Ask any CEO what is top of their worry list and, after the immediacy of the next quarter's sales and profits, the chances are the topic will be cyber security. Hardly a day goes by without some high profile cyber breach making the front page of the daily press. Organisations are becoming increasingly digital and, as a result, are commensurately more vulnerable than ever before to attacks upon that digital infrastructure.
Whilst awareness of cyber threats is growing, defensive solutions are getting more advanced and incident response is becoming a well-honed art, there remains at the heart of cyber security one core problem: culture change.
Although cyber security training and awareness-raising activities are increasingly widespread, what is missing is everyday use of security principles that can be applied by everyone within an organisation, thereby turning them into a real and highly motivated ‘first line of defence’. This is where BS10010 comes in.
BS10010 is a new specification that establishes best practice for information classification, marking and handling (ICMH). At its heart is the belief that once people start to think about the sensitivity of the information they create and use, on an everyday basis, they will start to understand and apply better behaviours, processes and systems to protect that information on behalf of their organisation. Cyber security will improve. The elusive desire to create security culture change will be driven by simple everyday acts to secure information.
At its simplest BS10010 sets out some basic stages that guide organisations to take better care of valuable ‘information assets’.
It starts with classification, the most important stage where people who create and use information assets, whether they be handwritten letters, documents, emails or web pages, have a process to guide their assessment of how sensitive the asset is.
Then a marking scheme is suggested, to ensure that it is immediately obvious to all users of an asset what the classification of the item is.
Finally, a handling scheme, to ensure that people know what precautions to take when using the asset, including how and when to dispose of it. Of course there are further subtleties, many of which are explored in the standard.
One of the most far-reaching consequences of BS10010 – something intrinsic to its design – is the idea that different organisations that use BS10010 will create ‘equivalences’ between their own in-house schemes. This means that when sensitive information is shared, the owner and the recipient both have a clear idea about how sensitive an asset is and will treat it in the same way, even if one company marks its most sensitive information as ‘red confidential’ and another as ‘company secret’.
This means that the use of ICMH schemes should almost self-propagate, as customers demand confirmation from their suppliers that their information is well cared for, flowing down through the supply chain to the smallest of businesses who themselves then benefit equally.
Implementing BS10010 may, or may not, be as straightforward as it first seems. An organisation needs to understand what information is important to it and what information it is prepared to share, both within the organisation and externally. As a result of gaining this understanding, it might want to better control where this important information resides and restrict who has access to it.
It might want to introduce systems to automate how assets are handled, for example ensuring that confidential emails cannot be sent outside the organisation without a formal check or that very sensitive documents can only be copied or printed in certain circumstances and/or certain places.
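The two ideas above, equivalences between in-house marking schemes and an automated handling check on outbound email, can be shown together in a small policy engine. This is an added illustration, not text from BS10010 and not CGI code; the organisation names, domains and all markings other than ‘red confidential’ and ‘company secret’ are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    """Shared sensitivity scale that each in-house scheme is mapped onto."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3

# Equivalence tables: each organisation's own markings keyed to the shared scale.
# 'red confidential' and 'company secret' come from the article; the rest are constructed.
EQUIVALENCES = {
    "acme": {"open": Level.PUBLIC, "staff only": Level.INTERNAL,
             "amber": Level.CONFIDENTIAL, "red confidential": Level.SECRET},
    "globex": {"public": Level.PUBLIC, "internal": Level.INTERNAL,
               "restricted": Level.CONFIDENTIAL, "company secret": Level.SECRET},
}
HOME_DOMAIN = {"acme": "acme.example", "globex": "globex.example"}  # constructed

def normalise(org: str, marking: str) -> Level:
    """Map an in-house marking to the shared scale; an unknown marking is an error, never 'public'."""
    try:
        return EQUIVALENCES[org][marking.strip().lower()]
    except KeyError:
        raise ValueError(f"no equivalence for {marking!r} at {org}") from None

def translate(src_org: str, marking: str, dst_org: str) -> str:
    """Re-mark a received asset under the recipient's scheme at the same sensitivity."""
    level = normalise(src_org, marking)
    return next(m for m, lv in EQUIVALENCES[dst_org].items() if lv == level)

@dataclass
class Email:
    sender_org: str
    marking: str
    recipients: list[str]
    approved: bool = False  # set once the 'formal check' has been recorded

def check_outbound(mail: Email) -> str:
    """Handling rule for mail leaving the organisation: 'allow', 'hold' (needs a check) or 'block'."""
    level = normalise(mail.sender_org, mail.marking)
    home = "@" + HOME_DOMAIN[mail.sender_org]
    if all(r.lower().endswith(home) for r in mail.recipients) or level <= Level.INTERNAL:
        return "allow"  # stays in-house, or is not sensitive enough to gate
    if level == Level.CONFIDENTIAL:
        return "allow" if mail.approved else "hold"  # external copy needs the formal check
    return "block"  # the most sensitive marking never leaves by email, checked or not
```

The same table drives both directions: a recipient re-marks what it receives under its own scheme, and the sender's gateway decides handling from the shared level rather than from the label text.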
There are a multitude of things to think about and options to explore. What can be said is that implementing an ICMH system, using BS10010 as guidance, will, over time, create a more aware and more secure organisation because everyone will play a part and everyone will be reminded on a daily basis that keeping information secure is intrinsic to their job and to the future prosperity of their organisation.
Offerings and Services in Support of BS10010
The list below starts to explore some of the specific activities that might be undertaken in support of implementing an ICMH system (and dealing with the consequences of doing so):
- ICMH Audit. Assessing whether an organisation’s ICMH system meets the design aims of BS10010 and can therefore be considered to have a compliant system in place, or amending it if not.
- ICMH Maturity. Understanding the organisation’s current maturity in how it treats sensitive information. Examining an organisation’s existing ICMH systems and checking whether they are adequate and effective. Measuring an organisation’s ICMH maturity against industry norms and defining a roadmap for improvements.
- Security Risk Assessment. Understanding the security context of an organisation so that assessment of information sensitivity is undertaken in a context that recognises the threats to a business or organisation.
- ICMH Automation. The selection and use of systems that automate all or parts of the information asset lifecycle, from creation to sharing and eventual destruction.
- Training and Awareness. Ensuring that all members in an organisation understand the importance and the processes of classifying, marking and handling the information assets they use every day.
- Compliance Management. Facilitating the delivery of the formal legal and regulatory obligations (such as GDPR) that an increasing number of organisations have to protect, disclose, retain or destroy specific information assets, according to industry sector, geographic location, customers and suppliers, and so on.
- Digital Strategy. Understanding how introducing IT systems can transform a business, focusing on the pieces of information that provide business advantage, learning how they are identified and protected, choosing the most appropriate platforms to enable the strategy (e.g. cloud), exploring how integrity of important data can be maintained, ensuring that organisations are resilient to disruption, amongst many other themes.
- and so on…
It is also probable that the existence of BS10010 will itself materially facilitate the development of new, functionally richer, automation products that in turn facilitate ICMH adoption.
Dr Andrew Rogoyski, Vice President Cyber Security Services, CGI UK
Andrew currently leads CGI’s cyber security business, joining in 2013 following an extended secondment to the Cabinet Office’s Office of Cyber Security and Information Assurance. At OCSIA, Andrew supported UKTI in the promotion of the UK’s cyber companies overseas and authored the UK’s Cyber Export Strategy, a technology review for the National Cyber Strategy, and guidance on export controls for cyber.