‘Information Security’ and ‘Protective Marking’ – two sides of the same coin
I enjoyed reading The Black Door on a recent vacation. Written by Richard Aldrich and Rory Cormac, it is the story of spies, secret intelligence and British Prime Ministers from 1908 to 2017. Many of the themes in the book mirror those in any organisation, such as defining who is an ‘expert’ in a particular area, and how to bring together and assess sources of information and knowledge from a wide range of organisations, each with their own reasons for taking a particular line on a topic because of corporate interests. Today marks the first anniversary of the publication of the Chilcot Inquiry into the involvement of the UK Government in the Iraq war and in particular the dossier on the existence (or non-existence, as it turned out) of Weapons of Mass Destruction. This of course highlights the issue of information quality, as a substantial element of the dossier was plagiarised from publicly available material. Another theme of the book is the extent to which supposedly secret documents end up being made public, and not just by Edward Snowden.
Recent ransomware attacks have highlighted the need for IT teams to ensure that corporate systems are safe from external threats and also to ensure that information held by the organisation is not transmitted digitally to unauthorised people outside the organisation. There is also a need to ensure that, internally, employees cannot gain digital access to information that they do not have permission to see. An important feature of a search application is ensuring that employees cannot gain access to limited-circulation information, whether through the documents it returns or through the titles and snippets it shows.
I have added the word ‘digitally’ in the above paragraph because information can easily be circulated in paper format once it has been downloaded. This is where protective marking becomes so important, as it should ensure that every document or data item is visibly tagged in a way that leaves no dispute about the permitted readership of the document. Protective marking schemes should be set out in a corporate information security policy (ideally compliant with ISO 27001), but the question then is who decides on the circulation of a document. (NB I’m using ‘document’ in a generic way.) The critical issue is whether the labelling on the document defines unambiguously who has access to the information. Role-based labelling (“Heads of HR”) is of no value. Someone may be the local manager for HR and so regard themselves as Head of HR in the office, but that is almost certainly not the readership that the author envisaged.
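To make the two points above concrete, here is an added example (not code from the post or from any product) of how a search application can enforce protective markings. It assumes a constructed three-level marking scheme, a constructed directory of user and group identifiers, and a handful of constructed documents. The marking check refuses any readership label that does not resolve to a known principal, which is what rules out a description such as “Heads of HR”; the search filters on the marking before matching text, so a user who is cleared to the right level but not named in the readership (the local HR manager of the paragraph above) neither sees the document nor learns that it exists.

```python
"""Search-time enforcement of protective markings.

Added illustrative example; not code from the post or from any product.
Marking levels, directory entries, documents and principals are all
constructed for this example.
"""
from dataclasses import dataclass

# Ordered marking levels, constructed for this example (a real scheme would
# use the tiers defined in the organisation's information security policy).
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "RESTRICTED": 2}

# Constructed directory: the only identifiers a marking may name as readers.
# Role descriptions such as "Heads of HR" are deliberately not in it.
DIRECTORY = {"user:alice", "user:bob", "user:carol",
             "grp:hr-leadership", "grp:hr-regional"}


class MarkingError(ValueError):
    """Raised when a marking does not define its readership unambiguously."""


@dataclass(frozen=True)
class Marking:
    level: str
    readers: frozenset  # explicit user/group ids; empty means the level alone decides


@dataclass(frozen=True)
class Document:
    doc_id: str
    title: str
    body: str
    marking: Marking


@dataclass(frozen=True)
class Principal:
    user_id: str
    clearance: str
    groups: frozenset


def make_marking(level, readers=()):
    """Build a marking, refusing any readership label that does not resolve
    to a known principal. This is the check that rejects 'Heads of HR'."""
    if level not in LEVELS:
        raise MarkingError(f"unknown marking level {level!r}")
    unknown = [r for r in readers if r not in DIRECTORY]
    if unknown:
        raise MarkingError(f"readership does not resolve to principals: {unknown}")
    return Marking(level, frozenset(readers))


def marking_is_valid(level, readers=()):
    """Convenience wrapper: True if make_marking accepts the label set."""
    try:
        make_marking(level, readers)
        return True
    except MarkingError:
        return False


def can_read(principal, doc):
    """A reader needs sufficient clearance AND, if the marking names readers,
    must be one of them directly or through group membership."""
    marking = doc.marking
    if LEVELS[principal.clearance] < LEVELS[marking.level]:
        return False
    if marking.readers:
        return principal.user_id in marking.readers or bool(principal.groups & marking.readers)
    return True


class SearchIndex:
    def __init__(self):
        self._docs = []

    def add(self, doc):
        self._docs.append(doc)

    def search(self, principal, term):
        """Return ids of matching documents the principal may read.
        The marking filter runs before the text match, so probing for terms
        cannot reveal that a limited-circulation document exists."""
        term = term.lower()
        return [d.doc_id for d in self._docs
                if can_read(principal, d)
                and (term in d.title.lower() or term in d.body.lower())]


def build_index():
    """Constructed sample corpus: one document per marking level."""
    idx = SearchIndex()
    idx.add(Document("d1", "Staff newsletter", "Summer social and salary survey results",
                     make_marking("PUBLIC")))
    idx.add(Document("d2", "Office memo", "Salary review timetable for all staff",
                     make_marking("INTERNAL")))
    idx.add(Document("d3", "HR leadership pack", "Proposed salary freeze, not for circulation",
                     make_marking("RESTRICTED", ["grp:hr-leadership"])))
    return idx


# Constructed principals. Bob is cleared to RESTRICTED but is a regional HR
# manager, not a named reader of the leadership pack.
ALICE = Principal("user:alice", "RESTRICTED", frozenset({"grp:hr-leadership"}))
BOB = Principal("user:bob", "RESTRICTED", frozenset({"grp:hr-regional"}))
CAROL = Principal("user:carol", "PUBLIC", frozenset())


def demo(term="salary"):
    """Run the same query as each principal and return who sees what."""
    idx = build_index()
    return {p.user_id: idx.search(p, term) for p in (ALICE, BOB, CAROL)}


if __name__ == "__main__":
    print(demo())
    print("'Heads of HR' accepted as readership:", marking_is_valid("RESTRICTED", ["Heads of HR"]))
```

Running it shows Alice retrieving all three documents, Bob only the public and internal ones despite his clearance, and Carol only the newsletter; the attempt to mark a document for “Heads of HR” is refused at marking time rather than being left for someone to interpret at access time.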
A good starting point for understanding the scope of a protective marking scheme is the UK Government policy document, especially as many public sector organisations in the UK base their own policies on it. This document also sets out how ‘paper’ versions of documents should be managed from a protective marking perspective. The current policy dates from April 2014. In addition, there is a very good overview document on government information security management published in 2016 by the National Audit Office.
The point I want to make is that seeing information security only as a digital asset management topic owned by IT is to totally miss the point. Printed, or printed-out, information in the wrong hands can do damage that is not only embarrassing but also very difficult to trace: the route by which the information broke out of its cage is hard to pin down, and the cage is often no stronger than an attachment to an email that says ‘Keep this to yourself’. As with so many aspects of the digital workplace, policies have to be developed, implemented and reviewed as a combined effort of IT and the business. How quickly can you find the current version of your organisation’s protective marking policy?