Review of Information Classification, Labelling and Handling Guidelines
Records Managers’ Forum
27 November 2019
Information classification, labelling and handling
Information compromise
• Loss
• Misuse
• Interference
• Unauthorised access
• Unauthorised modification
• Unauthorised disclosure
NSW Cyber security policy
3.3 Classify information and systems according to their importance (i.e. the impact of loss of confidentiality, integrity or availability), and
• assign ownership
• implement controls according to their classification and relevant laws and regulations
• Identify the Agency’s “crown jewels” and report them to Cyber Security NSW as per mandatory requirement 5.3.
Why Review? Change to the Australian Government System
The Protective Security Policy Framework
NSW Government Information Classification, Labelling and Handling Guidelines
https://www.protectivesecurity.gov.au/sites/default/files/2019-11/pspf-infosec-08-sensitive-classified-information.pdf
Changes to Sensitive and security classified information
What are the changes? Dissemination Limiting Markers (DLMs)
From (DLM):
• For Official Use Only
• Sensitive
• Sensitive: Personal
• Sensitive: Legal
• Sensitive: Cabinet*
To (DLM):
• OFFICIAL: Sensitive
To (IMM, optional):
• Legal Privilege
• Legislative secrecy
• Personal privacy
* Caveat
NSW – Dissemination Limiting Markers
DLM, from → to:
• For Official Use Only → OFFICIAL: Sensitive
• Sensitive → OFFICIAL: Sensitive
• Sensitive: Personal → OFFICIAL: Sensitive – Personal
• Sensitive: Legal → OFFICIAL: Sensitive – Legal
• Sensitive: Cabinet → No longer a DLM, now a caveat
• Sensitive: NSW Government → OFFICIAL: Sensitive – NSW Government
• Sensitive: NSW Cabinet → OFFICIAL: Sensitive – NSW Cabinet
• Sensitive: Law Enforcement → OFFICIAL: Sensitive – Law Enforcement
• Sensitive: Health Information → OFFICIAL: Sensitive – Health Information
Other changes – Security classifications
Security Classification, from → to:
• TOP SECRET → TOP SECRET
• SECRET → SECRET
• CONFIDENTIAL → Removed*
• PROTECTED → PROTECTED
*Consider the harm and apply corresponding security classification marking
Other changes – Other markings
Other marking (Optional), from → to:
• UNCLASSIFIED → OFFICIAL
• UNOFFICIAL* → UNOFFICIAL
*Not currently used in NSW
Overview – proposed application of changes in NSW
Security Classification:
• TOP SECRET
• SECRET
• PROTECTED
DLM:
• OFFICIAL: Sensitive
• OFFICIAL: Sensitive – Personal
• OFFICIAL: Sensitive – Legal
• OFFICIAL: Sensitive – NSW Government
• OFFICIAL: Sensitive – NSW Cabinet
• OFFICIAL: Sensitive – Law Enforcement
• OFFICIAL: Sensitive – Health Information
Other markings (Optional):
• OFFICIAL
• UNOFFICIAL
Caveat:
• Cabinet
Assessing information sensitivity or security classification
• The Business Impact Levels are aligned with the protective markings, making them easier to apply.
[Figure panels: Now, Before]
Handling sensitive and security classified information
NSW – current guidelines, DLMs:
• Protective markings
• Access
• Use
• Storage
• Carry
• Transfer
• Transmit
• Official travel
• Disposal
NSW – current guidelines, Security Classification:
• Preparation and handling
• Removal and auditing
• Copying, storage and destruction
• Physical transfer
PSPF, DLMs/Security Classification:
• Creation and storage
• Dissemination and use
• Archiving and disposal
Next steps
Consult with Working Group about:
• Security classifications (PROTECTED and above)
• Handling guidelines for DLMs and Security Classifications
• email Protective Marking Standard
• Resources
• an electronic training module
• a user-friendly, web-based app
• a ‘memory jogger’ reference document that summarises the key points of the Guidelines
• Other suggestions welcome
• Timeframe and costs for implementation
Approvals
• Obtain endorsement of Guidelines from ICT Digital Leaders Group and Secretaries Board
• Issue Department of Customer Service Circular
Transition timeline - Commonwealth
https://www.protectivesecurity.gov.au/sites/default/files/PSPF-fact-sheet-classification-reforms.pdf
Proposed timeline
• Dec 2019 – Jan 2020: Consultation & drafting
• Feb 2020: Working Group meeting
• Mar 2020: IDLG & Secretaries Board Approval
• Apr 2020: Guidelines Published
• Jun 2020: Resources available
• Oct 2020: Old classification ceases