Or for more information:

01488 648468 Have a chat with one of our team.
Need more information? Please get in touch.
Free Demo

All You Need To Know About UK Security Classifications – Official Sensitive Information


In  2014, the UK Government introduced the Government Security Classification (GSC), known as the “UK Security Classifications,” altering the previous Government Protective Marking Scheme. This policy provides a framework for classifying official and sensitive information, ensuring public sector organisations and their collaborative partners collect and store data appropriately.

Under the GSC, data can be categorised into three security levels: OFFICIAL, SECRET, and TOP SECRET. A small subset of OFFICIAL data is marked as OFFICIAL-SENSITIVE. While not a stand-alone classification, the term “OFFICIAL-SENSITIVE” is used when the official information requires a handling caveat due to its sensitive nature. Examples of OFFICIAL-SENSITIVE information might include data that, while not reaching SECRET or TOP SECRET classification, still needs careful handling and restricted access.

The distinction between OFFICIAL and OFFICIAL-SENSITIVE is vital in the context of the UK’s security classifications. It guides how organisations handle and protect various types of official data within the government security classifications policy.

 


 

Skip to Section:

What is OFFICIAL-SENSITIVE information?

What is the problem with OFFICIAL-SENSITIVE?

How does Kahootz support OFFICIAL-SENSITIVE information?

What does the future of the UK security classifications system look like?

 


What is OFFICIAL-SENSITIVE Information?

Although not an official classification, OFFICIAL-SENSITIVE refers to information that falls under the OFFICIAL classification which requires special handling by staff. In particular cases where the information is on a ‘need to know’ basis it becomes useful to mark the data as OFFICIAL-SENSITIVE.

In the case of storing and sharing of OFFICIAL-SENSITIVE information in the cloud, only the appropriate users should have permissions to access this data, and records of which must be kept. This means, that if there is ever a security breach, it becomes easier to pinpoint the source of the breach by finding out who has access to the specific information asset.

 

The Problem with OFFICIAL-SENSITIVE

As OFFICIAL-SENSITIVE is not, strictly, an official classification within the GSC framework, there are no pan-government accreditation schemes in place to officially certify IT systems or cloud security providers. Vendors are also restricted in promoting their systems as an ‘approved/accredited information technology service’ with the new classification system, making it increasingly difficult for users trying to locate solutions which can accommodate the secure sharing and storing of OFFICIAL-SENSITIVE information internally and externally. 

 

Kahootz and OFFICIAL SENSITIVE Information

Kahootz has many public sector clients and currently focuses on supporting the sharing of information marked as OFFICIAL, as this covers about 85% of all government information.

In 2015, Kahootz was selected by the Ministry of Defence (MOD) as the provider of their secure collaborative working environment to enable teamworking with external agencies and stakeholders over the public internet. After a meticulous amount of due diligence, the MOD departmentally accredited Kahootz to store and share information marked up to OFFICIAL-SENSITIVE, with the particular handling instructions.

The MOD accreditation issued to Kahootz has helped many defence primes, and others in MOD’s supply chain, to have confidence to adopt and use Kahootz to engage with their supply chain business partners. Kahootz having that level of departmental accreditation, also contributes to the high levels of trust for the platform for users looking for an OFFICIAL-SENSITIVE solution when working with the MOD, other government departments, and with their industry partners and key stakeholders.

In addition, Kahootz has also been able to help fast track many of these new defence clients through the DART process to obtain MOD accreditation of their Kahootz sites.

Is Kahootz the right platform for your defence collaboration? Try-before-you-buy with a no obligation 30-day free trial.

 

What does the future of the UK security classifications system look like?

For many organisations that need to work with government departments, searching for approved OFFICIAL-SENSITIVE (OS) collaboration software service can be problematic. However, the availability of sourcing pre-accredited commodity cloud services applies to all three classifications of OFFICIAL, SECRET, and TOP SECRET as the UK government and the UK security classification has no specified parameters or official methods for supplier IT systems and cloud services to obtain an accredited status.

With regard to the plan for the security classification system, it is not anticipated that a pan-government issued certification scheme will become available in the future, due to the sheer volume and variety of cloud solutions and information technology providers that would need annual reviews and accreditations.

With that in mind the NCSC’s 14 Cloud Security Principles were created and introduced as a benchmark for organisations procuring cloud services to assess and compare how a cloud provider’s operational, technical and cyber security controls met their requirements. 

The work Kahootz does to support the operational processes, resilience and security controls required by the MOD (and many other government departments) has allowed us to position our cloud collaboration service as the type of OFFICIAL and OFFICIAL-SENSITIVE information management and collaboration solution that many organisations, working with the UK public sector, look for.

To find out more about our work in the public sector, download our guide, or visit our security page to learn more about what makes Kahootz an accredited official-sensitive collaboration software.

Frequently Asked Questions

What are the UK classification levels?

The UK Government Security Classification (GSC) system categorises information into three levels: Official, Secret, and Top Secret.

  • “Official” is the most common classification and applies to most information created or processed by the public sector. This includes routine business operations and services, some of which could have damaging consequences if lost, stolen, or published in the media.
  • “Official-Sensitive” is a subset of the “Official” classification. This label is used for particularly sensitive information but is not subject to the heightened threat profile that would warrant a “Secret” or “Top Secret” classification. This information requires stricter handling protocols, and the need-to-know principle must be rigorously enforced.
  • “Secret” is used for sensitive information that justifies heightened protective measures to defend against determined or highly capable threats. This may include information that could seriously damage military capabilities, international relations, or the investigation of serious organised crime.
  • “Top Secret” is used for the government’s most sensitive information, which requires the highest protection from the most severe threats. A compromise of this information might cause widespread loss of life or threaten the country’s or friendly nations’ security or economic well-being.

How is “Official Sensitive” information managed in cloud services like Kahootz?

In cloud services like Kahootz, ‘Official Sensitive’ information is managed with the utmost care and adherence to stringent security protocols to ensure data integrity and confidentiality. These protocols involve a range of security measures, from secure data storage and transmission to strict access controls and auditing capabilities. Kahootz, in particular, has been accredited by the Ministry of Defence (MOD) to handle ‘Official Sensitive’ information.

The platform provides secure collaboration tools tailored to the government and defence sectors. These tools include secure data encryption, multi-factor authentication, and activity log analysis to track data access and modifications. Additionally, Kahootz ensures that only authorised users have the necessary permissions to access ‘Official Sensitive’ data, thereby limiting the risk of unauthorised disclosure. Kahootz’s commitment to security and its MOD accreditation makes it a trusted platform for the management of ‘Official Sensitive’ information.

What is the difference between “Official” and “Official Sensitive”?

The primary distinction between “Official” and “Official Sensitive” lies in their handling requirements and the potential implications of unauthorised disclosure. Both classifications fall under the “Official” category, but “Official Sensitive” information is subject to stricter handling protocols. This is because “Official Sensitive” information, while not reaching the level of “Secret” or “Top Secret,” is still of such a nature that its unauthorised disclosure could have more severe consequences than general “Official” information.

For instance, “Official Sensitive” information might include certain critical business data, personnel records, or sensitive operational details that, if disclosed, could compromise the effectiveness of a program or operation or even potentially harm individuals involved. As such, it must be handled with a higher degree of care. This can involve tighter access controls, more rigorous data access and usage auditing, and potentially additional security measures such as enhanced encryption or physical security.

In contrast, general “Official” information tends to be less sensitive, and its unauthorised disclosure, while still undesirable, would typically have less severe repercussions. This type of information might include routine business communications, standard operational data, or other less sensitive information that is still important to protect but does not warrant the same level of protection as “Official Sensitive” information.

Start your FREE 30-day trial.

Join hundreds of thousands of people across public sector organisations, enterprises and not-for-profits
who are using Kahootz to collaborate anytime, anywhere. No upfront commitment required.