In April 2014, the UK Government changed the original Government Protective Marking Scheme and published a new classification system called the Government Security Classification (GSC). The GSC, also known more colloquially as the “UK Security Classifications”, outlines a way to classify information and ensures that all public sector organisations, and external parties they collaborate with, collect and store information appropriately.
Under the new GSC, information can be classified under three security levels: OFFICIAL, SECRET, and TOP SECRET. Within that, a small subset of OFFICIAL information is marked as OFFICIAL-SENSITIVE, which is not in itself a classification but is used when the information requires a handling caveat.
What is OFFICIAL-SENSITIVE Information?
Although not an official classification, OFFICIAL-SENSITIVE refers to information that falls under the OFFICIAL classification and requires special handling by staff. In particular, where the information is shared on a ‘need to know’ basis, it becomes useful to mark the data as OFFICIAL-SENSITIVE.
When OFFICIAL-SENSITIVE information is stored and shared in the cloud, only the appropriate users should have permission to access this data, and records of these permissions must be kept. This means that, if there is ever a security breach, it becomes easier to pinpoint the source of the breach by finding out who has access to the specific information asset.
The Problem with OFFICIAL-SENSITIVE
As OFFICIAL-SENSITIVE is not, strictly, an official classification within the GSC framework, there are no pan-government accreditation schemes in place to officially certify IT systems or cloud security providers. Vendors are also restricted in promoting their systems as an ‘approved/accredited information technology service’ with the new classification system, making it increasingly difficult for users trying to locate solutions which can accommodate the secure sharing and storing of OFFICIAL-SENSITIVE information internally and externally.
Kahootz and OFFICIAL-SENSITIVE Information
Kahootz has many public sector clients and currently focuses on supporting the sharing of information marked as OFFICIAL, as this covers about 85% of all government information.
In 2015, Kahootz was selected by the Ministry of Defence (MOD) as the provider of their secure collaborative working environment to enable teamworking with external agencies and stakeholders over the public internet. After meticulous due diligence, the MOD departmentally accredited Kahootz to store and share information marked up to OFFICIAL-SENSITIVE, with the particular handling instructions.
The MOD accreditation issued to Kahootz has given many defence primes, and others in MOD’s supply chain, the confidence to adopt and use Kahootz to engage with their supply chain business partners. That level of departmental accreditation also contributes to the high level of trust in the platform among users looking for an OFFICIAL-SENSITIVE solution when working with the MOD, other government departments, and their industry partners and key stakeholders.
In addition, Kahootz has also been able to help fast track many of these new defence clients through the DART process to obtain MOD accreditation of their Kahootz sites.
What does the future of the UK security classifications system look like?
For many organisations that need to work with government departments, searching for an approved OFFICIAL-SENSITIVE (OS) collaboration software service can be problematic. However, the issue of sourcing pre-accredited commodity cloud services applies to all three classifications of OFFICIAL, SECRET, and TOP SECRET, as the UK government has not specified any parameters or official methods for supplier IT systems and cloud services to obtain an accredited status.
With regard to the plan for the security classification system, it is not anticipated that a pan-government issued certification scheme will become available in the future, due to the sheer volume and variety of cloud solutions and information technology providers that would need annual reviews and accreditations.
With that in mind, the NCSC’s 14 Cloud Security Principles were created and introduced as a benchmark for organisations procuring cloud services to assess and compare how a cloud provider’s operational, technical and cyber security controls meet their requirements.
The work Kahootz does to support the operational processes, resilience and security controls required by the MOD (and many other government departments) has allowed us to position our cloud collaboration service as the type of OFFICIAL and OFFICIAL-SENSITIVE information management and collaboration solution that many organisations, working with the UK public sector, look for.
To find out more about our work in the public sector, download our guide, or visit our security page to learn more about what makes Kahootz an accredited official-sensitive collaboration software.