Scotland's Digital Future: Scottish public sector cloud computing guidance

Guidance and principles on cloud computing in the Scottish public sector.


Information Classification

All information that the public sector in Scotland needs to collect, store, process, generate or share to deliver services and conduct public business has intrinsic value and requires an appropriate degree of protection.

Security considerations are of paramount importance when selecting a hosting provider. It is therefore essential that any solution is approved to the impact level of the service you want to host there.

The data sensitivity requirements of organisations hosting their data have always been classified using the Government Security Classification scheme and/or a Business Impact Level (BIL), which ranges from 0 (zero) to 6. Zero is the lowest level, where compromise of the data has no impact on the organisation, through to 6, where compromise has a critical impact.

On 2nd April 2014 the government's data classification scheme changed. The change saw a reduction from the 6 existing classifications (unclassified, protect, restricted, confidential, secret, top secret) and the end of the BIL.

The new classifications are:

  • Official - The majority of information that is created or processed by the public sector. This includes routine business operations and services, some of which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened threat profile.
  • Secret - Very sensitive information that justifies heightened protective measures to defend against determined and highly capable threat actors. For example, where compromise could seriously damage military capabilities, international relations or the investigation of serious organised crime.
  • Top secret - HMG's most sensitive information requiring the highest levels of protection from the most serious threats. For example, where compromise could cause widespread loss of life or else threaten the security or economic wellbeing of the country or friendly nations.

Any solution for hosting data, whether in the cloud or otherwise, should be maintained to a standard that complies with the classification and impact level at which an organisation categorises its data or service after an impact assessment.

For a full explanation of using a risk assessment to identify BILs, see the CESG website:

http://www.cesg.gov.uk/publications/Documents/is1_risk_assessment.pdf

Business Impact Level Assessment

There will, however, be a transition period, but it is expected that hosting suppliers who deliver services compliant with a particular BIL or IL will continue to operate in that manner for the foreseeable future.

Therefore, the existing Business Impact Level structure should continue to be used in the course of an information risk assessment process until new guidelines are published.

Further information on working with Government security classifications and the use of impact levels can be found at:

https://www.gov.uk/government/publications/government-security-classifications

Contact

Email: Philip Whitley
