A BSI standard which promises to end inadvertent data leakage is available for public consultation.
The aptly binary standard, BS 10010 “Information classification, marking and handling (ICMH)”, is designed to ensure that people within organisations who are sharing information will automatically mark the data with its information classification – such as sensitive, secret or top secret.
When sharing information with another BS 10010-compliant organisation, the sender would be assured that the recipient would follow the same procedures for handling that information.
“It's designed to make people think carefully about how they classify information,” said Dr Andrew Rogoyski, vice president of cyber security services at CGI UK, who initiated the development of the standard with the British Standards Institution (BSI) two years ago.
He said the reception to the proposal had been positive. The BSI set up a committee to create the standard and a draft for public consultation has been published on its website. The consultation will remain open until 27 December 2016.
The standard doesn't prescribe specific solutions, but Rogoyski hopes that it will prompt developers to create word processing and email software that will automatically prompt users to classify documents as they produce them.
Such systems already exist as add-ons to existing software, but he said they lacked coherence. BS 10010 would help standardise how such systems are implemented and ensure compatibility within organisations and between third parties.
“It would have a huge impact on the way we handle the security of information – which is the end target,” he said.
Rogoyski, who has consulted for government where the classification of information is standard practice, dismissed the idea that users would resist the standard. “I have worked in organisations where there are solutions like this and it adds almost nothing to your thought process,” he said. “It just forms the question in your mind: how sensitive is this? If it takes 10 seconds, then that's time well spent.”
With the General Data Protection Regulation (GDPR) coming into force on 25 May 2018, BS 10010 may have come at just the right time. National information regulators such as the UK's ICO will be empowered to levy fines of up to four percent of an organisation's global turnover. One estimate following the recent Tesco Bank breach put the potential cost to Tesco (as the parent company of Tesco Bank) at as much as £1.9 billion if GDPR had been in effect.
Rogoyski hopes that BS 10010 will be adopted by organisations keen to tighten up their data classification systems. Then he hopes there will be a drive to spread it to supplier organisations, in the same way that the ISO 9001 management systems standard spread through the business ecosystem.
BS 10010 is open for public comment on the BSI website until 27 December 2016.