G-Cloud SME supplier Memset has applauded the Government on the recent changes to the security classifications, which it believes demonstrate a desire to push more data and applications into the public cloud.
The changes to the security requirements for the ‘Secret’ and ‘Top Secret’ tiers are minimal. The changes to the lower tier are more significant, however, as the new policy consolidates the national ‘Not Protectively Marked’, ‘Protect’, ‘Restricted’, and some ‘Confidential’ information under GPMS into the single ‘Official’ tier.
The ‘Official’ tier allows for particularly sensitive ‘Official’ information to be identified using an additional handling caveat ‘Sensitive’.
Memset, which recently secured IL3 or ‘Official over PSN’ accreditation from CESG, welcomes the changes from the Government. MD Kate Craig-Wood said: “The old impact levels system was hugely complex and poorly understood, which created a significant barrier to entry for many companies, especially SMEs. This simplification will greatly open up the public services ICT market.
Collapsing lower security tiers into one is also a clear indication from the Cabinet Office of an appetite to push more services into the public cloud. This is great news and is the only way the full potential savings of G-Cloud will be unlocked. In my expert opinion there is absolutely no reason why the majority of government ICT should not be conducted using British, high-security public cloud providers via the normal Internet, using existing encryption technologies.
As a pioneer in obtaining our IL3-PSN accreditation we were significantly hampered by a lack of transparency around requirements. The mooted publication of all non-protectively marked security guidance documents, previously hoarded by CLAS consultants and CESG, is most welcome. It is important that SMEs can assess the requirements rather than being scared off by fear, uncertainty and unnecessary complexity.
I also hope that they will work with Industry in developing the new standards, which I expect are quite ‘skeletal’ at this stage. For example, do we need central accreditation at all? Banks have been managing ultra-high InfoSec for years without a central accreditor, instead relying on approaches including robust penetration testing to deliver provable security. This is a time of opportunity to do things better and cheaper.”