We won’t have anything OFFICIAL SENSATIVE. Our business doesn’t tick the boxes. Won’t stop idiots using it though wanting to Walt-up their letters.
…or even SENS[color=#ff0000]I[/color]TIVE!
I wouldn’t go so far as to say that we won’t have anything Official-Sensitive…
[quote]
A limited subset of OFFICIAL information could have more damaging consequences (for individuals, an organisation or government generally) if it were lost, stolen or published in the media. This subset of information should still be managed within the “OFFICIAL” classification tier, but may attract additional measures (generally procedural or personnel) to reinforce the “need to know”.
In such cases where there is a clear and justifiable requirement to reinforce the “need to know”, assets should be conspicuously marked: OFFICIAL-SENSITIVE[/quote]
Investigation of any child protection concerns for example would seem to be a good candidate.
I phone. Will be the downfall of someone one day.
[quote=“wdimagineer2b” post=16313]I wouldn’t go so far as to say that we won’t have anything Official-Sensitive…
[quote]
A limited subset of OFFICIAL information could have more damaging consequences (for individuals, an organisation or government generally) if it were lost, stolen or published in the media. This subset of information should still be managed within the “OFFICIAL” classification tier, but may attract additional measures (generally procedural or personnel) to reinforce the “need to know”.
In such cases where there is a clear and justifiable requirement to reinforce the “need to know”, assets should be conspicuously marked: OFFICIAL-SENSITIVE[/quote]
Investigation of any child protection concerns for example would seem to be a good candidate.[/quote]
Nope. We don’t “investigate” in the way that the document relates to “investigations”. It’s more along the lines of criminal activity and threats from OCGs. If the investigations I conduct in my day job are going to be covered under the OFFICIAL bracket and thus unmarked, I can’t see the ACO’s being marked up. Besides, as soon as you put OFFICIAL - SENSITIVE on it, you cannot transmit it via Bader email. It can only go by GSI or DII accounts with very few exceptions.
Who says you can’t send it via Bader email? Official Sensitive does not map directly to Restricted.
You probably won’t have seen it yet. When the new instructions are released from HQAC, it will say this.
[quote=“Plt Off Prune” post=16316]
Nope. We don’t “investigate” in the way that the document relates to “investigations”. It’s more along the lines of criminal activity and threats from OCGs.[/quote]
I wasn’t actually referring to any specific wording in the document. Let me reword what I’m saying.
“Correspondence/documentation relating to any child protection concerns for example would seem to be a good candidate.”
There isn’t a hard policy which states “The following will be marked as sensitive… and the following will not…” It’s up to the originator to decide whether to mark it OFFICIAL-SENSITIVE or not, if they have a genuine reason to feel that the “need to know” should be emphasised.
Frankly, let’s suppose a cadet approaches me and confides/alleges that Staff Member X has been behaving inappropriately with them…
That’s something which could cause significant distress for both parties if it were compromised and could reflect badly on the organization if the tabloids got hold of it for example.
Now that’s not to say that they would, but I’d be justified in marking it as sensitive if I believed it was appropriate.
[quote]You probably won’t have seen it yet. When the new instructions are released from HQAC, it will say this.[/quote]
I’ve seen the current “don’t put anything marked OFFICIAL-SENSITIVE on Bader until we get clarification”. This seems prudent until we have the official okay.
Though if you’re referring to a definitive policy that is soon to be issued then I’d argue that it shouldn’t say that.
The Bader Mail system, being a shared infrastructure and being secured via SSL/TLS should conform to the controls required for all OFFICIAL information (remembering that OFFICIAL-SENSITIVE isn’t a higher classification; it’s a sub-set of OFFICIAL).
Hell, you can email Sensitive information to an external third party so long as it’s done using SSL/TLS, etc. You can even fax sensitive information over the (unsecure) public telephone network so long as the recipient is waiting to receive it.
Any stipulation which says that OFFICIAL-SENSITIVE must not be sent from one Bader user to another would be overkill and would be clearly in excess of the Government approved controls.
The whole point of the new system is to make things easier whilst maintaining a proportionate security response.
I can really only foresee one issue with the new system…
Currently, if I’ve got a security document marked RESTRICTED for example, I know exactly what I need to do with that at a glance.
Under the new system, I’ll have to read the whole damn document to be able to decide for myself how it should be treated.
That might be fine if it’s a document I’m working with because naturally I’m likely to be reading it, but if it’s just something I need to file that’s more time/effort/work.
Precisely. I’d be very surprised indeed if the policy document I won’t have seen yet is backed up by a review of the accreditation document set by DSAS.
Anyone actually read that PDF guide?
It’s pretty clear that anything involving personal information will be OFFICIAL SENSITIVE, replacing PROTECT…
[quote=“tmmorris” post=16328]Anyone actually read that PDF guide?
It’s pretty clear that anything involving personal information will be OFFICIAL SENSITIVE, replacing PROTECT…[/quote]
Really?
[quote]If you treat OFFICIAL SENSITIVE material as you
used to treat RESTRICTED material you will avoid
security breaches. But remember the two are not
the same and there are new flexibilities you can use
if this helps deliver your business.[/quote]
[quote]ASK YOURSELF THIS HYPOTHETICAL QUESTION: If it
were to come to light that the information had fallen
into the wrong hands, would this lead to
significant criticism of the MOD at the national level? If
so, then a marking of OFFICIAL SENSITIVE is probably
right.
5. Do not mark OFFICIAL SENSITIVE just because you think it would
have been marked RESTRICTED under the old system. This may
give you some clues about its potential sensitivity, but you still
need to think about the issues under 4 above.[/quote]
[quote]Handling OFFICIAL
SENSITIVE information
Note: There are special rules for information exchanged
internationally. See page 12. [This detail will be added for the final
version.]
Physical documents or emails with this marking must be:
• locked in a secure container when you leave your place of work
for more than half an hour.
• disposed of by shredding, burning, tearing individual
documents into small pieces (at least 4 times) and disposed of
in normal waste/recycling bins at work (but not outside MOD)
along with unmarked information.
In addition, they can be:
• emailed within MOD and to other Departments across secure
systems (including DII(F) and GSI).
• on an exceptional basis, emailed over the internet to third
parties provided there is a business need, and subject to certain
strict conditions (see page 10).
• physically taken and worked on at non-MOD locations but
not read or worked on in public or otherwise in the sight of
unauthorised people.
• discussed on all types of phone, but not with (or within earshot
of) unauthorised persons.
Finally, if following the marking of OFFICIAL SENSITIVE there is
also a descriptor (see page 7), the information must be stored
electronically in locked down MOSS team sites.[/quote]
DII MOSS isn’t ACO SharePoint by the way.
Those “strict conditions” are indeed, very strict, and none of the governance factors are in place in the ACO yet.
Found it: p5 states information is sensitive if it is ‘Threatening an individual’s privacy … (e.g. By compromising personal data)’
That’s a given yes, but I don’t think people will realise the implications of what needs to happen. Typically the MOD are styling a different take on the Cabinet Office’s guidance which has muddied the waters somewhat. To be honest, part of me thinks it’s a smokescreen. Anything unmarked which accidentally ends up in the public domain can easily be watered down by media handlers and save face to the Government. The old system was fine until they introduced PROTECT.