Guide To Official and Sensitive Document Marking

For anyone wondering or might find it handy to know:

Hmm, so merely putting the acronym ‘OS’ in the filename isn’t enough you say?

You shock me sir!

Other things OS could stand for:

Operating System
Official Secrets
Official Solicitor
Original Signed
Ordnance Survey
Open Source

Orifice sore

OpenStack

Offal Sausage

I’ve worked somewhere where documents were suffixed with the initials of the uploader.

Sorry to hear that.

Putting OS in the file name would be sufficient if we were trained to recognise it. Unfortunately there are a lot of permanent staff who forget that volunteers are Very Rarely Trained.

That’s not what the guidance says though.

It is important that we are able to identify
this type of information quickly and easily
so that it can be protected appropriately.
Sensitive OFFICIAL information should
always be clearly marked as:
OFFICIAL-SENSITIVE

I disagree, the issue is not with the training, it’s the poor practice.

Only putting it at the end of the subject line means its particularly hard to identify on mobile too. All I see is first half of subject line and the start of the email… could easily not spot it.

However, putting OS at the end of the filename or email subject is the standard defence naming convention.

Within Bader MS365 we also have the ability to electronically mark the documents as OFFICIAL-SENSITIVE as well.

This now provides a great opportunity for me to rant about my pet hate - People who mark their routine emails “-O” at the end. Gaaaaaah. Don’t do it!

(Also don’t put spaces between the hyphens and remember to put the date right at the beginning… )

But if we produce documents that are OS, it is still normal/required that it be put in the header and/or footer. I point to all the pers forms as examples of how it should be done!

Using -OS is just for the end of the email subject. If done properly by the book my understanding is that an email should have -OS at the end of the subject line and also OFFICIAL-SENSITIVE written at the start and end of the text body.

The guidance is abundantly clear that every page should have OFFICIAL SENSITIVE on its face.

Because filenames don’t show up when you print.

The guidance also says nothing about using the acronym ‘OS’ being convention. Its laziness, and to someone who has no experience of this convention, like a volunteer, it’s meaningless.

That is generic guidance which specifically says that it is the reader’s responsibility to find out how they are required to mark information.

The defence standard is to put the PM in the header and footer of documents and, iaw with the defence record naming policy, to put the abbreviated marking at the end of filenames and email subject lines.

It isn’t laziness, it’s protocol and it’s easy for anyone to learn, volunteer or not. I don’t see the issue.

The issue is, that someone didn’t follow either the quick guidance here, or the full policy, the document was not protected in accordance with the guidance, but in a lazy manner not even mentioned in the policy.

A volunteer saw the unmarked document, not knowing that a filename ending in ‘OS’ meant official sensitive. (when no guidance I have seen mentions that) and copied text from it.

And now we’re getting flak behind the scenes for their screw up.

(They referring to the document writer, not the volunteer.)

I’m sorry, I’ve got no idea what event you’re referring to. All I’ve seen is this topic.

We as an organisation must train people in things we want them to know. We can’t rely on people randomly deciding to google how the MOD marks documents. We also can’t expect them to trawl through hundreds of ACPs and ACTOs to ensure they know everything they need to know for their day-to-day business.

Yes we should. And defence writing is easy so it wouldn’t be difficult to do it.
We already have to complete protection of information training which should teach everyone that all information is ‘need to know’.
Adding on a simple expanded guide to protective marking would be a simple fix.