Consultation opens on BS 10010 which seeks to bring government-style information classification schemes to public organisations and end inadvertent data leakage.
Classified? BS 10010 says, think before you send.
A BSI standard which promises to end inadvertent data leakage is available for public consultation. The aptly binary-numbered standard, BS 10010 “Information Classification, Marking and Handling (ICMH)”, is designed to ensure that people within organisations who share information automatically mark the data with its classification, such as sensitive, confidential or company confidential.
When sharing information with another BS 10010-compliant organisation, the sender would be assured that the recipient follows the same procedures for handling that information.
“It’s designed to make people think carefully about how they classify information,” said Dr Andrew Rogoyski, vice president of cyber security services at CGI UK, who initiated the development of the standard with the British Standards Institution (BSI) two years ago.
“When people start realising that the stuff they are generating – whether it’s pictures or words – has some sensitivity, they will have to think, how am I protecting it and how do I ensure that only the right people get access to it?”
The BSI set up a committee to create the standard and a draft for public consultation has been published on its website. The consultation will remain open until 27 December 2016.
The standard doesn’t prescribe specific solutions, but the hope is that it will prompt developers to create word-processing and email software that automatically asks users to classify documents as they produce them. Such systems already exist as add-ons to existing software, but Rogoyski said they lacked coherence. BS 10010 would help standardise the implementation of such systems and ensure compatibility within organisations and between third parties.
With the General Data Protection Regulation (GDPR) coming into force on 25 May 2018, BS 10010 may have come at just the right time. National information regulators such as the UK’s ICO will be empowered to levy fines of up to four percent of an organisation’s global annual turnover. One estimate following the recent Tesco Bank breach put the potential cost to Tesco (as the parent company of Tesco Bank) at as much as £1.9 billion had GDPR been in effect.
It is hoped that BS 10010 will be adopted by organisations keen to tighten up their data classification systems. The draft is open for public comment on the BSI website until 27 December 2016.
JP Norman, Director of Technology, Security & Governance, said: “It will be interesting to see if there is a similar drive to spread it to supplier organisations, in the same way that the ISO 9001 management systems standard spread through the business ecosystem.”