NOTE: The security levels mentioned in this article are specific to UK Government organisations - they may not mean anything to other business sectors or nationalities.
In April 2014, the Government Security Classifications Policy changed the way that the public sector classifies and protects its information assets. There are now just three levels of security classification: OFFICIAL, SECRET and TOP SECRET. OFFICIAL replaces everything up to and including IL3/RESTRICTED, and that covers the majority (about 90%) of all information related to public sector activities.
OFFICIAL information does not need to be marked; aggregation does not automatically trigger an increase in protective marking; and it can include personal data.
With this change came a recognition from CESG that business impact levels (such as IL2 and IL3) are not an appropriate way to measure software security, and there is now a clear mandate that business impact levels MUST NOT be used for that purpose. Kahootz was one of the few systems to formerly hold pan-government accreditation up to IL2, but there is no equivalent pan-government accreditation under the new scheme: each department must make up its own mind about which solutions are suitable.
According to the Cabinet Office, “OFFICIAL information can be managed with good commercial solutions that mitigate the risks faced by any large corporate organisation”. That is a pragmatic choice for modern government and a recognition that, for most Government information, the security requirements are equivalent to those of a private sector enterprise.
How do you know when a commercial solution is a good commercial solution and is sufficiently secure and well-managed to hold OFFICIAL data?
To help with this, CESG created a list of 14 “essential security principles to consider when evaluating cloud services”. Between them, they cover all the security issues related to service provision. Supporting each principle is a set of guidance that explains what it means, why it is required, and a set of possible implementation approaches.
These security changes are reflected in G-Cloud from iteration 6 onwards: the G-Cloud Digital Marketplace now asks suppliers approximately 80 detailed security questions that highlight each supplier’s implementation approach for each security principle, and the evidence they have to demonstrate that the approach is effective.
Kahootz has issued a detailed document explaining the security content of Kahootz and how it meets the 14 cloud security principles. It has been internally approved for use with OFFICIAL and OFFICIAL-SENSITIVE documents by a large number of government bodies. Full details are available on request via Kahootz Sales.