Facilitating Information Management Through the Use of Protective Markings in s. Better Practice in egovernment Seminar

Size: px

Start display at page:

Download "Facilitating Information Management Through the Use of Protective Markings in Emails. Better Practice in egovernment Seminar"

Rosaline Palmer
8 years ago
Views:

1 Facilitating Information Management Through the Use of Protective Markings in s Better Practice in egovernment Seminar Thursday 10 November 2005

2 The Australian Government Information Management Office Presented by Bricet Klören Team Leader, Frameworks Branch Australian Government Information Management Office Department of Finance and Administration

Frameworks Branch Australian Government Information

3 What will I be talking about? Protective Markings what are they, why do we need them, what are the rules BlackBerry - what are the rules Lessons learnt, more reference material

4 Protective Markings What is a Protective Marking? The combined set of Security Classification, Caveats and other indicators applied to information to indicate the information has been security classified; whether it is national security or non-national security information; and the level of protective procedures that should be used over the information's lifetime.

information to indicate the information has been security classified; whether it is

5 Why do we need Protective Markings Protective Security Manual 2005, Part C, Section 6.5 (AGD) All official information..must have a security classification Protective Markings MUST be implemented by March 2007 (ACSI 33 DSD)

6 Internet Structure

7 Protective Markings in Format Standard and Location 1. Marking Visibility visible to the user, irrespective of the client or device (e.g. Lotus Notes, MS Exchange/Outlook, Web Browser, PDA, BlackBerry) 2. Location At end of Subject: line Headers 3. Format Subject Field Marking 4. Security Classification - UNCLASSIFIED, IN-CONFIDENCE, PROTECTED, HIGHLY-PROTECTED, RESTRICTED, CONFIDENTIAL, SECRET, TOP-SECRET

Location At end of Subject: line Email Headers 3. Format Subject Field Marking 4.

8 Protective Marking Attached with Protective Marking

9 Architecture

10 Protective Markings in Transmission Control / Blocking Block Outbound Agencies MUST configure systems to block any outbound s with a valid protective marking indicating that the content of the exceeds the classification of the: Receiving system, and/or The patch over which the would be transferred (Public networks e.g. Internet, or Private networks e.g. FedLink) Block Inbound Agencies SHOULD configure systems to reject and log inbound s with protective markings indicating that the content of the exceeds the accreditation of the receiving system

email would be transferred (Public networks e.g.

11 Summary - Inbound and Outbound Server Behaviour OUTBOUND INBOUND IF MESSAGE CLASSIFICATION IS: IF MESSAGE IS BEING DELIVERED TO A NETWORK WHOSE CLASSIFICATION IS: IF RECIPIENT (MY) AGENCY NETWORK AGENCY CLASSIFICATION IS: UNCLASSIFIED IN-CONFIDENCE PROTECTED UNCLASSIFIED IN-CONFIDENCE PROTECTED UNCLASSIFIED Deliver Deliver Deliver Deliver Deliver Deliver IN-CONFIDENCE Reject Deliver Deliver Reject Deliver Deliver PROTECTED Reject Reject Deliver Reject Reject Deliver HIGHLY PROTECTED RESTRICTED, CONFIDENTIAL, SECRET, TOP SECRET Reject Reject Reject Reject Reject Reject Reject Reject Reject Reject Reject Reject NOT LABELLED Reject Reject Reject Deliver Deliver Deliver

Deliver Deliver Deliver Deliver IN-CONFIDENCE Reject Deliver Deliver Reject Deliver Deliver PROTECTED Reject Reject Deliver Reject Reject Deliver HIGHLY PROTECTED

12 Guidance and Standards Implementation Guide for Protective markings for Australian Government Agencies Protective Standard for the Australian Government

13 Protective Markings in Next Steps Agencies implementation of protective marking requirements, in accordance with the policies, guidance and standards AGIMO - Agency Lookup Table Specifications for Protective Markings in Clients Specification for a protective marking certification test reference server

AGIMO - Agency Lookup Table Specifications for Protective Markings in Email

14 BlackBerry Policy DSD ICT Security Policy for the Use of BlackBerry by the Australian Government (July 2005) ACSI 33 Telephones and Pagers (3.8.60) Electronic Mail Security (3.5.31) Electronic Mail Protective Marking Policy (3.5.41) Data Transfer ( ) Portable Computers and Personal Electronic Devices (3.4.51) Password Selection Policy (3.6.11)

60) Electronic Mail Security (3.5.31) Electronic Mail Protective Marking Policy (3.5.41) Data Transfer (3.

15 Additional Instructions & Guidance Instructions on the Allocation and Use of BlackBerry in the Australian Government Better Practice Guidance No.23 Use of BlackBerry Devices Better Practice Guidance No.24 User Requirements of BlackBerry Devices

16 BlackBerry Policy Agencies may use BlackBerry versions 3.6 to 4.x for the transmission and storage of X-In-Confidence and Restricted information. Agencies MUST NOT use BlackBerry for the transmission or storage of Cabinet-In-Confidence, Protected, Highly Protected, Confidential, Secret or Top Secret information.

17 START DSD s BlackBerry policy states: Are your agency s ICT facilities accredited to store, process or transmit information classified at the levels of: CONFIDENTIAL SECRET TOP SECRET YES BlackBerry MUST NOT be used to: Store ; Transmit ; or Be used with ICT systems processing THEN Agencies MUST NOT use BlackBerry this level of classified material NO Are your agency s ICT facilities accredited to store, process or transmit information at the levels of: CABINET-IN-CONFIDENCE PROTECTED HIGHLY PROTECTED YES DSD s BlackBerry policy states: BlackBerry MUST NOT be used to: Store ; or Transmit ; this level of classified information THEN Agencies MUST NOT use BlackBerry to: Store ; or Transmit ; this level of classified information NO AND Are your agency s ICT facilities accredited to store, process or transmit information classified at the levels of: UNCLASSIFIED X-IN-CONFIDENCE RESTRICTED BlackBerry SHOULD NOT be used with ICT systems processing this level of classified information. THEN If BlackBerry is used with an agency s ICT facilities that store, process or transmit information classified at the level YES THEN DSD s BlackBerry policy states: BlackBerry may be used to: Store ; Transmit ; and Be used with ICT systems processing THEN this level of classified material Note: This figure must be read in conjunction with the: PSM; ACSI 33; and the requirements under When BlackBerry may, should not and must not be used in this Guide. Agency s MUST implement this minimum set of requirements: Agency head must approve the requirement and use of BlackBerry Agencies must undertake a Threat and Risk Assessment as defined by ACSI 33 BlackBerry devices must be supplied, supported, managed, and used in accordance an agency s ICT policy Comply with the policy requirements and BES IT settings of DSD s ICT Security Policy for the use of BlackBerry Implement all relevant requirements of the March 2005 (or later) release of ACSI 33 including, but not limited to: Electronic Mail Protective Markings Electronic Mail Security Telephones and Pagers Password Selection Implement protective markings in accordance with the: Implementation Guide for Protective Markings for Australian Government Agencies ; and Protective Marking Standard for the Australian Government Additional mandatory requirements if used with : CABINET-IN-CONFIDENCE PROTECTED HIGHLY PROTECTED ICT systems Satisfy all requirements as described in ACSI 33 for deviating from a SHOULD NOT Agency systems must meet the relevant requirements of ACSI 33, there must be no waivers in place There must be no relevant outstanding issues from system security reviews or security audit reports ICT systems must be certified and accredited in accordance with requirements of ACSI 33 Agencies must undertake an independent (DSD or I-RAP) post implementation review of BlackBerry including: Risk Mitigation Plan, System Security Plan, Standard Operating Procedures, and risk mitigation controls

to store, process or transmit information at the levels of: CABINET-IN-CONFIDENCE PROTECTED HIGHLY PROTECTED YES DSD s BlackBerry policy states: BlackBerry MUST NOT be used to: Store ; or Transmit ;

18 BlackBerry Next Steps Pre Implementation Review Checklist Post Implementation Review Checklist Personal Electronic Devices Review

19 Conclusions Close co-operation between AGIMO and DSD Developed a repeatable model of cooperative development of security policy Whole of government implementation of security policy Heightened awareness of importance of information protection Heightened awareness of interconnectedness and interdependence of agency systems Protective Markings introduced in Mar 05 release of ACSI 33 Agencies have deployed client and server controls already!

information protection Heightened awareness of interconnectedness and interdependence of agency systems Email

20 Additional Information Attorney General s Department Protective Security Manual 2005 Defence Signals Directorate (DSD) Australian Government Information and Communications Technology Security Manual - ACSI 33 (Sept 05) ICT Security Policy for the Use of BlackBerry by the Australian Government (July 05) Australian Government Information Management Office (AGIMO) Implementation Guide for Protective Markings for Australian Government Agencies (Oct 05) Protective Marking Standard for the Australian Government (Oct 05) Instructions on the Allocation and Use of BlackBerry in the Australian Government (Oct 05) Better Practice Guidance #23 - Use of BlackBerry Devices (Oct 05) Better Practice Guidance #24 - User Requirements for BlackBerry Devices (Oct 05)

for Email Protective Markings for Australian Government Agencies (Oct 05) Email Protective Marking Standard for the Australian Government (Oct 05) Instructions on the Allocation and Use of

21 Questions? Questions, comments? Please contact: Bricet Klören, Manager, Emerging Technologies Phone: (02) Geoff Morrison, Security Consultant, Emerging Technologies Phone: (02)

Department of Finance and Administration. Australian Government Information Management Office. Archived

Department of Finance and Administration Australian Government Information Management Office Implementation Guide for Email Protective Markings for Australian Government Agencies October 2005 Version: