How Janusnet can help with SAPSF information classification
Image of Parliament House, South Australia courtesy of hypnotiseme - Own work, CC BY-SA 4.0
The South Australian Protective Security Framework (SAPSF) incorporates relevant South Australian security policies and provides tailored guidance and other resources for all South Australian public sector agencies. Part of the Framework is 'INFOSEC1: Protecting official information' which aims to ensure all South Australian Government agencies protect their information assets from compromise. It outlines the South Australian Information Classification System (ICS) and associated guidance. All South Australian Government agencies “…must use the system when assessing the confidentiality, integrity and availability of their information assets to ensure appropriate classification, protective markings and handling requirements are assigned.”
The use of security classification labels (protective markings) as an effective means to maintain data confidentiality and prevent data leakage is well established in national government circles, when dealing with both hardcopy and electronic information.
PROTECTIVE MARKINGS IN USE IN SOUTH AUSTRALIA
This is covered in detail in the aforementioned INFOSEC1: Protecting official information document. Therein the South Australian Government describes its approach to classifying and labelling sensitive information. Its ICS is based upon the Commonwealth Government's sensitive and classified information requirements under the Protective Security Policy Framework (PSPF) with some modifications to suit the South Australian context.
There are three main components of a protective marking: security classification, information management markers and caveats. Specific definitions of each protective marking are set out in the table below. (This table does not list caveats or information management markers, which may be used in conjunction with security classifications – in accordance with the SAICS Overview document.)
|
Protective Marking |
Business Impact Level |
Description |
|
UNOFFICIAL |
0 |
UNOFFICIAL can be used for non-work-related information. Use of the protective marking is optional, but may be required by ICT systems (e.g. emails). |
|
OFFICIAL |
1 |
OFFICIAL describes routine information created or processed by the South Australian public sector with a low business impact. Use of the protective marking is optional, but recommended, and may be required by ICT systems (e.g. emails). |
|
OFFICIAL: Sensitive |
2 |
OFFICIAL: Sensitive identifies sensitive, but not security classified information. It is a single dissemination limiting marker (DLM) which indicates that compromise of the information may result in limited damage to an individual, organization or government generally. Use of the protective marking is mandatory. |
|
PROTECTED |
3 |
PROTECTED is a security classification which indicates that compromise of the information may result in damage to the state or national interests, organisations or individuals. Use of the protective marking is mandatory. |
|
SECRET |
4 |
SECRET is a security classification which indicates compromise of the information may result in serious damage to the state or national interests, organisations or individuals. Use of the protective marking is mandatory. |
|
TOP SECRET |
5 |
TOP SECRET is a security classification which indicates compromise of the information may result in exceptionally grave damage to the state or national interests, organisations or individuals. Use of the protective marking is mandatory. |
PROTECTED, SECRET and TOP SECRET are the only three true security classifications used in South Australia; the lower sensitivity protective markings can be thought of as pseudo-classifications.
Information Management Markers can be added to an appropriate classification of OFFICIAL:Sensitive or higher. They are used to reflect ‘rights properties’ for particular content and can inform access restrictions. They are not mandatory. The recognised IMMs in SA are:
- Legislative Secrecy
- Personal Privacy
- Legal Privilege
- Medical in Confidence
Caveats indicate extra special security requirements for public sector information in addition to the confidentiality requirements of the security classification, further restricting access to the material.
Types of caveats which may be encountered in South Australian government include:
- sensitive compartment information (codewords)
- foreign government markings
- special handling instructions
- releasability caveats
These caveats generally align with the national level caveats of the Commonwealth. South Australia does have its own SA CABINET caveat that can be used with information at a security classification of OFFICIAL:Sensitive and above. The National CABINET caveat was added in August 2020. Both the SA and NATIONAL caveat requirements are explained in detail in section 18.
Click here for the South Australian Protective Security Framework INFOSEC1: Protecting official information pdf.
If you would like to discuss how Janusnet can help you comply with SAICS compliance standards, please contact us or to obtain a fully working Janusseal evaluation with SAICS configuration, please complete the form below:
