Security classification procedure

What is the RoS security classification policy?

• The security classification policy covers the handling of all types of information, physical and electronic, from creation to disposal.
• It is a method of determining the level of protection needed for information and to indicate that level of protection to others where appropriate.
• It applies to information created by RoS and also to information received by RoS.
• There are three graded levels of classification marking within Government: OFFICIAL, SECRET and TOP SECRET.
• Each classification provides for a baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile.
• RoS operates exclusively at OFFICIAL level.
• OFFICIAL information is intended for RoS internal use only unless management has approved external dissemination.
• There is no requirement to explicitly mark routine or sensitive OFFICIAL information, however a limited subset of OFFICIAL information could have more damaging consequences (for individuals, an organisation or government generally) if it were lost, stolen or published in the media. This subset of information should still be managed within the OFFICIAL classification tier, but may attract additional measures (generally procedural or personnel) to reinforce the ‘need to know’. In such cases where there is a clear and justifiable requirement to reinforce the ‘need to know’, assets should be conspicuously marked: OFFICIAL–SENSITIVE
• The use of OFFICIAL-SENSITIVE caveat will be rare in RoS and must be approved by the appropriate Information Asset Owner.

Why do we have a security classification policy?

• The policy is based on the UK Government’s security classification system which provides a common baseline across Government for protection of information.

How do we comply with the security classification policy?

• Everyone must be aware of and follow the guidance for handling information whether created by RoS or received by third parties.
• Anyone creating information must determine in accordance with the safeguarding RoS information guide whether the information is sensitive or business critical.
• Anyone sharing / copying sensitive / business critical information should consider if the recipient(s) will be aware of and understand how they should protect and dispose of this information in line with RoS policy. In cases where the recipient(s) will not be aware of RoS handling and disposal arrangements for sensitive / business critical information then the sharer must include handling and disposal instructions.
• Any information received from outside government that is marked to indicate sensitivity (e.g. “commercial in confidence”) must be handled in accordance with the OFFICIAL level.
• In the event of an information security breach (e.g. if it is discovered that information has been handled in contravention of the guidance for handling information), the information security incident notification procedures must be followed.

What happens if the security classification policy is not followed?

• Anyone who does not comply with the security classification policy may be subject to RoS disciplinary policy.
• If you notice any breach of this policy then you should speak to your line manager.

Related documentation

• Working with Official information