Changes to CESG Data-at-Rest Policy
CESG is taking the opportunity offered by the new Government Security Classification Policy to
revise the Data-at-Rest policy.
The old guidance did not adequately capture the residual risks that the wider system presents to the
information. When CESG assured Data-at-Rest products, it did so based on an evaluation of the
product alone, not the wider system, and the lack of assurance of the wider system leads to risks
that cannot be mitigated by the product itself.
Consider a laptop with an encrypted disk. We can assure the disk pack and its interaction with the
wider system, and may be able to say that the encryption on the disk is strong enough to provide the
required confidentiality. However, we cannot guarantee that the laptop does not have a key logger
installed on it, or an implant that egresses data over WiFi, or has been physically tampered with, etc.
We are currently producing policy that addresses this problem.
In future, the handling requirements necessary to mitigate the residual risks will be a decision for the
Information Risk Owner (IRO) based on an understanding of the residual risks, and how they apply in
the particular operational scenario.
The intention is to provide the IRO with the information necessary to allow an informed, local
decision on measures necessary to mitigate residual risk based on operational considerations. In
some cases the decision may be to simply 'handle as if TS/S/Official', but the scope and flexibility are
there for the IRO to mandate whatever residual handling requirements they deem appropriate.
Release of a CESG Information Assurance Notice (CIAN) containing further information is imminent.
If you have any queries on this, please contact Andi Holland andi.holland@gchq.gsi.gov.uk, or Steve
Candler stephen.candler@gchq.gsi.gov.uk