ISMF Guideline 8b – New classification scheme for confidentiality of information and associated assets
OCIO/G4.8b
Government guideline on cyber security
BACKGROUND
On 26 July 2011, the Australian Government announced a new confidentiality classification scheme, which was subsequently approved by the Government of South Australia for use in ICT systems on 12 October 2011. Notably, the X-IN-CONFIDENCE, HIGHLY PROTECTED and RESTRICTED classifications have been retired and several ‘dissemination limiting markers’ (DLMs) [1] were introduced.
ISMF version 3.1 and later editions describe the new classification scheme and introduce DLMs and ‘caveats’ for use with governmental information and associated assets. Classifications for integrity and availability requirements remain unchanged from earlier editions of the ISMF. This guideline supports implementation of ISMF Policy Statement 8.
GUIDANCE
This guideline assists agencies and suppliers to government in translating earlier classification
markings to the revised scheme. The purpose of this guideline is to facilitate agency migration of
existing information assets to the new dissemination and/or protective security markings described
in the current ISMF.
Rule-set
The majority of translations between the earlier scheme and the new markings are one to one.
However, the retirement of some classifications (noted above) and the introduction of caveats,
coupled with rules for the Sensitive: Cabinet dissemination limiting marker for Australian
Government information, creates some unique circumstances whereby a combination of a
dissemination limiting marker and a protective security marking or a caveat may be required. The
matrix contained in this guideline is not intended as an absolute rule-set and agencies are advised
to consult their Information Security Technology Adviser [ITSA] for further guidance.
Migration matrix
The table on the following page lists commonly used classifications from earlier versions of the
ISMF (and by association the now retired Australian Government Protective Security Manual or
PSM) and aligns these with the revised markings in ISMF v3.1 (and by association the current
Australian Government Protective Security Policy Framework). The table commences with the
least restrictive category of information and progresses to the most onerous classifications.
[1] Dissemination limiting markers (DLMs) are markings for information where disclosure may be limited or prohibited by legislation, or where it may otherwise require special handling.
OLD CLASSIFICATION SCHEME (former classifications defined by the Australian Government PSM) → NEW CLASSIFICATION SCHEME: Protective marking (classification) / Dissemination Limiting Marker / Optional Caveat(s) [2]

PUBLIC [3]
  Protective marking: PUBLIC
  Dissemination Limiting Marker: PUBLIC
  Optional caveat(s): DO NOT release until; DO NOT release after

UNCLASSIFIED [4]
  Dissemination Limiting Marker: For Official Use Only. Sensitive [5] may be used in place of ‘For Official Use Only’ with security classified or unclassified information:
    • where the secrecy provisions of enactments may apply, and/or
    • the disclosure of which may be limited or prohibited under legislation.
  Optional caveat(s): Permission required

GOVERNMENT-IN-CONFIDENCE
  Dissemination Limiting Marker: For Official Use Only (FOUO)

AGENCY-IN-CONFIDENCE
  Dissemination Limiting Marker: For Official Use Only (FOUO)
  Optional caveat(s): (audience name) Eyes Only, e.g. Committee EO

COMMITTEE-IN-CONFIDENCE
  Optional caveat(s): When completed

STAFF-IN-CONFIDENCE

SECURITY-IN-CONFIDENCE
[2] Table 4 of the ISMF describes applicable Government of South Australia caveats. It is available for download at http://www.sa.gov.au/policy/ismf
[3] Information intended for Public use may now make use of South Australian Government caveats related to the release of this information per ISMF control S19.3.
[4] UNCLASSIFIED information should now apply a Dissemination Limiting Marker instead of the word UNCLASSIFIED.
[5] When applying the Sensitive marking without a pre-defined suffix (such as Commercial, Medical, Legal, Personal etc.), the section of the relevant Act containing the secrecy or non-disclosure requirements must be cited. This enables receiving parties to be aware of their obligations and assists Freedom of Information Officers in determining what aspects of a record or document may not be disclosed.
Government guideline on cyber security
New classification scheme for confidentiality v1.2
Page 2 of 8
OLD CLASSIFICATION SCHEME (former [IC] X-in-Confidence classifications defined by the Australian Government PSM) → NEW CLASSIFICATION SCHEME: Protective marking (classification) / Dissemination Limiting Marker / Optional Caveat(s) [2]

Former [IC] X-in-Confidence classifications (continued from the previous page)
  Dissemination Limiting Marker: For Official Use Only (FOUO) – if containing no personally identifiable information (i.e. privacy data). Sensitive: Personal may be used with security classified or unclassified information that is sensitive personal information.

CLIENT-IN-CONFIDENCE
  Dissemination Limiting Marker: Sensitive: Personal may be used with security classified or unclassified information that includes sensitive personal information.

COMMERCIAL-IN-CONFIDENCE
  Dissemination Limiting Marker: Sensitive: Commercial is specifically implemented in South Australia to facilitate the rapid reassignment of existing COMMERCIAL-IN-CONFIDENCE classified materials.

PATIENT-IN-CONFIDENCE and MEDICAL-IN-CONFIDENCE
  Dissemination Limiting Marker: Sensitive: Medical is a DLM specifically implemented in South Australia and must be used for any information that may be subject to medical practitioner-patient privilege. This DLM must also be applied in place of Sensitive: Personal markings where secrecy provisions of healthcare enactments or other medical industry legislation may apply.

ATTORNEY-IN-CONFIDENCE and LEGAL-IN-CONFIDENCE
  Dissemination Limiting Marker: Sensitive: Legal may be used for any information that may be subject to legal professional privilege.
  Optional caveat(s): When completed

SOUTH AUSTRALIAN CABINET-IN-CONFIDENCE
  Dissemination Limiting Marker: Sensitive: SA Cabinet is a DLM specifically implemented in South Australia to facilitate rapid reassignment of existing CABINET-IN-CONFIDENCE classified materials. It is considered the most sensitive of the DLMs that do not require an accompanying protective marking (i.e. security classification).
OLD CLASSIFICATION SCHEME (former classifications defined by the Australian Government PSM) → NEW CLASSIFICATION SCHEME: Protective marking (classification) / Dissemination Limiting Marker / Optional Caveat(s) [2]

AUSTRALIAN GOVERNMENT CABINET-IN-CONFIDENCE
  Protective marking: PROTECTED (or higher)
  Dissemination Limiting Marker: Sensitive: Cabinet is a DLM to be applied to Australian Government (i.e. federal) cabinet information such as:
    • any document including but not limited to business lists, minutes, submissions, memoranda and matters without submission that is or has been:
      — submitted or proposed to be submitted to Cabinet, or
    • official records of Cabinet
    • any other information that would reveal:
      — the deliberations or decisions of Cabinet, or
      — matters submitted, or proposed to be submitted to Cabinet.
  Note: Any use of the DLM ‘Sensitive: Cabinet’ is to be accompanied by a security classification protective marker of at least PROTECTED level.

PROTECTED
  Protective marking: PROTECTED
  Dissemination Limiting Marker / optional caveat(s): Refer Australian Government Protective Security Policy Framework

HIGHLY PROTECTED [6]
  Protective marking: PROTECTED (SA Government); SECRET (Australian Government)

RESTRICTED
  Protective marking: CONFIDENTIAL (in limited circumstances as determined by the originating Australian Government agency)
  Dissemination Limiting Marker: The majority of RESTRICTED information will be marked ‘For Official Use Only’; however, such decisions will be made by the document originator in the Australian Government. In limited circumstances, some information may need to be classified as CONFIDENTIAL.

CONFIDENTIAL
  Protective marking: CONFIDENTIAL
  Dissemination Limiting Marker / optional caveat(s): As above

SECRET
  Protective marking: SECRET
  Dissemination Limiting Marker / optional caveat(s): As above

TOP SECRET
  Protective marking: TOP SECRET
  Dissemination Limiting Marker / optional caveat(s): As above

[6] Certain elements of the former HIGHLY PROTECTED classification may require elevation to SECRET using the new scheme. The findings of an agency risk assessment, including an impact assessment for compromise (loss, damage, theft etc.) of the information, should determine if this measure is warranted. Information received by or held on behalf of the Australian Government must be treated as SECRET unless advised otherwise by the originating agency.
REVISED SOUTH AUSTRALIAN CONFIDENTIALITY CLASSIFICATION STRUCTURE
The image below details the structure of the revised South Australian classification structure in alignment with the Australian Government Protective Security Policy Framework. Classifications to describe availability and integrity requirements for information assets remain unchanged from earlier versions of the ISMF.

[Diagram: revised South Australian confidentiality classification structure; text recovered from the image]
OFFICIAL INFORMATION
  Public Information
  Non-Public Information
    Unclassified Information – Dissemination Limiting Markers:
      Sensitive: SA Cabinet
      Sensitive: Legal, Commercial or Medical
      Sensitive or Sensitive: Personal
      For Official Use Only
    Security Classified Information – Protective Markings:
      Top secret
      Secret
      Confidential
      Protected
      Protected (Sensitive: Cabinet)
  SA government or National Security caveats (optional)
INFORMATION SECURITY TECHNOLOGY ADVISERS
Agency personnel and suppliers to government agencies should initially consult and confer on
classification migration matters with the Information Security Technology Adviser [ITSA] for the
relevant agency. A list of agency ITSAs is available to government personnel via the South
Australian Government Exchange (commonly referred to as SAGE).
HOW TO SELECT AN APPROPRIATE CONFIDENTIALITY MARKING
Double-click the embedded object below (DOCX format version of this guideline only) for a flowchart to assist agency personnel in determining an appropriate DLM and/or classification:
[Embedded object: South_Australian_Confidentiality_Classifications.doc]
APPLY A SOUTH AUSTRALIAN GOVERNMENT INFORMATION CAVEAT (OPTIONAL)
A caveat is a warning that the information has special requirements in addition to those indicated
by the DLM or protective marking. Caveats are not classifications in their own right and are not to
appear without the appropriate DLM or protective marking.
Caveat: Eyes Only (EO)
Description: The Eyes Only marking indicates that access to information is restricted to select individuals, functions or workgroups, for instance:
  • Committee EO: Only Committee members
  • Agency EO: Only Agency personnel
Information must only be shared on a strict need-to-know basis, and membership of a given agency and/or committee does not convey an automatic entitlement.

Caveat: Permission required
Description: Express written consent from the originator of the information is required prior to it being republished or communicated to any other party.

Caveat: When completed
Description: Predominantly used for forms and templates, this conditional caveat indicates that an accompanying DLM or protective marking takes effect only when the form/template has been completed.

Caveat: DO NOT release until
Description: Information may only be released AFTER a specific date, time or specified event. (This caveat may also be used with Public Information, particularly with respect to major announcements or initiatives.)

Caveat: DO NOT release after
Description: Information must only be released PRIOR to a specific date, time or specified event. (This caveat may also be used with Public Information, particularly with respect to emergency management information.)
ADDITIONAL CONSIDERATIONS
• Information in aggregate may trigger an elevation of the information classification. For example, a database or application that holds many instances of formerly X-IN-CONFIDENCE materials may need an aggregated classification at the PROTECTED level. Similarly, many instances of PROTECTED information may need to be treated as SECRET when aggregated.
• All Official Information and information assets not in the public domain must be considered to be for “official use only” and the ‘need-to-know’ principle must be applied. This principle means a person must have a legitimate need to access the classified information assets to carry out their official duties. Other justifications, such as position of authority, or the desire to enter controlled areas or access information for the sake of convenience, are not valid. (ISMF control S19.4)
• Collaboration and sharing of non-public information still retains the ‘need-to-know’ principle, in that information is for retention within the public sector. It is not intended for public dissemination to the community or to private sector organisations, for example.
• The ‘Eyes Only’ caveat may be used to limit dissemination of information across the Government of South Australia and to indicate it is not for use within other jurisdictions (e.g. ‘SA Government Eyes Only’).
• Unclassified information must use at least one DLM; Security Classified Information may also use or contain (several) DLMs.
• Several tools and guidelines have been published at the primary ISMF landing page http://www.sa.gov.au/policy/ismf
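The marking rules stated in this guideline (a caveat never appears without a DLM or protective marking; the release-timing caveats are the only ones used with Public Information; non-public unclassified information carries at least one DLM; ‘Sensitive: Cabinet’ requires a protective marking of at least PROTECTED; a bare ‘Sensitive’ must cite the section of the relevant Act) are the kind of consistency checks a document-labelling or data-loss-prevention pipeline can enforce before a record is stored or released. The following Python checker is an added illustration written for this page, not a tool published with the ISMF or by the OCIO. The pipe-separated marking string, the `caveat:` and `cite:` prefixes, and the sample markings are assumptions made here for the example.

```python
"""Rule checker for the revised South Australian confidentiality markings.

Added illustration only; not a tool from the ISMF or the OCIO. It encodes
just the rules stated in the guideline text and assumes a pipe-separated
marking string of this example's own devising, e.g.

    "PROTECTED|Sensitive: Cabinet|caveat:Committee EO"
    "Sensitive|cite:Example Act 2011 s 12|caveat:When completed"
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Protective markings (security classifications), least to most restrictive.
PROTECTIVE_MARKINGS = ["PROTECTED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]

# DLMs shown in the guideline's revised classification structure.
DLMS = {
    "For Official Use Only", "Sensitive", "Sensitive: Personal",
    "Sensitive: Legal", "Sensitive: Commercial", "Sensitive: Medical",
    "Sensitive: SA Cabinet", "Sensitive: Cabinet",
}

# Caveats from the guideline's caveat table. "Eyes Only" is preceded by an
# audience name (e.g. "Committee Eyes Only" or "Committee EO").
FIXED_CAVEATS = {"Permission required", "When completed",
                 "DO NOT release until", "DO NOT release after"}
PUBLIC_OK_CAVEATS = {"DO NOT release until", "DO NOT release after"}


@dataclass
class Marking:
    protective: Optional[str] = None     # PUBLIC, PROTECTED, ...; None if unclassified
    dlms: List[str] = field(default_factory=list)
    caveats: List[str] = field(default_factory=list)
    act_citation: Optional[str] = None   # Act section backing a bare "Sensitive"


def parse_marking(text: str) -> Marking:
    """Split the assumed 'A|B|caveat:C|cite:D' form into its parts."""
    m = Marking()
    for raw in text.split("|"):
        token = raw.strip()
        if not token:
            continue
        if token.startswith("caveat:"):
            m.caveats.append(token[len("caveat:"):].strip())
        elif token.startswith("cite:"):
            m.act_citation = token[len("cite:"):].strip()
        elif token == "PUBLIC" or token in PROTECTIVE_MARKINGS:
            m.protective = token
        elif token in DLMS:
            m.dlms.append(token)
        else:
            raise ValueError(f"unrecognised marking element: {token!r}")
    return m


def is_eyes_only(caveat: str) -> bool:
    """'<audience> Eyes Only' / '<audience> EO' forms of the Eyes Only caveat."""
    return caveat.endswith("Eyes Only") or caveat.endswith(" EO")


def validate_marking(m: Marking) -> List[str]:
    """Return the rule violations found (an empty list means the marking is consistent)."""
    problems = []
    # Unknown caveat names are reported regardless of the other rules.
    for c in m.caveats:
        if c not in FIXED_CAVEATS and not is_eyes_only(c):
            problems.append(f"unknown caveat: {c!r}")
    has_marking = m.protective is not None or bool(m.dlms)
    if not has_marking:
        # Caveats are not classifications in their own right and never appear alone;
        # non-public unclassified information must carry at least one DLM.
        if m.caveats:
            problems.append("caveat(s) present without a DLM or protective marking")
        else:
            problems.append("unclassified information requires at least one DLM")
    elif m.protective == "PUBLIC":
        # Public information admits only the release-timing caveats.
        for c in m.caveats:
            if c not in PUBLIC_OK_CAVEATS:
                problems.append(f"caveat {c!r} is not used with PUBLIC information")
    # Sensitive: Cabinet (Australian Government) needs PROTECTED or higher.
    if "Sensitive: Cabinet" in m.dlms and m.protective not in PROTECTIVE_MARKINGS:
        problems.append("'Sensitive: Cabinet' requires a protective marking of at least PROTECTED")
    # A bare "Sensitive" DLM must cite the enactment's secrecy provision.
    if "Sensitive" in m.dlms and not m.act_citation:
        problems.append("'Sensitive' without a suffix must cite the relevant section of the Act")
    return problems


def check(text: str) -> List[str]:
    """Parse then validate a marking string."""
    return validate_marking(parse_marking(text))


if __name__ == "__main__":
    # Constructed sample markings for this example, not taken from the guideline.
    for sample in [
        "PROTECTED|Sensitive: Cabinet|caveat:Committee EO",
        "Sensitive: Cabinet",
        "caveat:Permission required",
        "Sensitive|caveat:When completed",
        "PUBLIC|caveat:DO NOT release until",
        "Sensitive: SA Cabinet",
    ]:
        print(f"{sample!r}: {check(sample) or 'OK'}")
```

The checker deliberately reports every violated rule rather than stopping at the first, so a labelling tool can show the originator the full set of corrections needed; ‘Sensitive: SA Cabinet’ on its own passes, which matches the guideline's statement that it is the most sensitive DLM not requiring an accompanying protective marking.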
This guideline does not aim to provide the reader with all of the responsibilities and obligations
associated with information confidentiality classification. It is merely an overview of the information
provided in applicable government cyber security policy, governance frameworks and associated
standards. It is highly recommended that agencies review these documents in their entirety. The
individual requirements of agencies will have direct bearing on what measures are implemented to
mitigate identified risk(s).
REFERENCES, LINKS & ADDITIONAL INFORMATION
• OCIO/F4.1 Government of South Australia Information Security Management Framework [ISMF]
• PC030 Government of South Australia Protective Security Management Framework [PSMF]
• Australian Government Protective Security Policy Framework [PSPF]
ID: OCIO_G4.8b
Classification/DLM: PUBLIC-I2-A1
Issued: March 2013 (re-issued as ISMF Guideline 8b from Guideline 11 – February 2014)
Authority: Security and Risk Steering Committee
Master document location: Q:\SecurityRiskAssurance\Policy Development Sub-program\Policy and Standards\ISMF\ISMFguidelines\ISMFguideline8b(classification).docx
Records management: File Folder: 2011/15123/01 - Document number: 5872181
Managed & maintained by: Office of the Chief Information Officer
Author: Jason Caley, Principal Policy Adviser / Hannah Wheaton, Graduate Officer
Reviewer: Peter Fowler MACS (Snr. CP), IP3P, CISM, CGEIT, CRISC, MAIES, Director Security and Risk Assurance
Compliance: Discretionary
Review date: June 2016
To attribute this material, cite the Office of the Chief Information Officer, Government of South Australia, ISMF Guideline 8b.
This work is licensed under a Creative Commons Attribution 3.0 Australia Licence.
Copyright © South Australian Government, 2013.