Archive for the ‘Protective Marking’ Category

SharePoint and Protective Marking Systems

Wednesday, November 25th, 2009

In the past few years we’ve seen a number of countries and governments make classification and marking of government information mandatory. The first country moving aggressively in this area was the Australian government which adopted the Australian Email Protective Marking Standard in 2005. This standard required that all email generated by federal agencies be classified and protectively marked (text in the email subject line shows the classification). The stadard included all email, not just secret or classified material. This meant that all unclassified email also had to be classified. This resulted in an email environment where all government employees could quickly understand the sensitivity of the information they were handling, resulting in less inadvertant data loss.

The UK has also moved agressively in this area in recent years. The UK Protective Marking Standard is part of the UK government’s security policy. The Protective Marking System (often referred to as the Government Protective Marking System/Scheme or GPMS) is the Government’s policy to ensure that access to information and other assets is correctly managed and safeguarded to an agreed and proportionate level throughout their lifecycle, including creation, storage, transmission and destruction. Departments and Agencies must apply the Protective Marking System and the necessary controls and technical measures as outlined in the framework. The Protective Marking System comprises five markings. In descending order of sensitivity (HMG Security Policy Framework v.3.0 Oct 09) they are: TOP SECRET, SECRET, CONFIDENTIAL, RESTRICTED and PROTECT. The term ‘UNCLASSIFIED’ or ‘NOT PROTECTIVELY MARKED’ may be used to indicate positively that a protective marking is not needed.

The US is also finalizing a Presedential Directive called Controlled Unclassified Information that would require much of the US government’s unclassified information to be protectively marked.

SharePoint can assist in the classification and marking of documents to comply with Protective Marking Standards. A custom column called Classification can be added to SharePoint document libraries and lists and the user can be forced to classify the document when they are saved or uploaded into SharePoint.

In addition to classifying the documents as they are added to SharePoint, Titus Labs provides solutions which ensure full compliance with marking standards. Titus Labs Document Marking for SharePoint solution ensures that all documents contain the required visual markings (headers and footers) clearly indicating the classification of the documents. As documents are saved or uploaded to SharePoint, the Document Marking for SharePoint solution will automatically add the require markings to the document based on the value in the classification column. For instance, if a document is classified as Confidential, the software will place a "Confidential" marking in the header and footer of the document. The software will apply markings one document at a time, or in batch if several or hundreds of documents are added to SharePoint at once. This ensures that as employees work with documents in the SharePoint environment, the documents will always contain a protective marking, even if the document is removed from SharePoint and sent via email.

Titus Labs’ Metadata Security for SharePoint product provides additional security for information stored in SharePoint based on their metadata tags. In a Protective Marking environment, information can be secured and filtered in SharePoint based on the protective marking. For example, if a document library contains some Unclassified and some Confidential information, the Metadata Security for SharePoint product can ensure that only some users will be able to see the Confidential Information. Users not cleared for Confidential material will only see the Unclassified material when they access the document library. This solutions helps government agencies comply with the requirement that access to protectively marked assets is only granted on the basis of the ‘need to know’ principle.