The process of accrediting the services on the G-Cloud Cloudstore is underway. There is a lot to do, and one common question has been about Impact Levels. Obviously the concept was new for quite a few people, and misunderstood by a fair few more, so I thought a short guide might be helpful. If you prefer, you can get the full detail from the reassuringly comprehensive 114 page HMG IA Standard No. 1 – Technical Risk Assessment (or IS1 in the jargon) which is on CESG’s website. If you want the headlines, read on:
So why do we need all this “IL” stuff? Well, for government systems there is obviously a need to make sure that information stored in them is appropriately protected. ‘Appropriate’ could range from information that is open to the public, through patient records, right up to highly secret national security information, so there needs to be a process to assess what is required in each case. It is this process (the Technical Risk Assessment) that is set out in detail in IS1. When you think about risks to a system, it makes sense to ask “what if?” the system were compromised, and the impact that would have on the business is a logical place to start. If you group that into levels, you get Business Impact Levels. They are currently defined from 0 (no impact) to 6 (severe impact).
Now, like most of these things, there is a shorthand in general use. A Business Impact Level (often written as IL, but really should be BIL) comes from consideration of three potential compromise areas:
- confidentiality: the potential impact if the information is seen by those who should not see it,
- integrity: the potential impact if the accuracy or completeness of the information is compromised,
- availability: the potential impact if the information becomes inaccessible.
The idea is that the person doing the risk assessment considers, from each perspective independently, what the impact would be if the information was compromised. There is a big set of tables (published in the IS1 document) to look up the BIL score based on the descriptions provided. For example, under availability, loss of access to information supporting a key transport capability might be assessed as incurring a financial loss. There is a table category called “Impact on Public Finances”. Under each BIL, it sets out the appropriate measure: for BIL1 it says “Loss to Public Sector of up to £10,000”, whereas for BIL4 it has “Loss to HMG/ Public Sector of £10s millions up to £100 million”. It is simply a case of estimating the impact and coming up with a BIL number. There may be more than one appropriate category. Assessment cannot be an exact science; it requires judgement.
Once complete, an assessment will be something like BIL 3.3.4. If you see it written as IL3, it generally just refers to the confidentiality element. If you see statements like “a service accredited to IL3”, what this actually means is that the service has been reviewed as potentially suitable to hold information assessed at BIL3.3.x. Potentially suitable means that it fits the typical criteria needed. The information owner still needs to check. Simple, eh? What really matters here is that the bulk of the accreditation effort can be done once and reused, rather than doing the whole thing from scratch every time a service is to be used.
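To show how the notation above fits together, here is an added Python example (not part of the original post or of IS1) that parses the BIL triple and the IL shorthand, reading “IL3” as confidentiality-only for information but as BIL3.3.x for a service, and applies the “potentially suitable” test. Treating a service-side “x” as “not reviewed, so it cannot satisfy a stated requirement” is my assumption, not something the standard states.

```python
import re
from typing import Optional, Tuple

# (confidentiality, integrity, availability); None stands for "x" or "unstated"
Profile = Tuple[Optional[int], Optional[int], Optional[int]]

_FULL = re.compile(r"BIL([0-6X])\.([0-6X])\.([0-6X])")   # e.g. BIL3.3.4, BIL3.3.X
_SHORT = re.compile(r"IL([0-6])")                         # e.g. IL3


def _normalise(text: str) -> str:
    return text.strip().upper().replace(" ", "")


def parse_bil(text: str) -> Profile:
    """Parse the full notation, e.g. 'BIL 3.3.4' or 'BIL3.3.x'; 'x' becomes None."""
    m = _FULL.fullmatch(_normalise(text))
    if not m:
        raise ValueError(f"not a full BIL triple: {text!r}")
    return tuple(None if g == "X" else int(g) for g in m.groups())


def information_profile(text: str) -> Profile:
    """Assessment of a piece of information. Shorthand 'IL3' refers to the
    confidentiality element only, so integrity and availability stay unstated."""
    m = _SHORT.fullmatch(_normalise(text))
    if m:
        return (int(m.group(1)), None, None)
    return parse_bil(text)


def service_profile(text: str) -> Profile:
    """Accreditation statement for a service. 'Accredited to IL3' means reviewed
    as potentially suitable for information at BIL3.3.x, i.e. (3, 3, None)."""
    m = _SHORT.fullmatch(_normalise(text))
    if m:
        level = int(m.group(1))
        return (level, level, None)
    return parse_bil(text)


def potentially_suitable(service: str, information: str) -> bool:
    """True if the service's accreditation covers every component the information
    assessment states. Assumption (mine): a component the service leaves as 'x'
    was not reviewed and so cannot satisfy a stated requirement. The information
    owner still has to confirm the fit; this is only the first-pass check."""
    for have, need in zip(service_profile(service), information_profile(information)):
        if need is None:
            continue                      # the information imposes nothing here
        if have is None or have < need:
            return False
    return True
```

Note that a service accredited to IL3 does not pass for information assessed at BIL 3.3.4, because the shorthand says nothing about availability.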
More on this in my next post on Common Accreditation Myths. I am keen to get feedback. Is this sort of thing useful? Do you want more? Something different? Do please leave a comment and let me know or get in touch.