The process of accrediting the services on the G-Cloud Cloudstore is underway. There is a lot to do, and one common question has been about Impact Levels. Obviously the concept was new for quite a few people, and misunderstood by a fair few more, so I thought a short guide might be helpful. If you prefer, you can get the full detail from the reassuringly comprehensive 114 page HMG IA Standard No. 1 – Technical Risk Assessment (or IS1 in the jargon) which is on CESG’s website. If you want the headlines, read on:
So why do we need all this “IL” stuff? Well, for government systems there is obviously a need to make sure that information stored in them is appropriately protected. ‘Appropriate’ could range from: open to the public – to patient records – right through to highly secret national security information, so there needs to be a process to assess what is required in each case. It is this process (the Technical Risk Assessment) that is set out in detail in IS1. When you think about risks to a system, it makes sense to ask “what if the system were compromised?”, and the impact that would have on the business is a logical place to start. If you group that into levels, you get Business Impact Levels. They are currently defined from 0 (no impact) to 6 (severe impact).
Now, like most of these things, there is a shorthand in general use. A Business Impact Level (often written as IL, but really should be BIL) comes from consideration of 3 potential compromise areas:
- confidentiality: the potential impact if the information is seen by those who should not see it;
- integrity: the potential impact if the accuracy or completeness of the information is compromised;
- availability: the potential impact if the information becomes inaccessible.
The idea is that the person doing the risk assessment considers what the impact would be if the information was compromised from each perspective independently. There is a big set of tables (published in the IS1 document) to look up the BIL score based on the descriptions provided. For example, under availability, loss of access to information supporting a key transport capability might be assessed as incurring a financial loss. There is a table category called “Impact on Public Finances”. Under each BIL, it sets out the appropriate measure: for BIL1 it says “Loss to Public Sector of up to £10,000” – whereas, for BIL4, it has “Loss to HMG/ Public Sector of £10s millions up to £100 million”. It is simply a case of estimating the impact and coming up with a BIL number. There may be more than one appropriate category. Assessment cannot be an exact science; it requires judgement.
Once complete, an assessment will be something like BIL 3.3.4. If you see it written as IL3, it generally just refers to the confidentiality element. If you see statements like “a service accredited to IL3”, what this actually means is that the service has been reviewed as potentially suitable to hold information assessed at BIL3.3.x. Potentially suitable means that it fits the typical criteria needed. The information owner still needs to check. Simple, eh? What really matters here is that the bulk of the accreditation effort can be done once and reused, rather than doing the whole thing from scratch every time a service is to be used.
More on this in my next post on Common Accreditation Myths. I am keen to get feedback. Is this sort of thing useful? Do you want more? Something different? Do please leave a comment and let me know or get in touch.

Are these all the guides for business impact levels?
More information is available in the G-Cloud IA Guidance references on our website
http://gcloud.civilservice.gov.uk/supplier-zone/accreditation/accreditation-references/
You will need to look through the Extract from HMG IA Standard No.1 Business Impact Level Tables.
http://www.cesg.gov.uk/publications/Documents/business_impact_tables.pdf
Which tools do you use to guarantee data confidentiality in the cloud?
As for tools, there are controls and products. A range of controls can be used to guarantee data confidentiality depending on the sensitivity of the material in a cloud service. Some of the products used in these controls may be recognised by our assurance schemes, for example CAPS. The controls must follow the UK information assurance standards, especially if the service is IL3 or above. More information is available in the G-Cloud information assurance guidance on our website
http://gcloud.civilservice.gov.uk/supplier-zone/accreditation/#guidance
If you would like more information, please contact the G-Cloud security team with more details of the type of service you are referring to.
enquiries@gcloud.cabinet-office.gov.uk
“Which tools do you use to guarantee data confidentiality in the cloud?”
For ‘tools’, there are controls and products. You can use a range of controls to guarantee data Confidentiality depending on the sensitivity of the material in your cloud service. Some of the products used in these controls may be recognised by our assurance schemes, e.g. CAPS. The controls should follow HMG IA Standards, especially if the service is IL3 or above. More information is available in the G-Cloud IA Guidance on our website
http://gcloud.civilservice.gov.uk/supplier-zone/accreditation/#guidance
If you require more information, please contact the G-Cloud Security team with more details of the type of service you are referring to.
enquiries@gcloud.cabinet-office.gov.uk
Is there a business user friendly “ready reckoner” to assess in outline what the IL level should be? I’m getting a bit bogged down with the language around this from my IT colleagues – I want to check the art of the possible around cloud based collaboration tools.
Ingrid
More information is available in the G-Cloud IA Guidance references on our website
http://gcloud.civilservice.gov.uk/supplier-zone/accreditation/accreditation-references/
You will need to look through the Extract from HMG IA Standard No.1 Business Impact Level Tables. Consider the impact to your business of unauthorised people: seeing information in your system (Confidentiality), changing information in your system (Integrity), preventing you from accessing information in your system (Availability).
The impact is written in plain English and you should note that not all of the tables may be applicable to your system.
I’m sorry for the layout of the headings to each table. They are after each one, rather than before it. It makes it a little hard to read. There is another version that includes Reputation as a consideration. However, this is not in the publicly available version at the moment.
As you go through the tables, start at level 6 and work towards 0 (right-to-left). Stop at the level you believe to be the maximum impact for Confidentiality on each table and note the numbers down. The highest number you have noted down is the impact level for Confidentiality. Go through the tables twice more. Once for Integrity and once for Availability.
You should now have 3 numbers noted down: maximum Confidentiality, maximum Integrity, maximum Availability. Write them down in that order with a dash between each one and that is the Business Impact Level (BIL) of your system, e.g. 3-3-4.
Everyone is most often concerned with Confidentiality, so the services on the Store have badges to summarise that:
http://gcloud.civilservice.gov.uk/2012/08/23/accreditation-badges/
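The procedure in the reply above (and the BIL 3.3.4 / IL3 shorthand explained in the post) can be written down as a small calculation, which makes the "highest number per perspective" rule and the meaning of an IL3 badge concrete. The following is an added example, not code from the G-Cloud team or from IS1; the table names and the levels in the sample assessment are constructed for illustration, and the `potentially_suitable` check is my reading of the post's statement that a service accredited to IL3 is potentially suitable for information at BIL3.3.x (confidentiality and integrity within the badge, availability left to the information owner).

```python
from typing import Dict, Mapping, Tuple

# The three compromise perspectives, in the order a BIL is written (C-I-A).
PERSPECTIVES = ("confidentiality", "integrity", "availability")
MIN_LEVEL, MAX_LEVEL = 0, 6  # BILs are defined from 0 (no impact) to 6 (severe impact)

# Constructed sample assessment (not real IS1 data): for each BIL table the
# assessor consulted, the level judged for each perspective. A table that does
# not apply to a perspective is simply omitted, matching the reply's note that
# "not all of the tables may be applicable to your system".
SAMPLE_ASSESSMENT: Dict[str, Dict[str, int]] = {
    "Impact on Public Finances": {"confidentiality": 1, "integrity": 2, "availability": 4},
    "Personal information (constructed)": {"confidentiality": 3, "integrity": 3},
    "Service delivery (constructed)": {"integrity": 1, "availability": 2},
}


def _check_level(table: str, perspective: str, level: int) -> int:
    """Reject anything outside the defined 0..6 range before it can silently win a max()."""
    if not isinstance(level, int) or not MIN_LEVEL <= level <= MAX_LEVEL:
        raise ValueError(f"{table}/{perspective}: level {level!r} is not in {MIN_LEVEL}..{MAX_LEVEL}")
    return level


def business_impact_level(assessment: Mapping[str, Mapping[str, int]]) -> Tuple[int, int, int]:
    """Return (C, I, A): for each perspective, the highest level noted across all tables.

    This is the reply's procedure: go through the tables once per perspective,
    note the level on each, and keep the highest. A perspective that appears in
    no table scores 0 (no impact).
    """
    result = []
    for perspective in PERSPECTIVES:
        levels = [
            _check_level(table, perspective, scores[perspective])
            for table, scores in assessment.items()
            if perspective in scores
        ]
        result.append(max(levels, default=MIN_LEVEL))
    c, i, a = result
    return (c, i, a)


def format_bil(bil: Tuple[int, int, int], sep: str = "-") -> str:
    """Write the BIL in C-I-A order, e.g. '3-3-4' (the post also writes it as '3.3.4')."""
    return sep.join(str(level) for level in bil)


def il_shorthand(bil: Tuple[int, int, int]) -> str:
    """The 'IL3' shorthand refers to the confidentiality element only."""
    return f"IL{bil[0]}"


def potentially_suitable(service_il: int, bil: Tuple[int, int, int]) -> bool:
    """Interpretation (assumption) of 'a service accredited to ILn is potentially
    suitable for BIL n.n.x': confidentiality and integrity must not exceed n.
    Availability is the 'x' the information owner still has to check, so it is
    deliberately not decided here."""
    c, i, _availability = bil
    return c <= service_il and i <= service_il


def main() -> None:
    bil = business_impact_level(SAMPLE_ASSESSMENT)
    print("BIL:", format_bil(bil), "written as", format_bil(bil, "."), "shorthand", il_shorthand(bil))
    for badge in (2, 3):
        verdict = "potentially suitable" if potentially_suitable(badge, bil) else "not suitable"
        print(f"Service accredited to IL{badge}: {verdict} (availability still to be checked by the owner)")


if __name__ == "__main__":
    main()
```

Running it on the constructed assessment gives BIL 3-3-4 (IL3 in shorthand): an IL3 badge is potentially suitable, an IL2 badge is not, and in both cases the availability element is left for the information owner, exactly as the post says.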
Hello.
The business impact tables have now been updated and also include a row for assessment of “reputation”. While this does not necessarily affect the scores, I think that the link needs to be updated with the latest release.
Thanks,
Phil
The only publicly available version of the business impact level (BIL) tables is the version from October 2009. G-Cloud Security is working with CESG to make the April 2012 version of the BIL tables publicly available as an extract from HMG IA Standard Numbers 1 & 2 – Supplement.
Hello,
Thank you, this was an extremely useful summary!
This is very useful, thank you.
(MOD employee)
I see that SCC has delivered the first UK Healthcare Cloud to Mersey Care NHS Trust. Does IL3 support the NHS requirement for N3 Code of connectivity etc security levels required for patient data to be held in their cloud?
This appears to be focused on “public sector” (government-managed) entities, correct? How does IL3 accreditation apply to non-UK service providers?
Steve, that’s not quite correct, no. The UK Government (which could be a central Government Department or agency down to Local Authorities or emergency services) uses Impact Levels to assess the potential impact of our information being compromised. If a non-UK service provider wants to supply to government, and hold any information where there would be an impact caused by compromise, then it is likely they would need to go through security accreditation. For G-Cloud, this could be through the Pan Government Accreditation service or with local accreditation with each customer. For full information about accreditation through G-Cloud refer to the accreditation page.
The requirements of UK Government IA policy must be able to be met in any overseas location – you should refer to the Cabinet Office guidance on off-shoring for more detail on this: http://www.cabinetoffice.gov.uk/resource-library/government-ict-offshoring-international-sourcing-guidance
Thank you, Emma!
How does one go about obtaining IL3 accreditation? There is VERY little about this on the web.
Have a look in our accreditation zone http://gcloud.civilservice.gov.uk/supplier-zone/accreditation/#guidance and in the additional resources http://gcloud.civilservice.gov.uk/supplier-zone/accreditation/accreditation-references/ and let us know if there’s a question we haven’t covered.
Hi would anyone know what the IL would be for the education sector? Thanks
For some software solutions such as libraries and catering solutions, the IL appears to be zero, but in some sections, biometrics is seen as important to minimise the opportunities for the school bully to extract user names and passwords from vulnerable students to commit identity theft. I discussed biometrics with members of the G-Cloud team at the Civil Service event, but biometrics does not come under the IL banner. Voice recognition is an alternative to biometrics to protect against identity theft, which is important for the disabled, who are not so dexterous; I understand that voice recognition, Android and iPhone security are not in the IL agenda either.
Thanks! This type of simple summary is really useful.
Very useful synopsis, for which thanks.
I understand that UK Government is considering simplifying the business impact levels such that the present IL0, IL1, IL2 and IL3 are treated together, and their common security requirement would be equivalent to commercial best practice ISO27001.
Could you provide any guidance on this?
JM – The UK Cabinet Office is carrying out a review of the protective marking scheme. Our approach to this is detailed in paragraphs 60 and 61 of the G-Cloud IA guidance, available on our accreditation page.
Agreed, very useful, and I would also like to ask for something similar on ISO 27001 and IL2 for the G-Cloud.
Excellent. More of the same please.
The article was extremely useful and well written. Thank you.
As a supplier of information notice boards accessible by lots of different people, I am concerned with slander, libel and copyright.
These are aspects of confidentiality, integrity and availability. The implementations of Impact Levels to my knowledge pay little allegiance to this. In a library system, information entered by an originator has to be vetted and checked before publication to restricted sources (integrity and confidentiality). A Cloud solution has to prevent inappropriate comments from being published, i.e. made ‘available’.
I would welcome any feedback as to where and how Impact Levels are tied in with slander, libel and copyright.
Another piece of concise and very useful info from the G Cloud team. Keep it coming. Thanks.
Very good.
Please keep the information flowing.
Great to see this. More of the same please!
Echoing the comment above I would like to see more clarification of how 27001 and IL2 will be expected to work together as part of the GCloud information assurance process.
Very useful information. Thank you.
Yes – this is very useful. Please write one on ISO27001 too as this is an obstacle for submission to the G Cloud ITT.
Yes, this is useful, and even more information would be helpful. I would like to know more about the size of opportunities and government IT markets there are currently, broken down by BIL levels and public bodies.
It would also be interesting to know if this is likely to change and what, if any, pressure there will be for a reassessment of BIL levels downwards in cases where they are perhaps set too highly because of excessive caution in the judgements being applied.
Absolutely this is useful! Thank you – after years of working on/off with government departments this sort of open/simple information is very welcome!