Should we mourn the potential passing of Business Impact Levels?

It is proposed that the introduction of the new Government Security Classifications (GSC) in April 2014 will result in the demise of Business Impact Levels (BILs). [Business Impact Levels have been in existence since approximately 2006 and allow for the grouping of information into one of seven levels by considering the business impacts in a number of categories, such as financial loss, personal privacy, national security and health implications, using tables published by CESG.] Those working in central government IT will be used to hearing conversations about a system being IL2 or IL3 and whether RESTRICTED is the same as IL3. Whilst the Cabinet Office, CESG and other senior groups can provide numerous examples of how BILs are misunderstood and widely misused, particularly in procurement activities, there has been minimal formal communication of what this disappearance will mean to those groups who work with BILs on a daily basis.

Skilled, pragmatic IA practitioners are used to working with, and occasionally around, BILs whilst understanding and responding to real business impacts. The removal of BILs has the potential to provide the latitude which to date they have had to work hard to achieve. The major challenges to address will be:

· how to use a mandatory risk assessment methodology which currently relies on BILs (hopefully this will be resolved before April)

· working with clients and suppliers who have a considerable reliance on BILs

· advising clients and their employers on how to work with the G-Cloud, which currently classifies services into BILs

HMG departments are likely to face some of the greatest challenges since they have considerable communities which make use of BILs in different ways:

· Procurement and commercial teams often, rightly or wrongly, use BILs with no understanding of how the level has been calculated

· Information Asset Owners are used to valuing their assets in terms of the banded business impact statements provided in the BIL tables rather than calculating specific impacts

· Information assurance teams have to support this change alongside the new GSC, both within their teams and across their organisations

· Information sharing partners will need to communicate business impacts and potentially define the specific protections they require

Many suppliers are used to the inclusion of a BIL in requirements being, at best, a vague indication of the controls which are going to be required for the solution. The passing of BILs therefore potentially heralds better requirements which articulate actual customer needs. Suppliers' major concern should be ensuring they have access to skilled IA practitioners to provide and communicate risk management deliverables in the brave new world.

Whilst the disappearance of BILs is likely to cause some operational challenges for all involved, it can be suggested that recently they have been providing a false sense of security. The increased level of risk acceptance in departments has meant that, whilst they nominally work at the same BIL, they may treat risks very differently. After the initial acclimatisation, assessment of true business impacts should provide the public sector with solutions which address their specific needs and deliver increased business benefits, both through functionality and reduced costs.

Would you like to discuss what the potential disappearance of BILs means to you? Regency are happy to talk to Information Asset Owners, Accreditors, Procurement Teams, Project Managers, Public Sector Suppliers or any other interested groups without obligation. Contact us here.