In 2018, the Australian Government released the new Protective Security Policy Framework. This framework aims to assist Australian Government agencies to protect people, assets, and information, as well as providing guidance on how to apply the framework’s requirements.

From an information security perspective, the PSPF focuses on maintaining the confidentiality (ensuring information is accessed by the right people), integrity (ensuring information is accurate, complete and up to date), and availability (ensuring people have timely and reliable access to information) of information.

This, in conjunction with the release of new protective markings by the Office of the Victorian Information Commissioner and the current requirements of the Privacy and Data Protection Act 2014 (Vic), prompted one Victorian state government agency to seek the development of a solution that would help them manage the ever-increasing volume of information being shared over email.

As organisations produce a range of information using different tools and techniques, the approach to the application of protective measures will vary. In the case of Emails, it is the responsibility of the originator to ensure any recipients of the information they create understand how to protect the information.

In order to achieve this, the originator is required to apply relevant markings to emails (referred to as “Protective Markings”) to communicate to the recipient how the information needs to be protected.

The Victorian Legal Services Board recently engaged Kapish to design and build a technical solution that would assist them in complying with the requirements of the Privacy and Data Protection Act 2014 (Vic), supported by the PSPF.

The solution should:

• Apply the relevant protective markings to emails
• Apply the relevant security classification to emails
• Assist with the accurate registration of emails into the organisation’s EDRMS - Content Manager
• Be intuitive to use to increase the uptake of the new solution

Kapish worked closely with the Victorian Legal Services Board to design the solution using the updated Protective Markings provided by the Office of the Victorian Information Commissioner (see Figure 1: Updated Protective Markings). The solution has been successfully implemented at this agency.

Figure 1: Mapping from Old to New Protective Markings. Victorian Protective Data Security Framework | Version 2.0 | February 2019

The solution that Kapish developed works seamlessly with Microsoft Outlook, allowing Protective Markings and security classifications to be applied to emails as they are sent out.

The ‘Application of Protective Markings’ component, initiated on ‘send’, gives the user the ability to  choose the most appropriate Protective Marking from a series of Security Classifications and Information Management Markers.

The available Protective Marking options are derived from values created and managed in Content Manager (CM) as Security Classification and Information Management Markers. This will allow the CM Administrator to easily modify the available Protective Markings values in CM.

The selected Protective Markings will be applied to the email in the following three (3) places:

• Appended to the ‘Subject’ field
  
  • e.g. “This is an example subject line [SEC= PROTECTED]”
• Added to the Internet Message Header Extension
  
  • e.g. “X-Protective-Marking:SEC= PROTECTED,DLM= Sensitive:Personal”
• Added as a Header (optionally in the Footer too) in the Email Body – Bold typeface, Red font colour and Centre Paragraph Alignment (refer to Figure 3: Example email showing the proposed formatting of Protective Markings in Email Body Header and Footer).

Figure 2: Example email showing the proposed formatting of Protective Markings in Email Body Header and Footer

The CM Administrator has the ability to configure the add-in to suppress the ‘Application of Protective Markings’ dialog box for emails addressed to internal contacts.

The Victorian Legal Services Board is the first Victorian government agency to implement such a solution.

For further information visit http://kapish.com.au/contact-us/