
United Kingdom Business Impact Levels (BIL), Guidelines & Destruction Procedures Explained

An Introduction to Business Impact Levels
The Security Policy Framework (SPF) sets out new responsibilities regarding the Protective Security and Risk Management required within Government Departments and Agencies whilst recognising the wider implication for the Commercial Sector which plays an increasingly intimate role within the UK Government matrix, as well as making up the core sectors within the Critical National Infrastructure (energy, water, agriculture, etc). Similarly, organisations such as the National Health Service, Police forces and local Government all handle Government Assets on a regular basis.
The SPF specifies the key elements within the Government's Protective Security System, which details the minimum mandatory requirements relating to the Handling of Personal Data and Managing Information Risk within Government Departments. These requirements are formalised within a new Information Assurance Standard - IA Standard no.6.
The enclosed has been prepared by Don Ruffles Limited using commercially available documentation specifically for the ShreddingMachines.co.uk and Degaussers.eu websites due to the high number of prospects requesting explanations. The enclosed should be used as a guideline only, as it is implicitly recognised that all Organisations should consult with their Security Advisors for specific advice on their individual Requirements. Alternatively, discuss with Don Ruffles Limited expert advisors for specific advice - 01293 775248.
When assessing the Level of Impact that is likely to result from the Loss or Compromise of Information, including that of Sensitive Data, Departments and Agencies must refer to specific Business Impact Levels or BILs, which range from BIL0, which indicates that there is NO IMPACT, to BIL6, which indicates the HIGHEST SECURITY IMPLICATIONS.
Business Impact Levels provide a very handy seven-point scale which allows Departments, Agencies and Commercial Customers to make a balanced assessment of what Countermeasures would be required to effectively meet their Risk Management requirements of Confidentiality and Integrity.
In many cases these recommendations are Minimum Requirements, as Organisations must review where large amounts of data are aggregated, accumulated, or associated with other data, to determine whether a Higher Impact Level, and therefore Greater Protection, may be required. Impact Levels are produced specific to different types of Organisation (Defence, Public Services, Law etc. - as below).
Business Impact Level Sector Tables
The CESG, the National Technical Authority for Information Assurance, in conjunction with the Cabinet Office, has issued a Non Protectively Marked Document which makes available details of Business Impact Level Tables to help Organisations and Individuals assess the Specific Impact of a Loss that would relate to various Sectors within the UK.
These Sectors include:
  • Table 1 - Defence, International Relations, Security and Intelligence
  • Table 2 - Public Order, Public Safety and Law Enforcement
  • Table 3 - Trade, Economics and Public Finance
  • Table 4 - Public Services
  • Table 5 - Critical National Infrastructure (CNI)
  • Table 6 - Personal / Citizen

Examples of Business Impact Levels may include:

Business Impact Level 0 (BIL0) - NO IMPACT
  • Not likely to cause any specific loss but may cause some embarrassment if information were to fall into the wrong hands
Business Impact Level 1 (BIL1) - UNCLASSIFIED or NON PROTECTIVELY MARKED assets
  • To cause a Financial Loss to the Public Sector of up to £1,000.00
  • Likely to cause a Minor Financial Loss to any party - for example under £100.00 for an Individual or Sole Trader or up to £1,000.00 for a Larger Business
Business Impact Level 2 (BIL2) - Criteria for assessing PROTECT (Sub-national security marking) assets:
  • Likely to cause distress to individuals
  • Breach proper undertakings to maintain the confidence of information provided by third parties
  • Breach statutory restrictions on the disclosure of information
  • Cause financial loss or loss of earning potential, or to facilitate improper gain
  • Unfair advantage for individuals or companies
  • Prejudice the investigation or facilitate the commission of crime
  • Disadvantage government in commercial or policy negotiations with others
  • Likely to cause inconvenience or loss to an individual or
  • Would undermine the Financial Viability of UK SMEs (Small and Medium sized Enterprises)
  • Can potentially cause a Financial Loss to the Public Sector of up to £10,000.00
  • Likely to cause a Moderate Financial Loss to any party - for example under £1,000.00 for an Individual or Sole Trader or under £10,000.00 for a Larger Business
Business Impact Level 3 (BIL3) - Criteria for assessing RESTRICTED assets:
  • Affect Diplomatic relations adversely
  • Cause substantial distress to individuals
  • Make it more difficult to maintain the operational effectiveness or security of United Kingdom or Allied forces
  • Cause financial loss or loss of earning potential or to facilitate improper gain or advantage for individuals or Companies
  • Prejudice the investigation or facilitate the commission of crime
  • Breach proper undertaking to maintain confidence of information provided by 3rd parties
  • Impede the effective development or operation of government policies
  • To breach statutory restrictions on disclosure of information
  • Disadvantage government in commercial or policy negotiations with others
  • Undermine the proper management of the public sector and its operations
  • Likely to cause a risk to an Individual's Safety and Liberty
  • Would undermine the Financial Viability of a Minor UK based or UK owned Organisation
  • Can potentially cause a financial loss to HMG/Public Sector of up to £1million
  • Likely to cause a Significant Financial Loss to any party - for example under £10,000.00 for an Individual or Sole Trader or under £100,000.00 for a Larger Business
Business Impact Level 4 (BIL4) - Criteria for assessing CONFIDENTIAL assets:
  • Materially damage diplomatic relations (i.e. cause formal protest or other sanction)
  • Prejudice individual security or liberty
  • Cause damage to the operational effectiveness or security of United Kingdom or allied forces or the effectiveness of valuable security or intelligence operations
  • Work substantially against national finances or economic and commercial interests
  • Substantially to undermine the financial viability of major organisations
  • Impede the investigation or facilitate the commission of serious crime
  • Impede seriously the development or operation of major government policies
  • Shut down or otherwise substantially disrupt significant national operations
  • Likely to cause a risk to a Group of Individuals' Safety and Liberty
  • Would undermine the Financial Viability of a Major UK based or UK owned Organisation
  • Can potentially cause a financial loss to HMG/Public Sector of up to £10million
  • Likely to cause a Significant Financial Loss to any party - for example under £100,000.00 for an Individual or Sole Trader or under £1million for a Larger Business
Business Impact Level 5 (BIL5) - Criteria for assessing SECRET assets:
  • Raise international tension
  • To damage seriously relations with friendly governments
  • Threaten life directly, or seriously prejudice public order, or individual security or liberty
  • Cause serious damage to the operational effectiveness or security of United Kingdom or allied forces or the continuing effectiveness of highly valuable security or intelligence operations
  • Cause substantial material damage to national finances or economic and commercial interests
Business Impact Level 6 (BIL6) - Criteria for assessing TOP SECRET assets:
  • Threaten directly the internal stability of the United Kingdom or friendly countries
  • Lead directly to widespread loss of life
  • Cause exceptionally grave damage to the effectiveness or security of United Kingdom or allied forces or to the continuing effectiveness of extremely valuable security or intelligence operations
  • Cause exceptionally grave damage to relations with friendly governments
  • Cause severe long-term damage to the United Kingdom economy
Business Impact Level Destruction Procedures
Once the Level of Risk relating to your Specific Organisational requirements has been ascertained, it is then necessary to decide on an appropriate Code of Practice for Secure Destruction or Sanitisation, dependent on the Material to be destroyed.
For details of the Destruction Procedure recommended for the following Product Categories, please refer to HMG IA Standard No. 5 - Secure Sanitisation, or contact Don Ruffles on 01293 775248.
Paper Based Products
Magnetic Media, Hard Drives, and Magnetic Tapes includes removable Magnetic Hard Drives, ZIP Drives, Floppy Disks, SCSI Drives and Software-encrypted Disks commonly found on Desktop or Laptop Computers, Videotape, Audiotape, Computer Back-up tape include procedures as follows:
CDs, DVDs and Blu-ray Disks includes CD-ROMs, CD-Rs, CD-RWs, DVD-ROMs, DVD-Rs, DVD-RWs, DVD+Rs, DVD+RWs, DVD-RAMs, BD-ROMs, BD-Rs and BD-Rs:
Microform includes microfiche, microfilm and other reduced image photo negatives:
Other Media to consider may include:
Dynamic RAM (DRAM), EEPROM and EPROM - electrically Erasable PROM
Flash Drives - USB Sticks, Hybrid Hard Drives, SD Cards
FPGA (non volatile and volatile)
Monitors - CRT, Plasma, LCD Screens
Network Devices - switches, routers, interface cards, enterprise networks
Office Equipment - Printers, Scanners, Faxes, Photocopiers, Multi-function Devices
Personal Electronic Devices (PEDs) - Mobile Phones, Smart Phones, Personal Digital Assistants (PDAs)
Screen Controllers - Graphics Cards, Chipsets, Dedicated Graphics Controllers
Smart Cards and SIM Cards - Key Cards, Tablet PCs
Static RAM (SRAM) - Battery-backed or Capacitor-backed SRAM and SRAM without power or backup.