How AUSTRAC avoided a BlackBerry jam

A government e-mail systems lockdown has kept popular BlackBerry handhelds off-limits at many Australian government departments, but a simple fix has changed that.
Written by David Braue, Contributor
Research in Motion's BlackBerry handheld e-mail clients have become must-have items for many corporate road warriors, but security concerns have forced government employees to keep their fingers busy elsewhere -- until recently, that is.

Thanks to Australian Government Information Management Office (AGIMO) guidelines and Defence Signals Directorate (DSD) policies formalising the use of BlackBerrys in government, money-laundering watchdog AUSTRAC (Australian Transaction Reports and Analysis Centre) recently became one of the first government agencies to introduce the devices for use with information at lower security classifications.

A key accommodation that had to be made was the introduction of e-mail marking software, which labels all internal e-mails with a set of standardised tags denoting the classification level of that particular e-mail. These tags were set out in an October AGIMO document, Email Protective Marking Standard for the Australian Government Version 1, which was created to facilitate government departments' compliance with the e-mail management requirements of ACSI33, a DSD-authored living document that mandates information security requirements for government agencies.

In an attempt to control distribution of sensitive information even outside the protective confines of network e-mail filters, DSD guidelines have mandated the use of e-mail protective marking for Australian government departments wanting to use BlackBerry handhelds within their operations.

BlackBerrys may only be used to handle information at lower security classifications including UNCLASSIFIED, IN-CONFIDENCE, and RESTRICTED. BlackBerrys "should not" be used for CABINET-IN-CONFIDENCE, PROTECTED or HIGHLY PROTECTED information, although exemptions can be granted in specific cases.

The desire to introduce several BlackBerry devices for executives, as well as recognition of AGIMO's mandate that all government departments introduce e-mail marking by March 2007, drove AUSTRAC in January to implement e-mail marking using janusNET's janusSEAL 2.0 application.

"We're a relatively conservative agency," says IT security manager Scott Maclean. "It's just the nature of the work we do. Agencies like AUSTRAC and others have only had e-mail and Internet access to the desktop for about three years, and our staff don't necessarily need to have access to e-mail 24 hours a day; the small group of users that have BlackBerrys will only typically use them when they're travelling."

Installed on each of the nearly 200 desktops throughout AUSTRAC, janusSEAL presents users with a mandatory pop-up box in which they must specify the information security level of each e-mail they send. This level is embedded in the e-mail's X-Header and subject line in the format [SEC=xxxxxx], making it easy to identify and filter using e-mail management tools.

AUSTRAC uses Clearswift's MIMESweeper application to screen all e-mails entering or exiting the network. Similar rules on the BlackBerry Enterprise Server ensure that no messages with a higher classification than IN-CONFIDENCE are sent to the BlackBerry users. For now, BlackBerry-generated e-mails cannot leave the AUSTRAC network, but future use of smart tags is expected to help mobile users follow the tagging conventions as well.

Users cannot set an e-mail classification above the maximum permitted by their network, and there is no default -- a policy that forces them to spend the time to correctly classify the information. Unmarked incoming e-mails are automatically tagged as UNDETERMINED, and an UNOFFICIAL classification was created to let users tag personal e-mails without confusing them with "personal" e-mails -- those containing individuals' personal information that must be protected under privacy laws.
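The marking-and-filtering flow described above (a [SEC=...] token carried in the subject line and an X-header, a gateway rule that refuses to forward anything above IN-CONFIDENCE to handhelds, and UNDETERMINED for unmarked mail) can be reduced to a small policy check. The following is an added example written for this article; it is not code from AUSTRAC, janusNET, Clearswift or RIM. It assumes a header named `X-Protective-Marking` (the article only says "X-Header"), it assumes the hyphenated spellings of the markings, the three sample messages are constructed, and two behaviours it needs that the article does not specify are design choices labelled in the comments: when the header and subject disagree the higher marking wins, and an unrecognised label is treated as UNDETERMINED rather than trusted.

```python
"""Protective-marking check for mail bound for mobile handhelds.

Added example, not AUSTRAC's, janusNET's or Clearswift's code.
"""
import email
import re
from email.message import Message
from typing import Optional

# Classification ladder, lowest to highest, as listed in the article.
LEVELS = ["UNOFFICIAL", "UNCLASSIFIED", "IN-CONFIDENCE", "RESTRICTED",
          "CABINET-IN-CONFIDENCE", "PROTECTED", "HIGHLY-PROTECTED"]
RANK = {name: i for i, name in enumerate(LEVELS)}

HANDHELD_CEILING = "IN-CONFIDENCE"   # highest level the BES rule forwards
UNDETERMINED = "UNDETERMINED"        # tag applied to unmarked incoming mail
HEADER_NAME = "X-Protective-Marking" # assumed header name (not in the article)


def _normalise(label: str) -> str:
    """Upper-case and hyphenate so 'Highly Protected' matches the ladder."""
    return label.strip().upper().replace(" ", "-")


def marking_from_subject(subject: Optional[str]) -> Optional[str]:
    """Extract the [SEC=...] token from a subject line, if present."""
    m = re.search(r"\[SEC=([^\]]+)\]", subject or "")
    return _normalise(m.group(1)) if m else None


def marking_from_header(msg: Message) -> Optional[str]:
    """Extract SEC=... from the protective-marking header, if present."""
    raw = msg.get(HEADER_NAME)
    if not raw:
        return None
    m = re.search(r"SEC=([^,;]+)", raw)
    return _normalise(m.group(1)) if m else None


def classify(raw_message: str) -> str:
    """Return the effective classification of an RFC 822 message string.

    Design choices (assumptions, not from the article): an unknown label
    yields UNDETERMINED rather than being trusted, and if the header and
    subject disagree the higher marking wins, so the check fails closed.
    """
    msg = email.message_from_string(raw_message)
    found = [m for m in (marking_from_header(msg),
                         marking_from_subject(msg.get("Subject"))) if m]
    if not found:
        return UNDETERMINED
    if any(f not in RANK for f in found):
        return UNDETERMINED
    return max(found, key=RANK.__getitem__)


def may_forward_to_handheld(raw_message: str) -> bool:
    """The BES-style rule: forward only at or below the handheld ceiling."""
    level = classify(raw_message)
    return level in RANK and RANK[level] <= RANK[HANDHELD_CEILING]


def tag_unmarked_subject(subject: str) -> str:
    """Inbound gateway step: stamp UNDETERMINED on mail that has no marking."""
    if marking_from_subject(subject):
        return subject
    return f"{subject} [SEC={UNDETERMINED}]"


# Constructed sample messages (not real traffic).
SAMPLE_UNCLASSIFIED = (
    "From: analyst@agency.example\n"
    "Subject: Travel dates [SEC=UNCLASSIFIED]\n"
    f"{HEADER_NAME}: SEC=UNCLASSIFIED\n"
    "\nSee you Tuesday.\n"
)
SAMPLE_RESTRICTED = (
    "From: analyst@agency.example\n"
    "Subject: Draft typologies report [SEC=RESTRICTED]\n"
    f"{HEADER_NAME}: SEC=RESTRICTED\n"
    "\nAttached for comment.\n"
)
SAMPLE_UNMARKED = "From: outside@example.net\nSubject: Hello\n\nNo marking here.\n"
SAMPLE_MISMATCH = (
    "Subject: Minutes [SEC=UNCLASSIFIED]\n"
    f"{HEADER_NAME}: SEC=PROTECTED\n"
    "\nHeader and subject disagree; the higher marking should win.\n"
)

if __name__ == "__main__":
    for name, raw in [("unclassified", SAMPLE_UNCLASSIFIED),
                      ("restricted", SAMPLE_RESTRICTED),
                      ("unmarked", SAMPLE_UNMARKED),
                      ("mismatch", SAMPLE_MISMATCH)]:
        print(f"{name:13s} {classify(raw):22s} handheld={may_forward_to_handheld(raw)}")
```

Run it directly to see each constructed message's effective marking and the forwarding decision; the UNDETERMINED case shows why "no default" on the sending side matters, since anything a user fails to mark is blocked from handhelds rather than silently treated as low.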

Although the IT team was initially concerned that users would bristle at being forced to take an extra step when sending e-mails, pilot testing showed it was far less of an issue than they first believed.

"We thought the users would kick back because of the extra step," Maclean concedes, "but we found that most users have already set functions like automatic spelling checks, which can require many clicks depending on how good their spelling is. The main issue was user education -- just making sure users aren't overclassifying or underclassifying information to speed their way through the filter."

Paired with regular audits, that education has ensured a relatively smooth implementation of the e-mail tagging technology for AUSTRAC. The system automatically alerts Maclean if users try to transmit information to a less trusted network, system or user, or otherwise violate the information protection policies that have been put in place.

By forcing users to classify e-mails and then using MIMESweeper to enforce classification policies, AUSTRAC has been able to introduce the devices while protecting information in compliance with AGIMO rules, the Attorney-General's Protective Security Manual regulations, and DSD's ACSI33. As more and more agencies introduce the technology, the tagging will also facilitate secure exchange of appropriately classified e-mails across protected inter-departmental networks.

Although the technology is intended for Australian government users, Clearswift's Trevor Laughton says that the company has also been approached by several commercial organisations, including financial institutions that want to tighten control over internal information stored on e-mail. The technique could potentially be used to limit distribution of sensitive information in virtually any environment.