Information security (INFOSEC)

ABOUT009

Every organisation relies on the confidentiality, integrity, and availability of the information it processes, stores, and communicates.

The New Zealand Government collects and receives information to fulfil its functions and expects all those who hold or access this information to protect it. Your information security measures should be based on your requirements for confidentiality, integrity, and availability of information.

What you need to do

Your organisation should develop, implement, and review security measures for protecting information from unauthorised use, accidental modification, loss or release. You do this through:

• establishing an information security culture
• implementing security measures that match your information's value, sensitivity, and any protective marking
• adhering to legal requirements.

Definition of information asset

The term 'information assets' refers to any form of information, including:

• printed documents and papers
• electronic data
• the software or ICT systems and networks on which information is stored, processed, or communicated
• the intellectual information (knowledge) acquired by individuals
• physical items from which information regarding design, components or use could be derived.

To put right information security measures in place, you need to know what you have and how your organisation would be affected by any loss or harm.

Take the following steps to comply with INFOSEC 1:

• Carry out an inventory of your information and ICT systems, including those that support business continuity and disaster recovery plans.
• Use the Business Impact Levels to assess the impact of your information being compromised. Find out where your organisation is vulnerable to security breaches, what threats you face, and how you would be affected.
• Include risks from your supply chain and from aggregated information (collections of information in electronic or hardcopy formats).
• Analyse your existing security measures to find out where you might need to improve.
• Classify and assign protective markings to information that requires it, so your people know how to handle the information and protect it.

Once you understand the risks to your organisation’s information, you need to design fit-for-purpose security measures. These measures should be proportionate to your risks and in line with your risk appetite.

Carry out the following actions to design fit-for-purpose security measures:

• Use multiple layers of security — ‘security in depth’ — to reduce the risks to your information.
• Know and address the points where your information could face critical risks.
• Create a framework for information security that balance security with costs and the impact on your operations.
• Include the security measures you design in your business continuity and disaster recovery plans.
• Comply with mandatory requirements for information, ICT systems, networks (including remote access), infrastructure, and applications.
• Get sign-off from your chief information security officer (CISO) or equivalent executive.

Implement your information security measures

Once your CISO agrees that the proposed security design will address your organisation’s specific information security requirements, you need to:

• implement the agreed security and privacy measures, including policies, processes, and technical security measures
• work with your suppliers to ensure that they understand and can meet your security requirements
• account for the information risks involved in the ICT system development lifecycle
• test your systems during development and before acceptance.

Comply with relevant requirements

Your security measures must comply with any privacy, legal, and regulatory obligations that you operate under, and the requirements in:

You must validate the measures you implement to ensure they will work as expected.

Your CISO is responsible for deciding whether your security measures will reduce your organisation’s risks to an acceptable level. Your executive team can then have confidence in the measures, including how they’ll be governed.

ICT systems must comply with the certification and accreditation process outlined in the New Zealand Information Security Manual(external link).

Threats, vulnerabilities and risks to your organisation’s information will change as technology, business, and information needs change.

To keep your information security up to date and comply with INFOSEC4, carry out the following activities:

• Analyse evolving threats and vulnerabilities – Monitor and observe so you can identify vulnerabilities and detect concerning events. Take proactive action to secure your systems, networks, configurations, and processes.
• Keep your information security measures up to date – Maintain access control systems and protect ICT equipment. Ensure your business continuity and disaster recovery plans are tested when you adopt new or updated processes, systems, and capability.
• Respond to information security incidents – Ensure you investigate and respond quickly, communicate with affected parties or relevant authorities without delay, and learn from incidents to improve security.

Assess your capability

Reviewing your measures will help you to improve, adapt, or change your information security when needed.

A mixture of regular and periodic reviews along with an annual assessment will help you to know when change is necessary, and how well your measures are being implemented and followed.

You’ll also know when information needs to be archived, destroyed, repurposed, or disposed of securely.