About the PSR

ABOUT009

Information security

The New Zealand Government collects and receives information to fulfil its functions and expects all those who hold or access this information to protect it.

Your information security measures should be based on your requirements for confidentiality, integrity, and availability of information.

What you need to do

Your organisation should develop, implement, and review security measures for protecting information from unauthorised use, accidental modification, loss or release. You do this through:

  • establishing an information security culture
  • implementing security measures that match your information's value, sensitivity, and any protective marking
  • adhering to legal requirements.

Definition of information asset

The term 'information assets' refers to any form of information, including:

  • printed documents and papers
  • electronic data
  • the software or ICT systems and networks on which information is stored, processed, or communicated
  • the intellectual information (knowledge) acquired by individuals
  • physical items from which information regarding design, components or use could be derived.

Understanding what information you need to protect

To put the right information security measures in place, you need to know what information you hold and how your organisation would be affected by its loss or compromise.

INFOSEC1 - Understand what you need to protect

Identify the information and ICT systems that your organisation manages. Assess the security risks (threats and vulnerabilities) and the business impact of any security breaches.

Take the following steps to comply with INFOSEC 1.

  • Carry out an inventory of your information and ICT systems, including those that support business continuity and disaster recovery plans.
  • Use the Business Impact Levels to assess the impact of your information being compromised. Find out where your organisation is vulnerable to security breaches, what threats you face, and how you would be affected.
  • Include risks from your supply chain and from aggregated information (collections of information in electronic or hardcopy formats).
  • Analyse your existing security measures to find out where you might need to improve.
  • Classify and assign protective markings to information that requires it, so your people know how to handle the information and protect it.

Designing your information security measures

Once you understand the risks to your organisation’s information, you need to design fit-for-purpose security measures. These measures should be proportionate to your risks and in line with your risk appetite.

INFOSEC2 - Design your information security

Consider information security early in the process of planning, selection, and design. Design security measures that address the risks your organisation faces and are consistent with your risk appetite. Your security measures must be in line with:

  • the New Zealand Government Security Classification System
  • the New Zealand Information Security Manual
  • any privacy, legal, and regulatory obligations that you operate under.

Adopt an information security management framework that is appropriate to your risks.

Design your information security measures

Carry out the following actions to design fit-for-purpose security measures.

  • Use multiple layers of security — ‘security in depth’ — to reduce the risks to your information.
  • Know and address the points where your information could face critical risks.
  • Create a framework for information security that balances security with costs and the impact on your operations.
  • Include the security measures you design in your business continuity and disaster recovery plans.
  • Comply with mandatory requirements for information, ICT systems, networks (including remote access), infrastructure, and applications.
  • Get sign-off from your chief information security officer (CISO) or equivalent executive.

Implement your information security measures

Once your CISO agrees that the proposed security design will address your organisation’s specific information security requirements, you need to:

  • implement the agreed security and privacy measures, including policies, processes, and technical security measures
  • work with your suppliers to ensure that they understand and can meet your security requirements
  • account for the information risks involved in the ICT system development lifecycle
  • test your systems during development and before acceptance.

Comply with relevant requirements

Your security measures must comply with any privacy, legal, and regulatory obligations that you operate under, and the requirements in:

Validating your information security measures

You must validate the measures you implement to ensure they will work as expected.

INFOSEC3 - Validate your security measures

Confirm that your information security measures have been correctly implemented and are fit for purpose. Complete the certification and accreditation process to ensure your ICT systems have approval to operate.

Your CISO is responsible for deciding whether your security measures will reduce your organisation’s risks to an acceptable level. Your executive team can then have confidence in the measures, including how they’ll be governed.

ICT systems must comply with the certification and accreditation process in the New Zealand Information Security Manual.

Keeping your information security up to date

Threats, vulnerabilities and risks to your organisation’s information will change as technology, business, and information needs change.


INFOSEC4 - Keep your security up to date

Ensure that your information security remains fit for purpose by:

  • monitoring for security events and responding to them
  • keeping up to date with evolving threats and vulnerabilities
  • maintaining appropriate access to your information.

To keep your information security up to date and comply with INFOSEC 4, carry out the following activities.

Analyse evolving threats and vulnerabilities. Monitor and observe so you can identify vulnerabilities and detect concerning events. Take proactive action to secure your systems, networks, configurations, and processes.

Keep your information security measures up to date. Maintain access control systems and protect ICT equipment. Ensure your business continuity and disaster recovery plans are tested when you adopt new or updated processes, systems, and capability.

Respond to information security incidents. Ensure you investigate and respond quickly, communicate with affected parties or relevant authorities without delay, and learn from incidents to improve security.

Assessing your capability

Reviewing your measures will help you to improve, adapt, or change your information security when needed.


GOV8 - Assess your capability

Use an annual evidence-based assessment process to provide assurance that your organisation’s security capability is fit-for-purpose. Provide an assurance report to Government through the Protective Security Requirements team if requested. Review your policies and plans every 2 years, or sooner if changes in the threat or operating environment make it necessary.

A mixture of regular and periodic reviews along with an annual assessment will help you to know when change is necessary, and how well your measures are being implemented and followed.

You’ll also know when information needs to be archived, destroyed, repurposed, or disposed of securely.

Guidance to help you meet requirements

Page last modified: 21/12/2020