How to measure the performance of the Classification System
Use the Protective Security Requirements assurance and reporting tools below to assess the maturity of your organisation’s classification capability alongside your other protective security capabilities.
The PSR assurance tools have been updated to include additional maturity indicators related to the Classification System across different capability dimensions. These tools are available to any organisation to measure their performance in the use of the Classification System.
Tool | Usage
--- | ---
Capability Maturity Model (CMM) | The model enables you to assess the maturity of your classification capability alongside your other protective security capabilities and helps you identify how you could develop them further. The model recognises that each organisation has a unique combination of security risks and areas it needs to protect, and enables organisations to use a risk-based approach to managing their security risks. The model assesses capability across 12 dimensions and 4 maturity levels. The model is guided by the PSR’s mandatory requirements. While the 20 mandatory requirements are ‘baseline’ objectives, the model helps all types of organisations to set maturity targets based on their own security risk profile. One size does not fit all.
Moderation Framework | Agencies need to provide the underlying evidence to support their self-assessment against the Capability Maturity Model. The evidence is broken down into evidence of policy and processes versus evidence of practice (such as registers, logs, or reports) showing the outcomes of the policy and processes and how they are used to improve on outcomes. The framework can be used by agencies themselves for informal self-assessment, or by independent auditors for formal audit of the self-assessment (see the All of Government protective security panel for more information).
PSR Roadmap template | The PSR Roadmap template can be used to capture your organisation’s goals and improvement plans across the 20 PSR mandatory requirements.
Report template | The report template can be used annually to report back on your organisation’s protective security capability and improvement plans to agency leaders and directors as well as to government leads. If your organisation is mandated to follow the Protective Security Requirements, this reporting is mandatory and is shared with the PSR/GPSL and GCSB/GCISO.
Classification System changes to CMM & Moderation Framework (July 2022) | This document provides the changes specifically related to measuring the performance of the Classification System. Use this guidance to understand what additional capabilities and evidence you will need to demonstrate good practice in the Classification System.
Classification capability is measured under Mandatory Requirement INFOSEC2
The Classification System is part of the Protective Security Requirements Mandatory Requirement INFOSEC2:
INFOSEC2 - Design your information security
Consider information security early in the process of planning, selection, and design. Design security measures that address the risks your organisation faces and are consistent with your risk appetite. Your security measures must be in line with:
- the New Zealand Government Security Classification System
- the New Zealand Information Security Manual
- any privacy, legal, and regulatory obligations that you operate under.
Adopt an appropriate information security management framework that is appropriate to your risks.
When undertaking your self-assessment against this mandatory requirement in the October 2023 to March 2024 period, you will need to also consider the additional Classification System requirements to determine how well you meet this mandatory requirement.
For example, if you previously rated yourself as ‘Meets’ for INFOSEC2 but, as at March 2024, you have not yet put in place all of the additional capability defined in the July 2022 updates, then the status of your compliance with this mandatory requirement must be reduced (to ‘Mostly meets’ or lower), as you no longer meet the updated mandatory requirement.
Examples for new Classification capability under the CMM dimensions
Below are a couple of examples of the Leadership and Culture capabilities you will need to have in place to be considered ‘Managed’.
Dimension | Capability (Managed) | Examples of Evidence
--- | --- | ---
Monitoring and assurance | |
Culture and behaviours | |
Refer to the Classification System changes to CMM & Moderation Framework (July 2022) for the full set of Classification capability requirements.
See also: Common questions
Page last modified: 20/06/2022