Protectively marking information and equipment

Applying Classification

Security classifications must be marked:

  • in CAPITAL LETTERS
  • in BOLD
  • the same size as the body text or at least 3mm high (whichever is larger).

 

Colour-coding security classifications

Colour coding makes security classifications easier to identify and ensures higher classifications stand out. Colour-code security classifications as follows:

CLASSIFICATION COLOUR
UNCLASSIFIED Marking is recommended
IN-CONFIDENCE Black (R0 G0 B0)
SENSITIVE Black (R0 G0 B0)
RESTRICTED Black (R0 G0 B0)
CONFIDENTIAL Green (R0 G176 B80)
SECRET Blue (R0 G0 B255)
TOP SECRET Red (R255 G0 B0)

Applying Policy and Privacy endorsement markings

How to mark:

 

You must not use endorsement markings without a security classification.

Endorsements are applied differently between Policy and Privacy classifications (IN-CONFIDENCE or SENSITIVE) and National Security classifications (RESTRICTED, CONFIDENTIAL, SECRET, TOP SECRET).

When applying an endorsement marking to Policy and Privacy classifications, it is combined with the security classification as follows:

  • Same style, font and size as the classification marking
  • Appears before the classification marking.

For example:

Applying National Security endorsement markings

National Security endorsement markings must follow a security classification. Don’t apply them to information that doesn’t have a security classification.

National security endorsement markings are generally categorised into control markings and dissemination markings. SCI is a type of control marking. See your agency specific classification policy and procedures for the specific control and dissemination markings used in your organisation or sector.

The endorsement marking (including any SCI markings) is combined with the classification marking as follows:

  • Same style, font, size and colour as the classification marking
  • Appears after the classification marking
  • Use a double forward slash between the classification, control, and dissemination marking categories
  • If there are multiple markings to apply within each category, separate them with a single forward slash.

The format is:

CLASSIFICATION//CONTROL 1/CONTROL 2//DISSEMINATION 1/DISSEMINATION 2

Example 2:

TOP SECRET//<SCI CODEWORD>//ORCON/REL TO NZL, FVEY

 

Marking documents

When protectively marking documents, the highest security classification should be clearly marked in bold at the centre top and bottom of each page in a single line as shown in Example 3.

If necessary, the security classification can be stacked in the centre of the page to fit around a letterhead.

Documents with covers, or in folders, must show the security classification on:

  • the front and rear covers
  • the title page
  • all other pages in the document.

Any bindings or fastenings must not obscure the protective marking.

Marking paragraphs

Sometimes paragraphs may need to be marked because they have different or higher security needs. For example, a paragraph in a document might contain secret information. Paragraph markings are called ‘paragraph grading indicators’.

Your agency should consider including in your classification policy and procedures, information on protectively-marking paragraphs.

Applying paragraph grading indicators

Put paragraph grading indicators in brackets at the beginning of each paragraph. Write them in full or abbreviate them using the first letters of the security classification. For example, (S) for SECRET or (IC) for IN-CONFIDENCE. Table 8 shows the standard abbreviations you can use.

Paragraph grading indicators should be the same colour as the text in the document.

If you use paragraph grading indicators, you must also mark all the paragraphs in the document, so that no one is confused about which markings apply to what text.

Use UNCLASSIFIED for paragraphs that don’t carry a protective marking. Example 5 shows you how to do that.

CLASSIFICATION CODE
UNCLASSIFIED (U)
IN-CONFIDENCE (IC)
SENSITIVE (Sen)
RESTRICTED (R)
CONFIDENTIAL (C)
SECRET (S)
TOP SECRET (TS)

Applying paragraph grading indicators

Once you’ve applied paragraph grading indicators, you need to establish the overall protective marking for the document. The overall marking must be at least equal to the highest classification level of any one paragraph within the document.

 

Marking titles

Whenever possible, don’t put protective markings on titles of things like files, documents, books, and reports. They could be seen in management systems that aren’t protectively marked, and this could put the information at risk.

If marking the title is essential, the originator should use a separate UNCLASSIFIED reference. This mark can appear behind the title in brackets.

 

Marking printed graphics

For graphics such as maps and drawings:

  • print or stamp the protective markings near the map scale or drawing numbers
  • print the protective markings at the top and bottom centre of the graphic.

If the graphic will be folded, make sure the marking remains visible after folding.

 

Marking annexes, appendices, attachments, and covering documents

In some cases, the annexes or appendices to a document need protective markings even if the rest of the document is UNCLASSIFIED.

Occasionally, an annex or appendix may also need a different protective marking from the principal document it is attached to.

If the annex, appendix, or attachment has a higher protective marking than the principal document, the document’s front cover should indicate that the document as a whole has a higher security classification. Example 6 shows you how to mark correctly in this scenario.

If the annex, appendix, or attachment is at the same protective marking level as the principal document or lower, you don’t need to show that on the cover.

Marking books, pamphlets, and reports

Documents with covers, such as books, pamphlets and reports, must show the protective marking on:

  • each page
  • the front and rear covers
  • the title page
  • the binding (if possible).

Any binding or fastening of pages must not obscure the protective markings.

 

Marking emails

Emails should be marked with an appropriate protective marking. The markings must appear as follows:

  • In the subject line
  • At the beginning of the email
  • In BOLD and ALL CAPS

TOP SECRET, SECRET, or CONFIDENTIAL information cannot be sent via email unless it is on a GCSB accredited system.

Marking emails ensures that:

  • the intended audience understands their obligations for securely handling the information
  • appropriate security measures are applied to the information (see SE*Mail below for more information)
  • helps to prevent information being accidentally released into the public domain.

For the policy and controls to apply to emails, go to the New Zealand Information Security Manual (NZISM) – Email Security(external link).

Secure and encrypted email (SEEMail)

SEEMail is the brand name for the New Zealand government’s secure and encrypted email service. SEEMail is used by government agencies to secure and encrypt email between parties. It is a gateway-to-gateway email service between participating agencies and trusted partners.

There are two types of SEEMail membership – Standard group and Restricted group.

For any agency that subscribes to the Standard group, they can only share encrypted information up to IN-CONFIDENCE.

For any agency that subscribes to the Restricted group, they can only share encrypted information up to SENSITIVE/RESTRICTED with other agencies who are also certified members of the Restricted group.

SEEMail cannot be used for emailing information at classifications of CONFIDENTIAL, SECRET or TOP SECRET.

Also, SEEMail cannot be used for emailing to organisations or individuals who are not participating agencies or trusted partners. This may mean that the information cannot be shared with that organisation or individual via email if encryption is a mandatory requirement for its classification.

Note: SENSITIVE or RESTRICTED information must by encrypted before being sent via email. The agency must use SEEMail or equivalent encryption service before allowing users to send emails at SENSITIVE or RESTRICTED.  It is also good practice to use SEEMail to encrypt IN CONFIDENCE  and unclassified information as well. Refer to the NZISM for more information. 

Your classification policies and procedures should detail which SEEMail group the agency is a member of and any email marking that is required within the email system to ensure that email is sent via SEEMail securely.

SEEMail uses specific ‘trigger words’ to apply appropriate protective measures to emails.  

Add square brackets around the classification and use the appropriate tags depending on who you want to receive the email:

Classification Tag Who can receive the email
[SEEMAIL] Limits sending to only participating SEEMail government agencies. Use this trigger word for securely sending unclassified communications between participating SEEMail government agencies.
[TRUSTED] Allows sending to both SEEMail participating government agencies and trusted partners. Use this trigger word for securely sending unclassified communications between participating government agencies and their trusted partners.
[RESTRICTED] Limits sending to agencies or partners accredited to RESTRICTED SEEMail systems. Use this trigger word to classify the communication and securely send communications between Restricted level systems.
[SENSITIVE] Limits sending to agencies or partners accredited to RESTRICTED SEEMail systems. Use this trigger word to classify the communication and securely send communications between Restricted level systems.
[IN-CONFIDENCE] Allows sending to any participating SEEMail user. Use this trigger word to classify the communication and securely send communications between Standard or Restricted level systems.

Marking imagery

Photographs and film, and their storage envelopes or containers must all carry clear protective markings when applicable.

Protective markings must be:

  • on both sides of containers and spools
  • projected for at least five seconds in the title and end sequences of roll imagery, cine-film, and video tape.

You must also mark photographic negatives, so that the protective marking is reproduced on all copies made from that negative.

 

Marking presentations

Official presentations and presentations with security classifications presentations need appropriate protective markings.

Treat each slide or screen as an individual page, as you would for a paper-based document. The protective marking should be verbally stated to the audience.

 

Marking audio

For audio recordings, the level of protective marking must be clearly stated at the beginning and end of each recording. The tape or other media and its container must be conspicuously labelled with the appropriate protective marking.

 

Marking microforms

Some agencies may still hold microforms such as aperture cards, microfiche, and microfilm that contains protectively-marked information. If so, this material must show the appropriate protective marking at the top and bottom centre of each frame.

Containers and envelopes must bear the appropriate protective marking of the highest protectively-marked microform.

The protective marking must be visible without projection on cards and microfiche. Microfilm should be prominently marked at the beginning and end of each roll.

 

Marking electronic storage media

For the policy on marking electronic storage media, go to the following sections of the NZISM:

Marking equipment or storage media

Your agency must develop specific procedures for marking equipment and electronic storage media.

Protective markings should be clearly visible and not easily removed.

For more details, go to NZISM: