Governance

GOV051

Protecting information

You must protect information when it is being used away from your office or being transported to another location. You must also comply with the handling requirements for protectively-marked information.

Securing official information in private facilities

You might find it difficult to adequately secure your information when your people are working in private facilities, such as commercial or client facilities. You’re unlikely to have control over key security controls such as alarm or keying systems.

Unless your organisation has full control over the space, you should treat the facilities as zone 1 security areas for information and asset storage.

Storing protectively-marked information

Protectively-marked information must not be stored outside your offices unless you have implemented:

 You should not allow TOP SECRET information to be stored outside your premises unless it is critical for an operation. The New Zealand Security Intelligence Service must certify all storage of TOP SECRET information.

Transferring information away from the office

It is unrealistic to expect people to maintain physical custody of information at all times if it can’t be carried on their person.

However, you should restrict the use of removable ICT media, such as USB sticks and portable hard drives, for carrying large quantities of information, as they are easily lost.

Information is at considerable risk when it is being transported. Consider all alternatives before you allow your people to transport information to remote locations.

Some alternatives to consider are:

  • giving people remote secure access to your ICT networks (if a connection can be arranged)
  • transporting the information to nearby New Zealand Government or jurisdictional facilities using endorsed couriers or secure networks
  • storing the information on a portable device approved by the Government Communication Security Bureau — a device that provides additional logical controls to prevent unauthorised access.

When you can’t arrange alternative transport, consider arranging for information to be secured in suitable New Zealand Government or New Zealand Government-approved facilities during breaks in trips.

For more information, go to:

Disposing of official information securely

Your organisation should have procedures in place for the secure disposing of official information for all working away from the office scenarios.

You must ensure all protectively-marked information is returned to your premises for destruction unless you have approved destruction equipment located off-site.

For more information, refer to:

 

Page last modified: 31/10/2018