Meeting the mandatory requirements for information security

Keep your organisation secure with robust information security by following the mandatory requirements and the associated information lifecycle stages

INF043

Understand what information and ICT systems you need to protect

To implement the right security measures, you need to understand what information you have and how valuable it is. A comprehensive inventory will assist you to determine what types of information and ICT systems your organisation has, including those that support business continuity and disaster recovery plans.

For each type of information or ICT system, you should record:

  • how your organisation (and any providers or partners) uses, processes, shares, or stores it
  • any relevant confidentiality, integrity, privacy, or legislative requirements
  • how long you need to keep and protect the information
  • the minimum level of system performance or information accessibility your organisation needs to function
  • what destruction or disposal requirements apply.

Understand the value of your information

You must understand the value, importance, and sensitivity of your information. This will determine the minimum requirements you need to protect it from harm.

Not all information should be treated equally. Some information is more valuable or sensitive, requiring a greater level of protection. The Business Impact Levels (BILs) are a tool that can be used to assess the value of your information and what impact might occur if your information is compromised.

Based on the value of your information and equipment, you will need to classify and assign protective markings to it that will inform your people on how to handle and protect the information from harm. All New Zealand Government agencies must do this in line with the New Zealand Government Security Classification System.  

Assess the risks to your information security

You need to think about the vulnerabilities and threats you face and their impact on your organisation. Consider the following questions to help you assess your organisation’s risks.

Where is your organisation vulnerable?

Identify areas where your organisation might be vulnerable to security breaches (deliberate or accidental). Determine which vulnerabilities might be exploited and how this might be limited.

What threats do you face?

Identify and document the potential threats to your information security and ensure that this information is kept current. Ask yourself, ‘Who would benefit from having access to our organisation’s information and what information would they want?’

What impact would a security breach have on your organisation?

Assess how your organisation would be impacted if your information security is breached. Think about the confidentiality, integrity, and availability of your information.

You should also consider these additional questions during your risk assessment:

Have you included your supply chain risks?

Supply chains are becoming deeper and the interconnections more complex. Make sure each part of your organisation’s supply chain is included in your risk assessment. Check that your suppliers can articulate who and what they are connected to, and what dependencies they have.

Have you factored in the risks from collections of information?

Collections of information (aggregated information) can be more valuable than the single pieces of information they’re made up of, so your organisation might need extra security measures to protect them. Ask yourself, ‘What could be deduced if the collection were breached?’ Aggregated information includes collections of physical documents and collections of information stored in your ICT systems.

Is your existing security enough?

Analyse your existing security measures. How well would they protect your information against the risks and effects you’ve identified? If information such as customer records, financial data, and intellectual property were stolen, could you quickly and accurately determine what was lost and be able to recover it? What action do you need to take to improve your security?

Design fit-for-purpose information security measures

Your information security measures must be proportionate to the risks your organisation has identified, and in line with your risk appetite.

The New Zealand Information Security Manual (NZISM) specifies mandatory baseline controls for New Zealand Government agencies, based on the classification of your information, and a series of additional controls to assist in treating your identified risks.

Use multiple layers of security – ‘defence in depth’

Effective security for an information asset can be achieved by using several different layers of security measures. This approach is referred to as ‘defence in depth’: the security of an asset is not significantly reduced by the loss or breach of any single layer of security.

Address all the points where your information security could be breached

When you design your security measures, address your critical information security risks and vulnerabilities, including your cyber-security threats, information security culture, security products and processes.

Make sure your organisation complies with its mandatory obligations

The design of all your security measures for information, ICT systems, networks (including remote access), infrastructure, and applications must be lawful. The NZISM is a resource that New Zealand Government agencies must use and private organisations can use to ensure your organisation complies with its obligations. It is important to carefully assess which controls apply to your organisation.

Consider the trade-off between ultimate security and effective operation

Meeting the minimum standards is often not enough, but ultimate security can be cost-prohibitive. Your information security framework should be pragmatic while still ensuring that your critical risks are adequately addressed.

Add to your business continuity and disaster recovery plans

The security requirements identified during the design phase should also be in your business continuity and disaster recovery plans.

Accept: Get your information security design accepted

Before you can implement your security measures, your Chief Information Security Officer (or other designated executive) must accept that the proposed security design is fit for purpose and will address your organisation’s specific information security requirements.

Implement your information security measures

During this phase, you need to implement the agreed security and privacy measures, including policies, processes, and technical security measures.

Build secure supply chains and solutions

Work with your suppliers to ensure that they understand and can meet your security requirements. Build your security requirements into your contractual arrangements.

Security weaknesses in suppliers can compromise otherwise robust security measures in other parts of your business. Remember to account for the information risks involved in the ICT system development lifecycle, such as development providers accessing and using test data or defect tracking systems.

Test and control changes

System testing must happen during development and before acceptance. You must also have an effective change control process to ensure that changes conform to relevant standards.

Validate your security measures

Validate your organisation’s information security measures to find out if they’ve been correctly implemented and are fit for purpose.

Validating your security measures provides accountability

The CISO must determine whether the measures are acceptable for the risks your organisation faces. The validation step provides senior executives with the confidence that information and its associated technology are well-managed, risks are properly identified and mitigated, and governance responsibilities can be met. 

Ensure appropriate certification and accreditation

Conduct the appropriate certification and accreditation processes required for the type of security measures being implemented. ICT systems must follow the certification and accreditation process defined in the NZISM. They must also reflect the mandatory controls in the Manual. Physical security requires additional certification and accreditation. See the Management protocol for physical security for more information.

Operate and maintain to stay secure

Threats, vulnerabilities, and risks evolve over time as technology, business, and information demands change. Security measures must keep pace with this change to remain relevant and effective.

Analyse evolving threats and vulnerabilities

To manage the vulnerabilities in your information security, take the following action.

  • Monitor your systems, networks, and processes for security vulnerabilities. Observe system and network events, configurations, and processes to detect suspicious or unauthorised events.
  • Be proactive to stay on top of vulnerabilities or flaws in your technical environment.
  • Assess your security measures against best practice and known security threats.
  • Analyse, prioritise, and report on vulnerabilities that pose the most immediate risk to your organisation.
  • Apply and track fixes to completion to mitigate the risk of your information being compromised.

Keep your information security measures up to date

Your security measures are only effective if they reflect your actual risks. Take the following action to stay up to date.

  • Maintain your user access control systems.
  • Protect your organisation’s ICT equipment.
  • Test your business continuity and disaster recovery plans when new processes, systems, and capability are introduced. Make sure your organisation is adequately prepared for a significant service interruption, attack, or other serious security incident.

Respond to information security incidents

Good management is critical to reducing the impact of security incidents and recovering quickly. Incident response should be a key part of your overall security framework.

Follow the right process when an incident happens

When an incident happens, act quickly to reduce any impact and to help your organisation recover as quickly as possible. Later you might also need to restore the confidence of any partners or clients affected by an incident.

Investigate and respond: First, gather details of the incident and assess the degree of impact. Take any initial actions necessary to reduce harm.

Communicate and escalate: Make sure you communicate security incidents to affected parties for their action. If necessary, alert any relevant authorities. You may also need to actively warn some people to avoid harm occurring further downstream.

Recover and learn: Recover lost information if possible and reinstate business functions. Make sure your organisation learns from the incident so that you can improve your security measures in future.

Review your security measures

Undertake regular reviews to ensure your security measures remain fit for purpose.

Identify changes in how you use and organise your information, and any changes required by legislation. Use this information to inform improvements.

Conduct periodic reviews and assure compliance

Regularly monitor, review, and audit your security measures so you know the degree to which your information security policies are being implemented and followed.

Identify changes required to your information security

Change is a given. You need to identify which changes in your environment might affect your information security and be prepared to restart your information security lifecycle.

Consider these questions to inform changes and improvements.

  • Are you using information in new ways?
  • Are you bringing on a new supplier, provider, or partner to fulfil a specific need?
  • Are you planning improvements to internal or external security services?
  • Have you identified new security threats or vulnerabilities?

Retire information securely

When your information and supporting ICT systems are no longer required, they need to be archived, destroyed, repurposed, or disposed of securely. The NZISM offers advice and controls around managing information and systems that have reached the end of their lifecycle.

Consider these questions:

  • How will you declassify your information and equipment when it no longer needs to be protectively marked?
  • How will you dispose of sensitive information and related equipment?

Make sure you take relevant legislation, the NZISM, and best-practice standards into account.