Address all the points where your information security could be breached
When you design your security measures, address your critical information security risks and vulnerabilities, including your cyber-security threats, information security culture, security products, and processes.
Design appropriate access controls to ensure that only those who need to know have access to information
Your organisation must have measures in place for controlling access to all information, ICT systems, networks (including remote access), infrastructure and applications, as defined in the NZISM: Access Controls.
Areas to consider include:
- user access management — who should be able to access what
- user responsibilities and segregation of duties to protect information
- network access control — what resources can be accessed on a network
- system access control — secure logins
- application and information access control
- risks associated with mobile computing and remote working
- Bring Your Own Device (BYOD).
Make sure your organisation complies with its mandatory obligations
The New Zealand Information Security Manual (NZISM) is the resource that New Zealand Government agencies must use, and that private organisations can use, to ensure their organisation complies with its obligations. It is important to carefully assess which controls apply to your organisation.
The design of all your security measures for information, ICT systems, networks (including remote access), infrastructure, and applications must be lawful.
Resources for designing information security
You should ensure that all defence layers have adequate security measures. Use the resources below to support the design of your security measures:
- Network and perimeter security
  - NZISM: Network Security
  - NZISM: Gateway Security
  - NZISM: Enterprise System Security
- Security monitoring
  - NZISM: Information Security Monitoring
- System security
  - NZISM: Physical security of servers and IT equipment
  - NZISM: Communication Systems and Devices
- Application security
  - NZISM: Product security
  - NZISM: Software Security
  - NZISM: Email Security
  - NZISM: Using the Internet
- Data security
  - NZISM: Access Control
  - NZISM: Data Management
Also refer to Information management guidance and resources — digital.govt.nz — including Common capabilities panel, Government Enterprise Architecture NZ (GEA-NZ) standards, web standards, web services standards, cloud services, and open government.
Legislation on information and privacy
You should also be familiar with the legislation on information and privacy.
- Official Information Act 1982
- Public Records Act 2005
- Privacy Act 2020
- Archives, Culture and Heritage Reform Act 2000
Consider the trade-off between ultimate security and effective operation
Meeting the minimum standards is often not enough, but the cost of ultimate security can be prohibitive. Your information security framework should be pragmatic while still ensuring that your critical risks are adequately addressed.
For more information email: firstname.lastname@example.org
Add to your business continuity and disaster recovery plans
The security requirements you identified during the design phase should also be in your business continuity and disaster recovery plans.
Business continuity management defines the actions to take to continue operating during a significant service interruption, attack or other incident, and then to return to normal operation after the incident.
You will need to develop and regularly test your plans to prepare your organisation for smooth operation during an incident, and ensure that you can resume normal operations as soon as possible after the incident. Your organisation’s resilience depends directly on its ability to confront the hazards and continue to achieve its defined outcomes.
Given the increasing dependence on information systems to deliver your products and services, you need to consider the resilience of the ICT systems that hold and process your critical information. Key metrics for your ICT disaster recovery plans should include:
- recovery point objective (RPO) — how much data might be lost, which depends on how frequently backups are taken
- recovery time objective (RTO) — the length of time required to recover and restore normal function after a disaster ends.
For more information go to Business continuity management
Handling protectively-marked information and equipment
All New Zealand Government agencies must follow the guidance defined in Handling requirements for protectively-marked information and equipment.
This guidance provides a consistent and structured approach to protectively marking and handling official information and material subject to the New Zealand Government Security Classification System.
It sets out the procedures for protectively-marked information and material, including:
- applying protective markings
- protecting protectively-marked documents and material
- producing and re-producing protectively-marked documents
- removing protectively-marked information and material from agency premises
- transferring protectively-marked information and material
- receiving protectively-marked hard copy information and material
- destroying protectively-marked hard copy information and material.
Supporting documents and information
- Control and handling of CONFIDENTIAL documents and material (PDF, 97KB)
- Control and handling of SENSITIVE or RESTRICTED documents and material (PDF, 89KB)
- Control and handling of SECRET documents and material (PDF, 90KB)
- Control and handling of TOP SECRET documents and material (PDF, 90KB)
Design security measures for your specific scenarios
Incorporate the appropriate security measures for the specific scenarios that you assessed during your risk assessment.
Page last modified: 17/02/2021