Information security
INF023
Understand what information and ICT systems you need to protect
To implement the right security measures, you need to understand what information you have and how valuable it is.
INFOSEC1 - Understand what you need to protect
Identify the information and ICT systems that your organisation manages. Assess the security risks (threats and vulnerabilities) and the business impact of any security breaches.
Create an inventory
A comprehensive inventory will help you to find out what types of information and ICT systems your organisation has, including those that support business continuity and disaster recovery plans.
Your organisation might have many different types of information and information assets, such as:
- documents and papers, including intellectual property
- electronic data collections, including databases, document stores, data extracts, and media (fixed or removable)
- software, systems, or networks on which your information is stored, processed, or communicated
- intellectual knowledge held by individuals
- information you hold that is owned by others (for example, third-party or foreign government information).
For each type of information or ICT system, you should record:
- how your organisation (including your providers and partners) uses, processes, shares, or stores it
- any relevant confidentiality, integrity, availability, privacy, or legislative requirements
- how long you need to keep and protect the information
- the minimum level of system performance or information accessibility your organisation needs to function
- what destruction or disposal requirements apply
- the location of the information asset and its physical security requirements.
Understand the value of your information
You must understand the value, importance, and sensitivity of your information. This will determine the minimum requirements you need to protect it from harm.
Not all information should be treated equally. Some information is more valuable or sensitive, requiring a greater level of protection. The Business Impact Levels (BILs) is a tool that can be used to assess the value of your information and what impact might occur if your information is compromised.
Along with assessments of event likelihood, threats, and vulnerabilities, BILs should inform a robust risk assessment.
Classify and assign protective markings
Based on the value of your information and equipment, classify and assign protective markings to it. The markings will inform your people on how to handle the information and protect it from harm.
Supporting documents and information
Archives, information management, and public records
- Identifying and managing information assets (PDF, 323KB) — Archives NZ
- Information and Records Management Toolkit — Archives NZ
Privacy and data protection
- General Data Protection Regulation (GDPR) Resources — Privacy Commissioner
- Privacy Act 2020
- Privacy requirements when holding personal information — Privacy Commissioner
Protective Security Requirements
- Business Impact Levels (BILs)
- New Zealand Information Security Manual: Product Classifying and Labelling
- Management protocol for physical security
Page last modified: 4/05/2022