Management protocol for information security | Protective Security Requirements

INF003

When your information security controls are well designed and implemented, you reduce the risks of your information being compromised.

Encourage a strong security culture, so your information security practices are known and followed.

This protocol explains the steps your organisation should take to improve your information security. It sets out a lifecycle for managing information security, and outlines the mandatory requirements for New Zealand Government agencies.

Understanding the information security lifecycle and meeting the mandatory requirements will help you protect your organisation’s information. Read this protocol if you’re a:

chief executive, chief security officer (CSO), or chief information security officer (CISO)
senior manager responsible for information security, manager responsible for information management, senior manager, or line manager.

These principles should be read along with the Management protocol for personnel security, the Management protocol for physical security, and governance guidance for protective security.

As part of good practice, we recommend that private sector organisations also adopt the mandatory requirements for information security.

What is information security?

Information is an asset and information security is the protection you apply to keep your information assets secured from harm. Think of information in the broadest sense, not just in terms of information technology. Information exists in many forms (for example, electronic, printed, or spoken) and may reside inside or outside your organisation, including with your providers and clients, and in the cloud.

Information security is a broad concept that also includes cyber-security, digital security, and ICT security.

Understand the benefits of robust information security

Every organisation relies on the confidentiality, integrity, and availability of the information it processes, stores, and communicates. Robust information security is a business enabler. It helps your organisation to:

maintain the trust and confidence of the public, customers, and partners
keep your important information safe and available to those who need it
reduce the risks of your information being lost, damaged, or compromised
avoid costs of recovery after an incident, as well as costs of downtime and lost productivity
comply with regulation and legislation.

Know the threats and risks you need to manage

Threats to the security of your information can come from inside and outside your organisation. Your information in all forms (for example, electronic, printed or spoken) needs to be appropriately protected. Information stored and processed on IT systems or mobile devices is vulnerable to cyber-specific threats.

We are far more exposed today than ever before.

We have increasing quantities of electronic information, and organisations are often heavily dependent on it to function.

We have cloud, social media, mobile, and other emerging technologies, which have increased the ways critical information can be accessed.

We face increasing and continually evolving threats that make detection challenging.

External actors and disgruntled insiders have been known to:

expose or publish sensitive information in the public domain
encrypt and then ransom critical information
sell information to competitors and interested parties
steal intellectual property (IP)
compromise organisations by destroying or denying access to records.

Your people may also accidentally compromise your information because they:

lack awareness of your security practices and why they’re important
get distracted or complacent while handling organisational information
provide access to other parties seeking information for criminal or other inappropriate purposes. For instance, ‘social engineering’ attacks attempt to manipulate people into breaking normal security controls, often disguising themselves as someone trusted through phishing, pretexting, baiting, quid pro quo, and tailgating or other means.

Security breaches can be undetected, disruptive, and damaging

If your security practices are weak, your information is exposed to risk. It could be removed, copied, modified, destroyed, published, shared, or exploited.

This can happen without your organisation being aware of it. Even if your organisation is alerted to an incident or breach, confirming the extent of the impact might be difficult.

Information security breaches can seriously disrupt your ability to do business, expose you and your customers to more risks, and damage your reputation. Breaches can:

make it difficult or impossible to process transactions or provide core services
involve a loss of intellectual property
violate laws governing privacy or other types of information held in trust
expose you to legal proceedings from affected parties
cause embarrassment at an international, national, or regional level
erode trust between your organisation and the people you serve or work with.

Understand the information security lifecycle

Understand and follow the information security lifecycle to protect your organisation’s information.

The lifecycle stages show the steps you should work through to understand what you need to protect, assess the risks to your information, design appropriate security measures, validate that those measures are implemented correctly, and maintain them over time.

Take a risk-based approach to information security

In response to these threats, using a risk-based approach that applies sound risk management will best allow you to tailor an information security framework to your organisation’s operating context and the threats it may face.

Not all information should be treated equally. Some information is more valuable or sensitive, requiring a greater level of protection. You must understand the value, importance, and sensitivity of your information. This will determine the minimum requirements you need to protect it from harm.

The Business Impact Levels (BILs) is a tool that can be used to assess the value of your information and the potential impact if your information is compromised. Along with assessing event likelihood, threats, and vulnerabilities, BILs should inform a robust risk assessment.

Consider the impact on your organisation if:

a database with sensitive information was corrupted
an unauthorised person accessed and shared sensitive information with the media
information was accidentally released to third parties.

Create a security culture that everyone knows and shares

Everyone in your organisation needs to be part of your security culture, otherwise your security processes and tools won’t be effective. It only takes one malicious email attachment to potentially compromise your entire organisation. You need to make sure your people and partners:

understand the security risks
understand your information security policies
adopt the right security behaviours.

To get everyone on board, it is critical to provide security awareness training and ongoing support.

Your chief information security officer (CISO) or other senior manager is responsible for your organisation’s information security, in line with the overall protective security policy.

Adopt a framework to manage information security

Your organisation should establish a framework to direct and coordinate the management of your information security.

Your framework must:

be appropriate to the level of security risk in your information environment
be consistent with your business needs and legal obligations
integrate with any other frameworks governing your organisation’s security.

Your framework should also cover how you’ll ensure that your organisation:

understands and follows security policies and processes
is alerted to changes to systems, risks, or standards
marks, accesses, and declassifies protected information correctly
manages and controls access to information.