Outsourced ICT facilities
Meet your obligations to protect information when you outsource ICT facilities.
Your organisation must ensure that outsourced ICT facilities meet the physical security requirements for ICT systems.
Preparing to use a data centre
Before you use a data centre, you must assess the aggregated (combined) value of the official information you plan to store in it. Information can increase in value when it is combined and therefore need greater protection.
If you have a shared data centre arrangement, work with the other organisations to assess the Business Impact Level (BIL) of the aggregated information before you use the datacentre operationally.
Protect data storage devices in line with the business impact of the compromise of the aggregated of the information stored on the devices.
Data centres can provide security for your information and ensure your information is continuously available.
ANSI/TIA-942 Telecommunications Infrastructure Standard for Data Centers gives information on the levels (tiers) of availability.
Using a commercial data center
If your organisation plans to use a commercial data centre to hold official information with BIL of catastrophic, you must seek advice from the New Zealand Security Intelligence Service (NZSIS). They will advise you on the certification requirements for the physical security measures that you must meet before the data centre is used.
New Zealand Government information on outsourced or offshore ICT arrangements gives more information on the requirements.
Supply chain security guides you on including security requirements in contracts for outsourced functions.
Page last modified: 5/08/2019