Storing protectively marked information in exceptional circumstances: an INFOSEC and PHYSEC case study
This case study looks at the importance of correctly storing protectively marked information.
- appropriate storage zones and containers
- seeking NZSIS permission to hold protectively marked information in exceptional circumstances.
Scenario – what happened
A small government agency routinely stores information that is protectively marked as CONFIDENTIAL. Occasionally the agency also stores information protectively marked as SECRET.
However, following a benign threat incident affecting all government departments, a senior employee receives a TOP SECRET document through SafeHand.
The agency head permits the onsite storage of the information, thinking that as it is a single document only and the benign threat incident has been resolved onsite storage of the information is okay.
The TOP SECRET document is stored in a Zone 3 non-accredited facility designed to store material classified as CONFIDENTIAL and SECRET.
The document is indiscriminately filed in the storage facility, together with a series of documents protectively marked as CONFIDENTIAL.
Several weeks later, the TOP SECRET document is accidently picked up and disseminated by an administrator distributing a CONFIDENTIAL document.
Lessons learning – what should have happened
The agency made two errors in this scenario.
Staff should have:
Stored the information in the appropriate way, using the appropriate storage
TOP SECRET information must be securely stored in the appropriate zone and storage container.
TOP SECRET information is not permitted to be stored in Zone 3 (limited employee access with controlled visitors only) or Zone 4 (strictly controlled employee access with personal identity verification) except in exceptional circumstances.
TOP SECRET information must be stored in a NZSIS accredited Zone 5 in a Class B container which must be approved by the NZSIS.
Protectively marked material should be stored in a folder of the appropriate colour to clearly indicate its security classification.
Obtained approval from the NZSIS to hold the information
If, in exceptional circumstances, an agency cannot hold protectively marked information in the appropriate facilities, the agency must obtain approval from the NZSIS and the originator of the material to do so.
Agencies can arrange for another agency to store the information if it is impractical or not viable to do so. However, only those with a security clearance at least equal to the protective marking are to ever have access to the protectively marked material.
Page last modified: 9/10/2018