The policy framework

Information security (INFOSEC)

The New Zealand Government collects and receives information to fulfil its functions and expects all those who hold or access this information to protect it

Every organisation relies on the confidentiality, integrity, and availability of the information it processes, stores, and communicates.

Your information security measures should be based on your requirements for confidentiality, integrity, and availability of information.

Information exists in many forms (for example, electronic, printed, or spoken) and may reside inside or outside an organisation, including with providers and clients, and in the cloud.

Information in all forms needs to be appropriately protected — information security is a broad concept that also includes cyber-security, digital security, and ICT security.

Robust information security is a business enabler by helping organisations to:

  • maintain the trust and confidence of the public, customers, and partners
  • keep important information safe and available to those who need it
  • reduce the risk of information being lost, damaged, or compromised
  • avoid the costs of recovery after an incident, as well as the costs of downtime and lost productivity, and
  • comply with regulation and legislation.

An organisation needs to develop, implement, and review security measures for protecting information from unauthorised use, accidental modification, loss or release. You do this through:

  • establishing an information security culture
  • implementing security measures that match your information's value, sensitivity, and any protective marking
  • adhering to legal requirements.

PSR Policy Framework — INFOSEC

The INFOSEC mandatory requirements are the core information security requirements that mandated government agencies must follow, and other organisations should adopt as best practice.

This section provides a high-level overview of the PSR INFOSEC mandatory requirements. To understand, implement, and comply with the PSR INFOSEC mandatory requirements, please refer to the following documents:

INFOSEC 1

Understand what you need to protect

Identify the information and ICT systems that your organisation manages. Assess the security risks (threats and vulnerabilities) and the business impact of any security breaches.

To put the right information security measures in place, you need to know what information you hold and how your organisation would be affected by its loss or compromise. This aligns with the Public Records Act 2005.

INFOSEC 1 includes the following requirements:

INFOSEC 1.1 Understand the value of your information

Organisations must identify the information and ICT systems they manage, along with their value, importance, and sensitivity. This determines the measures required to protect them from harm. Also consider the greater potential impact of collections of information (aggregated information) if the whole collection were compromised.

  • Create an inventory of information and ICT systems
  • Assess the impact of possible information security incidents

INFOSEC 1.2 Assess the risks to information security

As part of GOV2, information security risks and their treatments need to be considered.


Refer to the PSR Policy Framework documents for details on the required and recommended measures to comply with the INFOSEC 1 mandatory requirement.

Guidance and resources

INFOSEC 2

Design your information security

Consider information security early in the process of planning, selection, and design.

Design security measures that address the risks your organisation faces and are consistent with your risk appetite. Your security measures must be in line with:

  • the New Zealand Government Security Classification System
  • the New Zealand Information Security Manual
  • any privacy, legal, and regulatory obligations that you operate under.

Adopt an information security management framework that is appropriate to your risks.

Once you understand the risks to your organisation’s information, you need to design fit-for-purpose security measures. These measures should be proportionate to your risks and in line with your risk appetite.

INFOSEC 2 includes the following requirements:

INFOSEC 2.1 Adopt an appropriate information security management framework

An information security management framework is the set of security approaches, standards, policies, and procedures adopted to manage and address the organisation’s specific information security risks. See Information Security Appendix A: INFOSEC Supporting Frameworks and Resources for example frameworks and standards.

INFOSEC 2.2 Design and implement information security measures

Your security measures may be procedural (restricting who has access and what they can do), physical (controlling access to areas with, for example, physical barriers, safes, and cabinetry), and technical (controlling access and security with, for example, ACS, firewalls, and encryption). See also NCSC Information Security Guidance (ncsc.govt.nz) for more information.

  • Use appropriate information security design approaches
  • Implement appropriate access controls
  • Address the points where your information could face critical risks

INFOSEC 2.3 Follow the Classification System

The New Zealand Government Information Security Classification System (Classification System) provides a framework for assessing the potential harm should government information be compromised and defines the minimum requirements for protecting government information.

A security classification defines the sensitivity of the information (i.e. the likely harm that would result from its compromise) and identifies the security measures needed to protect it. All government information requires an appropriate degree of protection to ensure its continued integrity, availability, and confidentiality. See also the Classification System for more information.

  • Adopt Classification System principles
  • Classify and assign protective markings
  • Protect classified information
  • Handle government information securely


Refer to the PSR Policy Framework documents for details on the required and recommended measures to comply with the INFOSEC 2 mandatory requirement.

Guidance and resources

INFOSEC 3

Validate your security measures

Confirm that your information security measures have been correctly implemented and are fit for purpose. Complete the certification and accreditation process to ensure your ICT systems have approval to operate.

The validation step provides senior executives with the confidence that information and its associated technology are well-managed, risks are properly identified and mitigated, and governance responsibilities can be met. You must validate the measures you implement to ensure they will work as expected.

ICT systems must go through the certification and accreditation process set out in the New Zealand Information Security Manual (nzism.gcsb.govt.nz).

INFOSEC 3 includes the following requirements:

INFOSEC 3.1 Ensure appropriate certification and accreditation


Refer to the PSR Policy Framework documents for details on the required and recommended measures to comply with the INFOSEC 3 mandatory requirement.

Guidance and resources

INFOSEC 4

Keep your security up to date

Ensure that your information security remains fit for purpose by:

  • monitoring for security events and responding to them
  • keeping up to date with evolving threats and vulnerabilities
  • maintaining appropriate access to your information.

Threats, vulnerabilities, and risks evolve over time as technology, business, and information demands change.

Organisations must ensure that their security measures keep pace with this change to remain relevant and effective.

INFOSEC 4 includes the following requirements:

INFOSEC 4.1 Analyse evolving security vulnerabilities and threats

Vulnerabilities may exist within your existing security measures. For example, how well are your security procedures followed? How well do the existing measures stand up to current threats? How would you know if your systems had been compromised? Are there sufficient layers of security (defence-in-depth) to reduce the risk of a breach? Monitor your systems, networks, and processes, as well as the wider environment, for possible threats and events. See also Information Security Appendix A for international threat catalogues.

  • Monitor for security events and vulnerabilities
  • Monitor evolving threats to information security

INFOSEC 4.2 Keep information security measures up to date

An organisation's security measures are only effective if they reflect its actual assessed risks and are kept up to date to address emerging risks and threats. This includes:

  • updating your access control systems as people join, change jobs, and leave the organisation
  • protecting ICT equipment and systems from known threats and compromises
  • applying security patches and updates
  • testing your business continuity, disaster recovery, and threat response plans to ensure the organisation can respond effectively during a compromise.

INFOSEC 4.3 Respond to information security incidents

When an incident occurs, organisations need to act quickly to limit the impact and recover as soon as possible. See GOV 6 for more information on how to manage incidents effectively.

INFOSEC 4.4 Review security measures

Reviewing your measures will help you to improve, adapt, or change your information security when needed. A mixture of regular and periodic reviews along with an annual assessment will help you to know when change is necessary, and how well your measures are being implemented and followed.

  • Conduct periodic reviews and assure compliance
  • Identify changes required to organisational information security

INFOSEC 4.5 Retire information securely

Organisations need to retire information and information assets securely, in compliance with relevant legislation, the Classification System, the NZISM, and best-practice standards. This may also include declassification, archiving, and disposal or destruction.


Refer to the PSR Policy Framework documents for details on the required and recommended measures to comply with the INFOSEC 4 mandatory requirement.

Guidance and resources