Information with protective markings must be controlled and handled correctly to keep it secure. Follow these requirements to ensure your agency complies with the Protective Security Requirements (PSR) for information security.
These requirements apply to:
- all government information (with or without security classifications)
- outsourcing or offshoring your information handling or storage to third parties, such as cloud service providers.
Levels of protection for protectively-marked information and equipment increase in line with their security classifications. The higher the security classification, the greater the need for protection.
The following requirements will help you to protect government information in line with the relevant security classification.
This section defines the minimum control and handling requirements. Agencies may apply greater security measures to certain classified information should they deem it appropriate based on the risks that the organisation faces. Refer to the agency’s classification and information security policies and procedures for the specific handling requirements for the environment.
Types of security measures for protecting government information
Security measures used to protect government information include:
- Procedural measures that restrict who can access and what can be done with government information and equipment, such as organisational policies, processes, and procedures.
- Physical measures that control access to areas where government information is stored or used, such as physical barriers, safes, and cabinetry.
- Technical measures that help to protect government information, such as security access control systems, firewalls, and encryption.
Agencies must consider the following minimum security requirements when defining their classification policy and procedures and designing their protective security measures.
General classified information security measures
Creating a registration system
Your agency must have a system for controlling and handling government and protectively-marked information.
For each document or file, your registration system needs to detail:
- when it was created
- where it is stored
- when it will be destroyed.
To register media, follow the requirements in the New Zealand Information Security Manual (NZISM) – 13.2.14 Registering Media.
Maintaining a Classified Document Register
You must maintain a Classified Document Register (CDR) for all TOP SECRET and ACCOUNTABLE MATERIAL produced or received within your agency.
The CDR should include details of the documents received and all retained copies.
It’s good practice to maintain a register for SECRET information. You can also use CDRs for documents with lower classifications when necessary for risk mitigation.
With due care, your CDR should rarely need to be protectively marked. When it is necessary, mark your CDR on its own merits — not according to the protective markings of the documents it records (unless the title of a document in your CDR is protectively marked, which should be rare).
If the volume of correspondence justifies it, use separate registers for each security classification and inwards and outwards correspondence.
Your agency must develop a system for auditing hardcopy information that has protective markings. Audit requirements for ICT systems and equipment are defined in the NZISM.
Using a receipt process to increase security
Consider having a receipt process for when protectively-marked information or equipment is delivered to your agency. The benefits include being able to:
- provide confirmation that information has been delivered
- trace the movement of protected information
- ensure the recipient takes responsibility for protecting the information.
Any type of receipt mechanism is suitable, as long as it identifies the document either by reference number or title.
A reference number is often easier than a title, as the title of a document may describe the content of a protectively-marked document or, in limited cases, contain a word such as ‘secret’ or ‘confidential’.
Specify a period on the receipt (for example, 7 days) within which the recipient must sign and return the receipt.
Confirm you’ve received all expected receipt returns within a month of their due date.
Spot-checking information marked ‘Top secret’ and ‘accountable material’
At irregular intervals, conduct or arrange a spot check of a small sample of TOP SECRET and ACCOUNTABLE MATERIAL to ensure it’s accounted for, and being handled and stored correctly. The manager responsible for the information should take charge of conducting or arranging spot checks.
Your agency should also conduct spot checks on 5 percent of TOP SECRET and ACCOUNTABLE MATERIAL per month.
All (100 percent) of your TOP SECRET and ACCOUNTABLE MATERIAL files must be checked within every two-year period.
Recording spot checks
Maintain a record of your spot checks. It is good practice to conduct a similar spot check of other protectively-marked files at irregular intervals.
The manager should report any discrepancies to the Chief Security Officer (CSO), Chief Information Security Officer (CISO), or other appropriate authority for investigation. Examples of other authorities that might be appropriate are the Privacy Commissioner, Ombudsman, National Cyber Security Centre (NCSC), or CERT NZ.
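The spot-check rules above (irregular selection, 5 percent of holdings per month, every file checked within each two-year period, discrepancies recorded for escalation) can be turned into a small scheduler that a CSO can run against the Classified Document Register. The following is an added illustration, not code from the PSR or from any agency's register; the entry fields, the `simulate` helper and the constructed reference numbers are assumptions for the example. It picks each month's sample by staleness (never-checked items first, then least recently checked) with random tie-breaking so the set is not predictable, and reports anything that has gone longer than the coverage window without a check.

```python
import math
import random
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_FRACTION = 0.05      # 5 percent of TOP SECRET / ACCOUNTABLE MATERIAL per month
FULL_COVERAGE_MONTHS = 24   # every file must be checked within a two-year period


@dataclass
class RegisterEntry:
    """One line of a Classified Document Register (field names are assumed)."""
    ref: str                         # reference number, preferred over a title
    classification: str              # e.g. "TOP SECRET" or "ACCOUNTABLE MATERIAL"
    registered: int = 0              # month index the item entered the register
    last_checked: Optional[int] = None   # month index of last spot check, None = never
    discrepancies: List[str] = field(default_factory=list)


def select_sample(register, month, rng, fraction=SAMPLE_FRACTION):
    """Choose this month's spot-check sample.

    Size is ceil(fraction * N). Never-checked items come first, then the least
    recently checked. The pool is shuffled before the stable sort so ties
    between equally stale items are broken at random.
    """
    if not register:
        return []
    n = max(1, math.ceil(len(register) * fraction))
    pool = list(register)
    rng.shuffle(pool)
    pool.sort(key=lambda e: -1 if e.last_checked is None else e.last_checked)
    return pool[:n]


def record_check(entry, month, finding=None):
    """Record that an item was checked; keep any discrepancy for the CSO/CISO report."""
    entry.last_checked = month
    if finding:
        entry.discrepancies.append(f"month {month}: {finding}")


def overdue(register, month, window=FULL_COVERAGE_MONTHS):
    """Items not checked within the last `window` months (counting from
    registration for items never checked)."""
    out = []
    for e in register:
        baseline = e.registered if e.last_checked is None else e.last_checked
        if month - baseline >= window:
            out.append(e)
    return out


def discrepancies_for_report(register):
    """Flatten recorded discrepancies into lines for escalation."""
    return [f"{e.ref}: {d}" for e in register for d in e.discrepancies]


def simulate(n_items, months=FULL_COVERAGE_MONTHS, seed=0):
    """Run the monthly sampler over a constructed register of n_items TOP SECRET
    files and return the register plus the sample size drawn each month."""
    rng = random.Random(seed)
    register = [RegisterEntry(ref=f"TS-{i:04d}", classification="TOP SECRET")
                for i in range(n_items)]
    counts = []
    for month in range(months):
        sample = select_sample(register, month, rng)
        for e in sample:
            record_check(e, month)
        counts.append(len(sample))
    return register, counts


if __name__ == "__main__":
    reg, counts = simulate(100)
    print("checks per month:", counts)
    print("never checked:", [e.ref for e in reg if e.last_checked is None])
    print("overdue at month 24:", [e.ref for e in overdue(reg, 24)])
```

With 100 files and a 5 percent monthly sample, staleness-first selection checks every file by month 20 and then cycles back to the oldest checks, so nothing is overdue at the two-year mark; the `overdue` list is the figure to put in the spot-check record and, if non-empty, to raise with the CSO or CISO.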
Go to the Management protocol for information security for more about managing information security incidents.
Page last modified: 20/06/2022