Managing electronic information
Storing electronic information
Government information stored electronically within ICT systems requires strong security measures to protect it from compromise. The standard for ICT system security is defined within the New Zealand Information Security Manual (NZISM). The agency’s Chief Information Security Officer (CISO) is responsible for ensuring that the agency’s systems, and those of any supplier to government who holds agency information, comply with the NZISM so that the information is adequately protected.
At a minimum, an ICT system must carry a protective marking equal to the highest security classification of information within it. The agency must consider the value and sensitivity of information within the system as a whole. If the security risks increase when the information is aggregated (combined), the system may need a higher security classification, and correspondingly stronger security measures, than the highest classification level of the specific information it holds.
An ICT system will be certified to hold government information and data up to a certain classification level. An agency must register the classification level and certification status of its core ICT systems. ICT systems that are classified can include (but are not limited to):
- Email systems
- Document management systems
- Collaboration and conferencing systems
- Human resource systems
- Financial systems
- Operational business systems and databases.
ICT systems may be hosted in-house or in the cloud; in either case they are still required to meet the NZISM minimum standards.
An ICT system certified to hold up to TOP SECRET is protected to the highest level and can hold government information at any classification level.
For more information, refer to the NZISM.