How to protect information

Storing and filing information

Managing electronic information

Storing electronic information

Government information stored electronically within ICT systems require strong security measures to protect it from compromise. The standard for ICT system security is defined within the New Zealand Information Security Manual (NZISM)(external link). The agency’s Chief Information Security Officer (CISO) is responsible for ensuring their systems and that of any supplier to government who holds agency information comply with the NZISM to ensure the information is adequately protected.

At a minimum, an ICT system must carry a protective marking equal to the highest security classification of information within it.  The agency must consider the value and sensitivity of information within the system as a whole. If the security risks increase when the information is aggregated (combined), the system may need a higher security classification and security measures than the highest classification level of the specific information.

An ICT system will be certified to hold government information and data up to a certain classification level. An agency must register their core ICT systems classification level and certification status. ICT systems that are classified can include (but not limited to):

  • Email systems
  • Document management systems
  • Collaboration and conferencing systems
  • Human resource systems
  • Financial systems
  • Operational business systems and databases.

ICT systems may be hosted in house or in the cloud and are still required to meet the NZISM minimum standards.

An ICT system certified to hold up to TOP SECRET is protected to the highest level and can hold government information at any classification level.

For more information, refer to the NZISM.

USER TIP: When working with ICT systems, be sure to understand the highest level of classification that the system is certified to hold. You must not store information at higher classifications than the system is certified to hold.

For example, if a system is certified to hold up to RESTRICTED, it can only hold information classified at UNCLASSIFIED, IN-CONFIDENCE, SENSITIVE, or RESTRICTED.

Filing electronic information

When electronic information is added to an ICT system, where possible the classification and other protective markings should be recorded within its metadata. This will enable the automation of protective security measures based on the protective marking on the information.

An agency’s classification policy and procedures should detail any user requirements for recording classification and protective markings and filing information into ICT systems that they use.

Refer to the agency’s system user manuals for details on how to protectively mark and handle classified information within each ICT system that you use.

USER TIP: Even when using the same technology (e.g. Microsoft 365), agencies implementation of the security measures and functions may differ. That does not necessarily mean that one agency’s system is less secure than another; it only means that the security mechanisms have been implemented slightly differently.

Managing physical files

At a minimum, a file must carry a protective marking equal to the highest security classification of information within it.

Make sure you consider the value and sensitivity of information within a file as a whole. If the security risks increase when the information is aggregated (combined), the file may need a higher security classification and marking.

Access, usage and storage or classified information must meet the PSR physical zone requirements.

Adding information to a file

When new information is added to a file, the file user must ensure that the protective marking is still appropriate. If information is added that is at a higher security classification than the file itself, the file user must reclassify the file before attaching the new document.

Filing TOP SECRET and SECRET documents

Place TOP SECRET and SECRET documents in an appropriate file or cover immediately. The location of at least the TOP SECRET document must then be recorded in the CDR.

Filing information lower than SECRET

If you need to file information marked at levels lower than SECRET, place it in an appropriate file as soon as possible after it is created or received.

Using file references and numbering

Your agency should use a file reference and folio number for protectively-marked files, so you can maintain a record of the information held on the file. It is also considered good practice to follow normal filing procedures, such as recording the date and name of the person holding the file.

Using standard colours to make file markings easy to see

The protective markings on files must be clear and easy to distinguish from other markings. If possible, use the standard colours for file covers on your protectively-marked files. Some agencies might have other requirements that prevent you from using the standard colours.