Governance

GOV048

Managing ICT security

Meet ICT security requirements before you allow mobile or remote working arrangements to begin.

Before arrangements start, your organisation must meet all ICT security requirements specified in the New Zealand Information Security Manual (NZISM) - Working Off-Site.

Be mindful that ICT security for equipment can be difficult to enforce when people are working away from the office. However, when your people are using equipment your organisation has provided, it’s reasonable to expect them to use it in much the same way as they would in the office.

Include boundaries for use of ICT equipment in your policies

In your policies for mobile and remote working, you should clearly define boundaries for the use of equipment your organisation provides.

You should cover:

  • what reasonable personal use means
  • whether equipment can be used by family members or not
  • any restrictions or rules you need your people to comply with.

Manage protectively-marked information

You must not allow your people to access protectively-marked information on public computers or other public ICT communication devices, such as those in internet cafes, hotel business centres, or airport lounges.

All information accessed on public ICT equipment is at risk. Your organisation has no control over who can access the equipment or the security features or applications that are enabled on the equipment by its owner or manager.

Consider the use of personal ICT equipment for work carefully

Today, more people are using their personal devices for corporate purposes, or their corporate devices for personal purposes. Both usage scenarios increase the risks to your organisation’s information. User education is crucial to managing the risks.

Before you approve the use of personal devices, refer to the following guidance on BYOD security controls you should have in place.

NZISM: 21.4. Non-Agency Owned Devices and Bring Your Own Device (BYOD)

Do not allow your people to use personal ICT equipment for processing information with a Business Impact Level (BIL) of high or above, or protectively marked RESTRICTED or above.

Be mindful that even when devices are turned off, information is still stored in memory and is therefore vulnerable.

Make sure your people understand the risk of information being lost when they’re working from a USB stick or similar storage device.

Page last modified: 4/05/2022