Governance
GOV051
Protecting information
You must protect information when it is being used away from your office or being transported to another location. You must also comply with the handling requirements for protectively-marked information.
Securing official information in private facilities
You might find it difficult to adequately secure your information when your people are working in private facilities, such as commercial or client facilities. You’re unlikely to have control over key security controls such as alarm or keying systems.
Unless your organisation has full control over the space, you should treat the facilities as zone 1 security areas for information and asset storage.
Storing protectively-marked information
Protectively-marked information must not be stored outside your offices unless you have implemented:
- the Management protocol for information security
- the Management protocol for physical security
- supporting requirements (including the accreditation of any ICT and physical security arrangements).
You should not allow TOP SECRET information to be stored outside your premises unless it is critical for an operation. The New Zealand Security Intelligence Service must certify all storage of TOP SECRET information.
Transferring information away from the office
It is unrealistic to expect people to maintain physical custody of information at all times if it can’t be carried on their person.
However, you should restrict the use of removable ICT media, such as USB sticks and portable hard drives, for carrying large quantities of information, as they are easily lost.
Information is at considerable risk when it is being transported. Consider all alternatives before you allow your people to transport information to remote locations.
Some alternatives to consider are:
- giving people remote secure access to your ICT networks (if a connection can be arranged)
- transporting the information to nearby New Zealand Government or jurisdictional facilities using endorsed couriers or secure networks
- storing the information on a portable device approved by the Government Communications Security Bureau — a device that provides additional logical controls to prevent unauthorised access.
When you can’t arrange alternative transport, consider arranging for information to be secured in suitable New Zealand Government or New Zealand Government-approved facilities during breaks in trips.
For more information, go to:
Disposing of official information securely
Your organisation should have procedures in place for securely disposing of official information in all scenarios where people work away from the office.
You must ensure all protectively-marked information is returned to your premises for destruction unless you have approved destruction equipment located off-site.
For more information, refer to:
- Handling requirements for protectively-marked information and equipment
- NZISM: Product Sanitisation and Disposal
- NZISM: Media Management, Decommission and Disposal
Page last modified: 4/05/2022