The purpose of these requirements is to provide guidance on:
- the protective marking and handling of official and security classified information
- information bearing endorsement and/or compartmented markings.
These requirements are for:
- New Zealand government employees
- individuals who require access to protectively marked information.
These requirements aim to provide a consistent and structured approach to protectively marking and handling official information and material subject to the New Zealand Government Security Classification System.
These requirements introduce the application of protective markings and go on to describe handling procedures for protectively marked information and material including:
- removal of protectively marked information and material from agency premises
- transfer of protectively marked information and material
- receipt of protectively marked hardcopy information and material
- destruction of protectively marked hardcopy information and material.
These requirements relate to information security within the New Zealand government and support the implementation of the New Zealand Protective Security Requirements (PSR).
In particular, they support the Information Security Management Protocol.
They are part of a suite of documents that assist agencies to meet the mandatory information security requirements.
They should be read in conjunction with other supporting information security management requirements.
1.4 Compliance requirements
A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are the baseline controls, unless the control is demonstrably not relevant to the respective agency and this can be clearly demonstrated to the agency head or accreditation authority.
A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice. Valid reasons for not implementing a control could exist, including:
- a control is not relevant because the risk does not exist
- a process or control(s) of equal strength has been substituted.
Agencies must recognise that not using a control without due consideration may increase residual risk for the agency. This residual risk needs to be agreed and acknowledged by the agency head. In particular, an agency should pose the following questions:
- Is the agency willing to accept additional risk?
- Have any implications for All of Government security been considered?
- If so, what is the justification?
A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.
The PSR provides agencies with mandatory and best practice security measures.
The controls detailed above identify whether and when agencies need to consider specific security measures to comply with the mandatory requirements.