This protocol is designed to:
- provide high level guidance on achieving a consistent approach to information security management
- assist agencies to understand their information security governance, management and assurance responsibilities.
This protocol applies to:
- security practitioners and risk professionals such as Chief Security Officers (CSOs), Chief Information Security Officers (CISOs), Information Technology Security Managers (ITSMs), security risk and technology consultants, and security practitioners within agencies who are responsible for:
  - assessing risks to agency information assets
  - enabling high assurance within agency information systems
  - promoting adherence to information security controls
- managers, business and system owners to help them meet their oversight responsibilities
- external parties such as business partners, external auditors and industry regulators to help them understand the New Zealand government’s overall information assurance, governance and security position and, where applicable, to evaluate or direct the operation of specific information security controls to meet contractual obligations.
1.3 Definition of information security
Information security is a combination of governance, assurance, protective and procedural measures designed to mitigate risks associated with producing, handling and protecting all New Zealand government information and assets. It includes measures relating to the confidentiality, availability, and integrity of information that is processed, stored and communicated by electronic and other means.
The information security management protocol and associated requirements detail requirements for agencies to:
- comply with core information security policies
- meet the mandatory information security requirements within the New Zealand Protective Security Requirements (PSR).
1.5 Compliance requirements
A control with a ‘must’ or ‘must not’ compliance requirement indicates use of the control is mandatory. These are baseline controls unless a control is demonstrably not relevant to the agency, and this can be clearly shown to the agency head or accreditation authority.
A control with a ‘should’ or ‘should not’ requirement indicates use of the control is considered good and recommended practice. Valid reasons for not implementing a control could exist, including:
- a control is not relevant because the risk does not exist
- a process or control(s) of equal strength has been substituted.
Agencies must recognise that not using a control without due consideration may increase residual risk for the agency. This residual risk needs to be agreed and acknowledged by the agency head.
In particular, agencies should consider the following questions:
- Is the agency willing to accept additional risk?
- Have any implications for all-of-government security been considered?
- If so, what is the justification?
A formal auditable record of this consideration and decision is required as part of the agency’s governance and assurance processes.
The PSR provides agencies with mandatory and best practice security measures. The controls detailed above identify if and when agencies need to consider specific security measures to comply with the mandatory requirements.
1.6 Relevant standards
Standards relevant to this protocol are identified throughout the New Zealand Information Security Manual, together with additional guidance from national and international standards bodies.
1.7 Policy context
This protocol is part of the third tier of the New Zealand government’s protective security requirements hierarchy, as shown in Figure 1.
This protocol draws its authority from the Strategic Security Objectives, Core Policies and the Mandatory Requirements for Agencies and should be read in conjunction with the:
- Introduction and Overview to the Protective Security Requirements
- Security Structure and Agency Responsibilities
- Personnel Security Management Protocol
- Physical Security Management Protocol
- any agency-specific legislation.
Figure 1: Protective Security Requirements framework
1.9 Relationship to PSR structure
This protocol specifies information security controls to help satisfy the PSR’s mandatory requirements and implement best practice information security measures.
Requirements include a mix of mandatory and optional controls, and also provide advice and supporting information.
The PSR’s policy hierarchy is supported by activities such as assurance processes, security awareness training and compliance measures.
This protocol must be applied in conjunction with agencies’ other strategies, business plans and management arrangements. The protocol, the New Zealand Information Security Manual and associated standards and requirements will inform agency-specific information security policy and procedures through detailing security controls that must, or should, be implemented.
Standards and requirements will evolve to reflect changes in technologies and information security risks. The Government Communications Security Bureau (GCSB), along with the Government Chief Information Officer (GCIO), will authorise amendments to such requirements and the use of other standards as appropriate.