1 Introduction

1.1 Purpose

This protocol is designed to:

  • provide high level guidance on achieving a consistent approach to information security management
  • assist agencies to understand their information security governance, management and assurance responsibilities.

1.2 Audience

This protocol applies to:

  • security practitioners and risk professionals such as Chief Security Officers (CSOs), Chief Information Security Officers (CISOs), Information Technology Security Managers (ITSMs), security risk and technology consultants, and security practitioners within agencies who are responsible for
    • assessing risks to agency information assets
    • enabling high assurance within agency information systems
    • promoting the adherence to information security controls
  • managers, business and system owners to help them meet their oversight responsibilities
  • external parties such as business partners, external auditors and industry regulators to help them understand the New Zealand government’s overall information assurance, governance and security position and, where applicable, to evaluate or direct the operation of specific information security controls to meet contractual obligations.

1.3 Definition of information security

Information security is a combination of governance, assurance, protective and procedural measures designed to mitigate risks associated with producing, handling and protecting all New Zealand government information and assets.  It includes measures relating to the confidentiality, availability, and integrity of information that is processed, stored and communicated by electronic and other means.

1.4 Scope

This protocol and its associated requirements set out what agencies must do to:

  • comply with core information security policies
  • meet the mandatory information security requirements within the New Zealand Protective Security Requirements (PSR).

1.5 Compliance requirements

A control with a ‘must’ or ‘must not’ compliance requirement indicates use of the control is mandatory.  These are baseline controls unless they are not relevant to the agency and this can be clearly demonstrated to the agency head or accreditation authority.

A control with a ‘should’ or ‘should not’ requirement indicates use of the control is considered good and recommended practice.  Valid reasons for not implementing a control could exist, including:

  • a control is not relevant because the risk does not exist
  • a process or control(s) of equal strength has been substituted.

Agencies must recognise that not using a control without due consideration may increase residual risk for the agency.  This residual risk needs to be agreed and acknowledged by the agency head.  In particular, agencies should consider the following questions:

  1. Is the agency willing to accept additional risk?
  2. Have any implications for all-of-government security been considered?
  3. If so, what is the justification?

A formal auditable record of this consideration and decision is required as part of the agency’s governance and assurance processes.

The PSR provides agencies with mandatory and best practice security measures.  The controls detailed above identify if and when agencies need to consider specific security measures to comply with the mandatory requirements.

Also refer to Strategic Security Objectives, Core Policies and the Mandatory Requirements For Agencies.

1.6 Relevant standards

Standards relevant to this protocol are identified throughout the New Zealand Information Security Manual, together with additional guidance from national and international standards bodies.

1.7 Policy context

This protocol is part of the third tier of the New Zealand government’s protective security requirements hierarchy, as shown in Figure 1.

This protocol draws its authority from the Strategic Security Objectives, Core Policies and the Mandatory Requirements for Agencies and should be read in conjunction with the:

Figure 1: Protective Security Requirements framework (figure not reproduced here)

1.9 Relationship to PSR structure

This protocol specifies information security controls to help satisfy the PSR’s mandatory requirements and implement best practice information security measures.

Requirements include a mix of mandatory and optional controls, and also provide advice and supporting information.

The PSR’s policy hierarchy is supported by activities such as assurance processes, security awareness training and compliance measures.

This protocol must be applied in conjunction with agencies’ other strategies, business plans and management arrangements.  The protocol, the New Zealand Information Security Manual and associated standards and requirements will inform agency-specific information security policy and procedures by detailing the security controls that must, or should, be implemented.

Standards and requirements will evolve to reflect changes in technologies and information security risks. The Government Communications Security Bureau (GCSB), along with the Government Chief Information Officer (GCIO), will authorise amendments to such requirements and the use of other standards as appropriate.

2 Risk assessment and treatment

Mandatory requirement

GOV3: Agencies must adopt a risk management approach to cover all areas of protective security across their organisation, in accordance with the New Zealand standard AS/NZS ISO 31000:2009 Risk Management - Principles and Guidelines.

Agencies should implement a risk management process to support the implementation of the New Zealand Information Security Manual and to inform design, certification and accreditation decisions.

Agencies should conduct information security risk assessments and develop treatments using:

3 Agency information security policy and planning

Mandatory requirements

GOV4: Agencies must develop their own set of protective security policies, plans and protocols to meet their specific business needs. Policies and plans must be reviewed every two years or sooner if changes in risks or the agency’s operating environment dictate.

INFOSEC1: Agencies must address information security requirements through the development and implementation of an information security policy as part of the agency security plan.

Information security policies set the strategic direction for information security.  The information security policy should be sponsored by the agency head and delegated to the Chief Security Officer (CSO), Chief Information Security Officer (CISO) or Chief Information Officer (CIO).

The agency head must approve an information security policy document and ensure it is communicated to all employees and relevant external parties.  In accordance with GOV4, agencies should review their policy at least every two years or whenever significant changes occur (for example, to the agency’s sphere of responsibilities) to ensure the policy remains relevant, adequate and effective.

Agencies should primarily use implementation guidance from the following publications when developing information security policy documents:

4 Information security framework and external party access

Mandatory requirement

INFOSEC2: Agencies must establish a framework to provide direction and coordinated management of information security. Frameworks must be appropriate to the level of security risk in the agency’s information environment and consistent with business needs and legal obligations.

The information security framework, in conjunction with GOV1, should comprise a range of functions and provide the mechanism to ensure appropriate information systems security controls are in place and being adhered to. It should enable the agency to become aware of changes to systems, risks or standards that might drive changes to security controls.

In accordance with GOV6, agencies should ensure security personnel are familiar with the information security functions and services provided by other government agencies to help augment their internal support.  Contact with special interest groups, specialist security forums and professional associations should also be maintained to promote a good breadth of security awareness.

In support of GOV5, agencies should have information security reviews conducted by personnel independent of the subject of the review, or by an independent third party, in order to identify any gaps or errors in the implementation of security controls.

Agencies should primarily reference guidance in the following publications when developing information security frameworks and policies governing access by external parties:

4.1 External parties

Mandatory requirement

GOV8: Agencies must ensure contracted providers comply with the Protective Security Requirements and agency-specific protective security protocols.

Risks to the agency’s information holdings and information processing facilities arising from business processes involving third parties must be identified.  Suitable controls must be in place before granting access to third parties.

Agencies should regularly monitor, review and audit the services, reports and records provided by external parties.

Agencies should manage changes to the provision of services, including to maintain and improve existing security procedures and controls.

For more information regarding contractual obligations refer to Security of Outsourced Service and Functions.

5 Information asset management

Mandatory requirements

INFOSEC3: Agencies must implement policies and protocols for the protective marking and handling of information assets in accordance with the Protective Security Requirements New Zealand Government Security Classification System and the New Zealand Information Security Manual.

GOV9: Agencies must adhere to any provisions concerning the security of people, information and assets contained in multilateral or bilateral agreements and arrangements to which New Zealand or the agency is a party.

Agencies must follow the requirements of the New Zealand Government Classification System and Handling Requirements for Protectively Marked Information and Equipment for the protective marking and handling of government held, processed and communicated information and data.  When establishing policies for the protective marking of information, agencies must consider the level of protection it requires and who needs to access it.

Agencies should primarily use guidance in the following publications when developing their information asset management policies:

5.1 Responsibility for information assets

Agencies should identify significant information assets, including those required to support business continuity and disaster recovery plans.  Asset details should be recorded in a complete and accurate inventory.

Appropriately senior managers should be accountable for the protection of significant information assets, with this responsibility being recorded in asset inventories. These people are responsible for ensuring the assets are appropriately protectively marked, and for defining and reviewing associated information security controls, including access controls.

For further information on identifying the types of assets to add to an inventory, refer to ISO/IEC 27002:2013.

When specifying suitable protective measures for information assets, agencies should also refer to the New Zealand Information Security Manual for guidance on business continuity and disaster recovery processes, and to Business Impact Levels for an understanding of their relative values.

5.2 Protective markings

Agencies must protectively mark official information and material in accordance with the New Zealand Government Security Classification System.

Agencies must handle protectively marked official information and material in accordance with the Handling Requirements for Protectively Marked Information and Equipment.

Agencies should establish a policy on how they mark, protect and handle information that requires increased protection but does not qualify for a protective marking.

5.3 Business Impact Levels (BILs)

During the risk assessment process agencies should determine the business impact of the loss of confidentiality, integrity and/or availability of information assets, both individual and aggregated, in accordance with Business Impact Levels.

5.4 Aggregation

The aggregation of official information can mean the overall classification of a collection needs to be higher than the classification(s) of its individual elements.  Agencies should follow the requirements and guidance set out in Management of Aggregated Information.

5.5 Foreign government information

Where agencies hold information originating from a foreign government, agencies should follow the requirements and guidance set out in Safeguarding Foreign Government Information (under development).

5.6 Information declassification

Agencies should include details of their agency declassification programme in their information security policy and plans.

Information should be declassified as soon as it no longer meets the criteria for protective marking as described in the New Zealand Government Security Classification System.

6 Operational security management

Mandatory requirements

INFOSEC4: Agencies must document and implement operational procedures and measures to ensure information, systems development and systems operations are designed and managed in accordance with security, privacy, legal and regulatory obligations under which the agency operates.

INFOSEC5: Agencies must ensure there is a formal process to approve ICT systems to operate.  This process, known as ‘certification and accreditation’, is an essential component of the governance and assurance of ICT systems and supports risk management.  The process is described in the New Zealand Information Security Manual.

GOV5: Agencies must have an assurance system to conduct an annual security assessment against the mandatory requirements detailed within the Protective Security Requirements. Agencies must be prepared to report this assessment information upon request from lead security agencies.

6.1 Operational procedures and responsibilities

Operating procedures must be documented, maintained and made available to all users who need them.

Any changes to information systems carrying a protective marking of TOP SECRET must be controlled through a formal management process.

Changes to all information systems should be controlled through a formal management process.

Duties and areas of responsibilities must be segregated to reduce opportunities for the unauthorised or unintentional modification or misuse of agency information assets.

Agencies should separate development, test and operational facilities to reduce the risk of unauthorised access or changes to systems.

For additional information refer to the New Zealand Information Security Manual.

6.2 Certification and accreditation

Agencies must develop a certification and accreditation framework for their agency.

Agencies must certify and accredit their information systems in accordance with the process set out in the New Zealand Information Security Manual – System Certification and Accreditation. This requirement applies to existing systems that have not yet been certified and accredited, new information systems, upgrades and new software versions.

Agencies should ensure appropriate system testing is carried out during development and before acceptance.

6.3 Information access controls

Agencies must have in place measures for controlling access to all information, ICT systems, networks (including remote access), infrastructure and applications.

Access control rules and measures must be:

  • based on assessed and residual risks
  • consistent with business requirements, protective markings and legal obligations.

There are several areas to consider, including:

  • user access management – who should be able to access what
  • user responsibilities to protect information
  • network access control – what resources can be accessed on a network
  • system access control – secure logins
  • application and information access control
  • risks associated with mobile computing and remote working
  • Bring Your Own Device (BYOD).

When developing information access controls agencies should primarily reference the following sources:

6.4 Information systems development and maintenance

Agencies must have in place security measures during all stages of ICT system development and implementation.  These measures must match the assessed security risk of the aggregated information holdings contained within the systems.

During system development and maintenance agencies must consider a range of requirements to ensure information security is managed properly in accordance with assessed risk.  Key elements for consideration include:

  • business requirements
  • data validation
  • security architecture
  • cryptographic controls
  • access control
  • change management controls
  • identification and management of vulnerabilities
  • supply chain.

Agencies should primarily reference the following sources when developing systems management measures and procedures:

6.6 Compliance with policy, protocols, standards and technical advice

Agencies should ensure all security policies, processes and procedures within their areas of responsibility are risk-managed and carried out correctly to meet the requirements of the PSR.

The New Zealand Information Security Manual (NZISM) encapsulates the GCSB’s guidance for managing the protection, security and privacy of government-held information.  The requirements and processes detailed in the NZISM must be followed to mitigate threats to information systems.

Agencies should regularly check their compliance with other security implementation standards.

6.7 Information systems audit considerations

To minimise the risk of disruption to agency business processes, agencies should carefully plan and agree suitable audit requirements for operational systems.

The opportunity for unauthorised access to agency information system audit tools should be minimised so as to limit the potential to misuse or compromise them.

Last modified: 18 December 2014