The purpose of these requirements is to:
- provide guidance on recommended management practices to address the security risks associated with the aggregation of information
- help agencies to identify the value of their aggregated information
- provide guidance on the appropriate protections for the aggregated information.
The audience for these requirements is:
- New Zealand government information security management staff
- New Zealand government contractors and service providers.
These requirements cover:
- the security of electronic aggregations of New Zealand government information (that is, electronic data), although the principles contained in these requirements may also be applied to hard copy information
- the minimum measures that must be implemented by agencies bound by the New Zealand Protective Security Requirements (PSR) (compliance with the PSR mandatory requirements and protocols cannot be claimed unless adherence to the requirements can be demonstrated).
For further details on the security of hard copy information, see the Physical Security Management Protocol and supporting information security documents.
Agencies that hold aggregations of personal information should also refer to the New Zealand Office of the Privacy Commissioner Privacy Breach Guidelines.
These requirements amplify, and should be read in conjunction with, the Information Security Management Protocol and other protective security requirements.
1.4 Compliance requirements
A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are the baseline controls unless the control is demonstrably not relevant to the respective agency, and that irrelevance can be clearly demonstrated to the agency head or accreditation authority.
A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice. Valid reasons for not implementing such a control could exist, including:
- the control is not relevant because the risk does not exist
- a process or control(s) of equal strength has been substituted.
Agencies must recognise that not using a control without due consideration may increase residual risk for the agency. This residual risk needs to be agreed and acknowledged by the agency head. In particular, an agency should pose the following questions:
- Is the agency willing to accept additional risk?
- Have any implications for All of Government security been considered?
- If so, what is the justification?
A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.
The PSR provides agencies with mandatory and best practice security measures.
The controls detailed above identify if and when agencies need to consider specific security measures to comply with the mandatory requirements.
1.5 Relevant standards
Other relevant requirements and documents are:
- Information Security Management Protocol
- New Zealand Information Security Manual
- Personnel Security Management Protocol
- Physical Security Management Protocol
- Business Impact Levels
- Reporting Incidents and Conducting Security Investigations
- Security Requirements of Outsourced Services and Functions
- New Zealand Office of the Privacy Commissioner Privacy Breach Guidelines
- Public Records Act 2005.