1 Introduction


1.1 Purpose

The purpose of these requirements is to:

  • provide guidance on recommended management practices to address the security risks associated with the aggregation of information
  • help agencies to identify the value of their aggregated information
  • provide guidance on the appropriate protections for the aggregated information. 

1.2 Audience

The audience for these requirements is:

  • New Zealand government information security management staff
  • New Zealand government contractors and service providers. 

1.3 Scope

These requirements cover:

  • the security of electronic aggregations of New Zealand government information, that is, data, although the principles contained in these requirements may also be applied to hard copy information
  • the minimum measures that must be implemented by agencies bound by the New Zealand Protective Security Requirements (PSR) (compliance with the PSR mandatory requirements and protocols cannot be claimed unless adherence to the requirements can be demonstrated).

For further details on the security of hard copy information, see the Physical Security Management Protocol and supporting information security documents.

Agencies that hold aggregations of personal information should also refer to the New Zealand Office of the Privacy Commissioner Privacy Breach Guidelines.

These requirements amplify, and should be read in conjunction with, the Information Security Management Protocol and other protective security requirements.


1.4 Compliance requirements

A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are the baseline controls unless the control is demonstrably not relevant to the respective agency and this can be clearly demonstrated to the agency head or accreditation authority.

A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice. Valid reasons for not implementing a control could exist, including:

  1. a control is not relevant because the risk does not exist
  2. a process or control(s) of equal strength has been substituted.

Agencies must recognise that not using a control without due consideration may increase residual risk for the agency. This residual risk needs to be agreed and acknowledged by the agency head. In particular, an agency should pose the following questions:

  1. Is the agency willing to accept additional risk?
  2. Have any implications for All of Government security been considered?
  3. If so, what is the justification?

A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.

The PSR provides agencies with mandatory and best practice security measures.

The controls detailed above identify if and when agencies need to consider specific security measures to comply with the mandatory requirements.

Also refer to Strategic Security Objectives, Core Policies and the Mandatory Requirements.


2 Understanding aggregated information


2.1 Defining aggregated information

Certain collections of information may require the application of higher or additional security controls than individual documents or pieces of information that comprise them.

This is because the business impact from the compromise of confidentiality, loss of integrity or unavailability of the aggregated information would cause greater damage than that of individual documents.

Such collections are normally referred to as ‘aggregated information’ or ‘aggregations’ and can include:

  • databases
  • data extracts from Information Technology (IT) systems
  • discrete data collections relating to specific projects or operations
  • data stored on media for transport
  • data stored in information systems.

Given that New Zealand government agencies now conduct the majority of their business electronically, substantial quantities of information are being processed and stored across government, and thus there are greater volumes of aggregated information sources.

Although these requirements focus on the aggregation of electronic information, the ideas and principles are also applicable to the management of aggregations of paper-based information.


2.2 Identifying agency aggregated information

Identifying aggregated information is an agency’s first step toward the proper management of its aggregated information holdings.

Agencies should clearly define:

  • descriptions and limits of an information collection, for example, by data type, subject, location or volume
  • value, importance and sensitivity (and therefore protective marking needs) of information aggregated into that collection
  • security requirements that are specific to the aggregation such as security clearances and access and authentication requirements of privileged users
  • designations of the information collection’s business owner (or owners) and users, that need access to the information held in it, together with the level of privileges they require
  • physical and logical locations where the information collection is stored, transmitted, transported and/or processed.

2.3 Determining the value of aggregated information

Agencies are responsible for the security of their information holdings. Therefore agencies should conduct a risk assessment of aggregated information to assist in determining its value, importance and sensitivity.

An agency risk assessment should assess the impact associated with the compromise of the confidentiality, integrity or availability of its information, individually and in aggregation. It should also assess the potential impact on any organisation/s or individual/s from or about which the agency holds information.

An agency should include a Business Impact Level (BIL) assessment as part of the risk assessment when determining the aggregated information value.

The BIL should consider the potential business impact to the agency if something were to happen to the information asset or aggregation. This and its contribution to the agency’s function (or the potential to impede its functionality) assists in determining its value. For example, what would happen to your agency if all or part of your database of sensitive client/customer information was corrupted? Or if a commercially sensitive tender database was accessed and manipulated by unauthorised persons?

The impact on the agency may be operational, reputational or monetary. An agency should also consider the value of an information asset to its business processes, not just as information in and of itself.

Aggregated information can be sourced from more than one originator and may be accessed by more than one user or custodian. Its overall value should include the views of all those responsible for the organisational process it supports. All should understand, and agree on, exactly what is being valued.

It is important to remember that a value derived simply from the number of documents in a data set is unreliable and should not be used as the sole basis for a valuation.

To ensure a consistent approach across government, agencies should use the Business Impact Levels to assess the potential damage from the compromise of the confidentiality, integrity or availability of their information.

Once the value, importance and sensitivity of the information is known, attention should be drawn to the risks that can negatively affect it.


2.4 Risks to aggregated information

Risks to aggregated information can include, but are not limited to:

  • the targeting of large quantities of information that the New Zealand public expects the government to protect (for example, personal health information), by cyber criminals, hackers or other opportunistic individuals
  • the ease of copying, modifying, disseminating or exploiting agency information in such a way that the agency is unaware of the incident, or, if alerted, cannot confirm the extent of the damage
  • the unauthorised removal of information by trusted insiders. This includes deliberate and accidental data spills
  • the theft, exploitation or other compromise of information held by the government, which could result in negative outcomes such as:
    • disruption to an agency’s ability to do business, or its responsiveness to meet its client and partner transactions
    • the erosion of trust between the agency and its clients, customers, partners and contractors or the government
    • violation of laws governing privacy or other types of information held in trust
    • embarrassment on an international, national or regional level, with potential deterioration in working relationships
    • exposure to legal proceedings by parties affected by the compromise or exploitation of information held or accessed by an agency.

2.5 Managing aggregated information

Agencies must apply security controls to aggregated information to meet the mandatory requirements specified for the highest protectively marked document.

Agencies should also manage the risks to the confidentiality, integrity or availability of the aggregated information.

Because every agency faces different security risks, each is responsible for developing its own approach to managing its aggregated information – one that is appropriate to its risk environment.

An agency’s risk management strategy should be based on a risk assessment that assesses the threats and vulnerabilities facing its aggregated information holdings.

Protective measures can then be selected to mitigate the identified risks in an effective, efficient, practical and cost-effective way.

Simply applying a higher protective marking will not ensure appropriate protection to aggregated information.

A protective marking is based on an assessment of the consequences associated with the compromise of the confidentiality of information. A risk assessment also takes into account the impact associated with the integrity and availability of the information being compromised and the likelihood of the risk events occurring.

If protective measures are not based on a risk assessment they could fail to adequately address the real risks involved or, conversely, impose unnecessary administrative burdens and costs.

Additional controls can be applied to mitigate increased likelihood of compromise without the need to upgrade the protective marking of an aggregation above its source data.

For example, an extract of data from a database can be subject to additional controls, reflecting the different risk exposure of the information once it has been removed from the system, while still retaining the same protective marking as the data held within the database.

A discrete collection of information may be assessed as requiring a higher protective marking where the aggregated information is significantly more valuable, because it reveals new and/or more sensitive information or intelligence than would be apparent from the individual data sources.

Examples could include data collections that support intelligence assessments or are designed to show evidence of fraud.

Under these circumstances, only the aggregated information would be assessed as requiring a higher protective marking. The components, when viewed separately, would retain their individual protective markings.

The security classification or additional protective markings applied to any collection should be at least equivalent to the highest classification or marking of any component it comprises.

Where a collection contains only a comparatively small number of highly classified items, consideration should be given to storing these separately and just referencing them in the main aggregated data set, rather than upgrading the classification of the whole collection.
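The two rules just stated (a collection is marked at least as high as its highest component, and a collection with only a few highly marked items may be better split into a referenced separate store than upgraded as a whole) can be expressed as a small decision helper. The following Python is an added example and is not part of the PSR guidance; the marking order, the component records and the 5% "comparatively small number" threshold are assumptions chosen for illustration, and an agency would substitute its own marking scheme and an assessed threshold.

```python
"""Added example (not PSR text): apply the section 2.5 marking rules to a
collection of components. Marking order and threshold are assumptions."""

# Assumed ordering of protective markings, lowest to highest (constructed
# for the example; an agency would use its own scheme and order).
MARKING_ORDER = ["UNCLASSIFIED", "IN-CONFIDENCE", "SENSITIVE",
                 "RESTRICTED", "CONFIDENTIAL", "SECRET"]


def rank(marking):
    """Numeric position of a marking in the assumed order."""
    return MARKING_ORDER.index(marking)


def minimum_collection_marking(components):
    """Rule 1: the collection is marked at least as high as its highest component."""
    return max((c["marking"] for c in components), key=rank)


def plan_collection(components, max_fraction=0.05):
    """Rule 2: if only a comparatively small share of items carry the top
    marking, store those separately and reference them from the main set
    instead of upgrading the whole collection. max_fraction is an assumed
    threshold for "comparatively small"."""
    top = minimum_collection_marking(components)
    top_items = [c for c in components if c["marking"] == top]
    remaining = [c for c in components if c["marking"] != top]
    fraction = len(top_items) / len(components)
    if remaining and fraction <= max_fraction:
        return {
            "main_marking": minimum_collection_marking(remaining),
            # the main set keeps only a reference to each separately stored item
            "main_set": [c["id"] for c in remaining]
                        + [f"ref:{c['id']}" for c in top_items],
            "separate_store": {"marking": top,
                               "items": [c["id"] for c in top_items]},
        }
    # otherwise the whole collection is held at the top marking
    return {"main_marking": top,
            "main_set": [c["id"] for c in components],
            "separate_store": None}


def sample_components():
    """Constructed sample: 38 IN-CONFIDENCE records, one SENSITIVE, one SECRET."""
    items = [{"id": f"doc-{i}", "marking": "IN-CONFIDENCE"} for i in range(1, 39)]
    items.append({"id": "doc-39", "marking": "SENSITIVE"})
    items.append({"id": "doc-40", "marking": "SECRET"})
    return items


if __name__ == "__main__":
    plan = plan_collection(sample_components())
    print("whole-collection marking:", minimum_collection_marking(sample_components()))
    print("plan:", plan)
```

With the constructed sample, the collection as a whole would have to be marked SECRET, but because only one of forty items is SECRET the helper proposes a SENSITIVE main set that references doc-40, with doc-40 held in a separate SECRET store. If the share of top-marked items exceeds the threshold, the helper keeps the whole collection at the top marking.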


3 Applying good management principles

Agencies should use principles to select, interpret, prioritise and reinforce policies, strategies, plans, actions and expected behaviours.

The following principles apply to protecting and securing aggregated information:

  • accountability
  • adequacy
  • availability
  • awareness
  • compliance
  • confidentiality
  • integrity
  • measurement
  • response
  • resilience
  • risk management.

These principles also apply to the development of other agency protective security policy and procedures.


3.1 Accountability

Agency heads are accountable for providing effective oversight for information security of aggregated information, including ensuring the effective execution of the agreed protection strategies.

Delegation of accountability and responsibility should be clearly defined, allocated to and accepted by nominated staff who then have the authority to act on behalf of the agency head.

Agency accountability and responsibility for information security of aggregated information should be visible to all stakeholders.

Agencies should have staff in place who possess the necessary knowledge, skills and abilities to fulfil their responsibilities under agency policy.

Agencies should ensure that all users with access to aggregated information understand their responsibilities around this access.

Each staff member should be assigned a specific role and responsibilities and given specific authority and accountability in the management of the aggregated information.

Agencies should, as part of their periodic risk reviews, evaluate their aggregated information security program, review the evaluation results, report on performance to agency management and develop a remedial plan to correct deficiencies.

The Chief Security Officer (CSO), or the Chief Information Security Officer (CISO), should work with aggregated information owners to ensure all processes are documented, implemented and regularly reviewed.

Agencies should have a secure process or procedure for purging information when the need to preserve the information has expired.

Also refer to the Public Records Act 2005.


3.2 Adequacy

The investment in protection strategies (principles, policies, procedures, processes and controls) for aggregated information should be commensurate with the associated risks.

Risk is determined from the business impact, having assessed the information’s vulnerability to loss, damage, disclosure, denial or interruption of access. Agencies should consider the likelihood, frequency and severity of potential vulnerabilities.

Agencies should ensure sufficient resources (people, time, equipment, facilities and funding) are authorised and assigned to achieve and uphold an acceptable level of protection.

Agencies should ensure information asset owners work together to identify and agree the requirements for the compartmentalisation that sensitive or protectively marked aggregated information sets need.

Agency policies should direct information asset owners to declare business impact levels and identify their security requirements (confidentiality, availability, integrity and authentication) and to set up appropriate, measurable security controls.


3.3 Awareness

Agencies should:

  • be aware of and understand the need to protect aggregated information
  • ensure all users are aware of the specific security risks and protection strategies associated with their use of aggregated information
  • ensure users are aware of and understand their roles and responsibilities in relation to information collections
  • provide training and education to users given access to protectively marked aggregated information
  • set attendance at periodic training as a requirement for continued access to information collections. Individual performance reviews should include an evaluation of how well the individual fulfils their responsibilities.

3.4 Compliance

Aggregated information protection strategies should identify any legislative or regulatory requirements, and take into consideration the ongoing requirements of conducting business and/or requirements of relevant external stakeholders.

Agencies should incorporate any necessary actions to evaluate compliance objectively (such as internal and external audits) into the information security compliance programme.

This includes regular monitoring, review and reporting of compliance findings to affected and interested parties.

Agencies should ensure that remedial and timely action is taken for any aggregated information security deficiencies.


3.5 Measurement

Agencies should identify and seek periodic reports on measures and indicators that show the value and adequacy (or lack of it) of aggregated information security protection strategies.

Periodic measurement indicates how well policies and processes are functioning and whether or not they are producing desired performance outcomes.


3.6 Response

Agencies should:

  • provide users with the guidance and resources to act in a timely, coordinated manner to prevent or respond to security incidents that could compromise the aggregated information held in an information collection
  • develop and regularly test business continuity, disaster recovery, crisis management and security incident management plans to adequately prepare for significant service interruption, attack or other incident, and to resume normal operations as soon as possible.

3.7 Resilience

The degree to which an agency is resilient is directly dependent on the ability of the agency to confront all hazards and continue to achieve its defined outputs.

Given the ever-increasing dependency on information systems to deliver government outputs, agencies should consider the resilience capability of systems carrying large quantities of aggregated information.

That is, whether:

  • the system can provide and maintain an acceptable level of service in the face of major changes or disruption
  • the system is less susceptible to disruption and is capable of recovering from sudden changes by returning to a near-original service delivery level.

3.8 Risk management

Agencies should:

  • continually review, assess and modify aggregated information protection strategies in response to changes in the risk context in which they operate.
  • explain acceptable levels of risk to aggregated information assets based on the business impacts associated with the compromise of its confidentiality, integrity or availability. Such levels should be regularly reviewed and examined as part of the agency’s risk management strategy. The costs of compromise should be quantified to a realistic worst-case scenario as part of continuing risk management.
  • select and regularly review the performance of controls to effectively manage the risks associated with the agency’s use of aggregated information.
  • develop plans for remedial action to adjust risk management deficiencies and carry out those plans following each review.

4 Apply good security practices

Through applying sound management principles and good security practices, agencies can mitigate the risks associated with information aggregation and better protect their aggregated information.

By working to ensure the security of the aggregated information in their charge, agencies can not only avoid the negative consequences associated with an information security breach but can also strengthen their relationships with customers and partners.

The following good security practice themes should be considered by agencies as they apply to protecting and securing all types of information and, in particular, to security issues around aggregated information:

  • information security strategy
  • agency information security framework (policy and planning)
  • information security framework and external party access
  • physical and environmental security
  • personnel security
  • information technology security
  • information security incident management
  • business continuity management
  • audit and monitoring
  • vulnerability management and assessment.

Each practice theme is represented by actions, behaviours and conditions that show its presence in an agency’s culture and conduct.


4.1 Information security strategy

The agency’s security strategy should be part of the agency’s overall strategic planning activity. It serves as a systematic plan of action for implementing, maintaining and improving the security posture of the agency.

The strategy encompasses and describes the agency’s information security program, including all of the activities and processes performed to accomplish it.

This includes protecting aggregated information, considered in the context of all other security strategy actions.

Each agency should consider its unique operating circumstances, as well as its culture, mission, functions and critical success factors.

An effective information security strategy aligns with, and supports, the business strategy and drivers of an agency.


4.2 Agency information security framework (policy and planning)

Information security management systems determine how an agency defines and establishes the limits and boundaries for using its information, including aggregated information.

The core of the information security management systems defines the agency’s risk tolerance, which suggests the range of security events the agency is prepared to withstand.

For example, a higher risk tolerance may mean the agency believes it would not suffer a significant or material impact if a security weakness or vulnerability was exploited by a malicious party.

As the agency’s risk tolerance narrows, a more extensive security strategy is necessary as well as well-defined and prescribed requirements for behaviour and action.


4.3 Information security framework and external party access

Security architecture and design is the physical and logical implementation of the agency’s security strategies, policies and procedures to enable the agency to meet its business and operational requirements.

It is the agency’s implementation of security structure throughout the various layers of its technical infrastructure. This includes physical devices, hardware, software and the ways in which security is managed and administered in this infrastructure.

Security architecture and design addresses the unique requirements reflected in the profile for each subset of aggregated information.

This practice includes ensuring that systems on which aggregated information is stored, processed and transmitted are securely configured, and that configurations are maintained using a well-defined and enforced change and configuration management process.

External party access (i.e. access by vendors, contractors, service providers or other agencies) to agency information should ensure that the agency’s requirements for confidentiality, integrity and availability are met.

Agencies should communicate their requirements to these external parties, together with how they are expected to behave so they do not expose the agency to additional risk.

Agencies should recognise that they ultimately retain accountability for ensuring their information is appropriately protected from unauthorised access, disclosure, modification or deletion. It is essential that external parties understand their roles and responsibilities and are held contractually liable for adequately protecting any agency-owned aggregated information to which they have access.

Where there is no contractual relationship with external parties, agencies should ensure that all external parties remain aware of, and adhere to, the policies and procedures which protect aggregated information.

Also refer to Security Requirements of Outsourced Services and Functions.


4.4 Physical and environmental security

Physical and environmental security is a component of a comprehensive protection strategy for tangible aggregated information resources such as hardware, software and media.

For additional information see the Information Security Management Protocol.


4.5 Personnel security

Personnel security is another component of a comprehensive strategy for the management of aggregated information resources.

Agencies should assess, based on the Business Impact Levels (BILs) of aggregations, the level of security clearance, or other personnel security measures, required by employees who will access the aggregations of information.

Also refer to Business Impact Levels.

This is a particularly important consideration for people with administrator access, their supervisors or people in positions of trust who have a greater potential for harm than ordinary system users.

Risks associated with loss or compromise of the data (rather than confidentiality of the information) should be included in determining staff access.

For additional information, see the Personnel Security Management Protocol and the New Zealand Information Security Manual published by the Government Communications Security Bureau, which contain specific personnel security training requirements for Information and Communications Technology (ICT) systems and administrators.


4.6 Information technology security

ICT security is the range of technical mechanisms an agency uses to enable and enforce policy, standards and procedures.

Technical practices and mechanisms should be applied to counter known and anticipated threats and vulnerabilities to aggregated information, software, systems and networks.

See the New Zealand Information Security Manual for further information on technical controls.

As well as threat avoidance, resistance, detection and recovery, technology also supports security controls such as:

  • least privilege/separation of duties
  • access control
  • role-based authentication
  • firewalls, including use of policy segregated networks
  • change and patch management
  • aggregated database server configuration control and encryption
  • redundancy
  • acceptable implementation of aggregated information profiles, such as separating classified from unclassified information.

The security of aggregated information is governed by the information security strategy and plans and spans physical, logical and operational domains.

The physical domain includes the networks and the directly connected systems.

The logical domain includes the ways in which users access and authenticate system and network resources related to aggregated information.

The operational domain considers how and where certain agency functions are performed by the owner(s) and users of aggregated information.


4.7 Information security incident management

Information security incident management is the agency’s process for identifying, reporting and responding to suspected security incidents and violations, including those involving aggregated information.

The agency should prepare for incidents involving the agency’s network and technical infrastructure, physical facilities and human resources such as social engineering attempts.

The agency should address incidents as a part of the overall security strategy, providing another tool for monitoring its environment, understanding its vulnerabilities and the threats it faces, and assisting in the development of proactive mitigating and protective strategies.

For aggregated information in particular, incident management includes the processes for communication to, and warning of, affected parties such as clients and partners.

Incident management may also include remedial and corrective actions necessary to restore client and partner confidence.

Further information can be found in Reporting Incidents and Conducting Security Investigations.

Also refer to the National Cyber Security Centre’s website and its Security Incident Reporting form. Go to: www.ncsc.govt.nz


4.8 Business continuity management

Business continuity management directs the approaches and actions taken by the agency to continue, or return to, normal operational functions when confronted with significant and/or adverse disruption.

Business continuity management involves both proactive and reactive steps to facilitate an effective and efficient recovery from any contingency that puts the agency’s mission at risk.

Managing the impact/s involves and requires suitable policies, plans and procedures to be documented, communicated, tested and evaluated before a contingency situation occurs.

Business continuity management practices include ensuring aggregated information back-ups are regularly made, transmitted securely (encrypted), reach their back-up storage location, are stored securely, and that the aggregated information can be readily restored to a known state from any given back-up media.
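The back-up practice above has three checkable properties: the back-up reaches its storage location unaltered, it is stored in a form that can be verified, and it restores to a known state. The following Python is an added example and is not the PSR's own procedure; it records a manifest of SHA-256 digests when the back-up is made, checks the archive digest on arrival, and checks every restored file against the manifest, so a back-up that was corrupted or altered in transit is refused rather than restored. The file names and contents are constructed sample data, and encryption of the archive in transit (which the page requires) is assumed to be handled by the transport or storage layer and is not shown here.

```python
"""Added example (not PSR text): manifest-based integrity checks for a
back-up of an aggregated data extract. Sample data is constructed."""
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample extract of an aggregated data set (not real data).
SAMPLE_FILES = {
    "clients.csv": b"id,name,marking\n1,Alpha Ltd,IN-CONFIDENCE\n2,Beta Co,SENSITIVE\n",
    "tenders.json": b'[{"tender": "T-101", "marking": "SENSITIVE"}]\n',
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def make_backup(files):
    """Pack files into a tar archive and record per-file digests plus the
    digest of the whole archive. The manifest is kept separately from the
    archive so that a modified archive cannot carry a matching manifest."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            tar.addfile(info, io.BytesIO(files[name]))
    archive = buf.getvalue()
    manifest = {"archive_sha256": sha256(archive),
                "files": {name: sha256(data) for name, data in files.items()}}
    return archive, manifest


def verify_arrival(archive, manifest):
    """Check at the storage location that the archive arrived intact."""
    return sha256(archive) == manifest["archive_sha256"]


def restore(archive, manifest, dest_dir):
    """Restore every file into dest_dir, refusing any file whose digest
    does not match the manifest. Returns the restored file names."""
    if not verify_arrival(archive, manifest):
        raise ValueError("archive digest does not match manifest")
    restored = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            if os.path.basename(member.name) != member.name:
                raise ValueError(f"unexpected path in archive: {member.name}")
            data = tar.extractfile(member).read()
            expected = manifest["files"].get(member.name)
            if expected is None or sha256(data) != expected:
                raise ValueError(f"{member.name} does not match manifest")
            with open(os.path.join(dest_dir, member.name), "wb") as fh:
                fh.write(data)
            restored.append(member.name)
    return restored


def corrupt_in_transit(archive):
    """Simulate a single flipped byte during transfer."""
    damaged = bytearray(archive)
    damaged[len(damaged) // 2] ^= 0x01
    return bytes(damaged)


def run_demo():
    """Back up the sample, verify arrival, restore to a known state, and show
    that a corrupted copy is detected rather than restored."""
    archive, manifest = make_backup(SAMPLE_FILES)
    result = {"arrived_intact": verify_arrival(archive, manifest)}
    with tempfile.TemporaryDirectory() as dest:
        result["restored"] = restore(archive, manifest, dest)
        with open(os.path.join(dest, "clients.csv"), "rb") as fh:
            result["restored_matches"] = fh.read() == SAMPLE_FILES["clients.csv"]
    damaged = corrupt_in_transit(archive)
    result["corrupt_arrived_intact"] = verify_arrival(damaged, manifest)
    try:
        with tempfile.TemporaryDirectory() as dest:
            restore(damaged, manifest, dest)
        result["corruption_detected"] = False
    except ValueError:
        result["corruption_detected"] = True
    return result


if __name__ == "__main__":
    print(run_demo())
```

Keeping the manifest on a separate channel from the archive is the point of the design: a back-up whose digest travels inside the same file can be altered together with its digest, whereas a separately held manifest lets the storage location confirm arrival and lets a restore be checked against the state recorded when the back-up was taken.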


4.9 Audit and monitoring

Monitoring and auditing examines the degree to which the agency’s information security policies are being implemented and followed.

Monitoring activities are the means by which the agency systematically checks its security posture for weaknesses and vulnerabilities and starts suitable responses where necessary.

This includes observing system and network events, configurations, and processes under routine operation for suspicious or unauthorised events related to aggregated information security.
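Observing events for suspicious or unauthorised activity against an aggregation is most concrete as detection logic run over the access log of the system that holds it. The following Python is an added example and is not the PSR's own tooling; it parses constructed sample log lines from an assumed aggregated-database export log and raises alerts for three of the risks named in section 2.4: access by a user who is not on the designated user list (section 2.2), export of an unusually large number of rows by one user within an hour, and exports outside business hours. The log format, user list, thresholds and business hours are all assumptions chosen for illustration.

```python
"""Added example (not PSR text): simple detection rules over a constructed
access log for an aggregated database. Format and thresholds are assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (not real data); one event per line.
SAMPLE_LOG = """\
2024-03-05T09:12:01Z user=asmith action=query table=clients rows=12
2024-03-05T09:15:40Z user=asmith action=export table=clients rows=150
2024-03-05T09:40:02Z user=bjones action=query table=tenders rows=3
2024-03-05T10:02:13Z user=asmith action=export table=clients rows=900
2024-03-05T10:05:59Z user=asmith action=export table=clients rows=1200
2024-03-05T22:31:07Z user=cwong action=export table=tenders rows=40
2024-03-05T23:02:44Z user=unknown7 action=query table=clients rows=5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)$")

# Assumed designated users of the collection (section 2.2) and thresholds.
AUTHORISED_USERS = {"asmith", "bjones", "cwong"}
BULK_EXPORT_ROWS = 2000          # rows exported per user within WINDOW
WINDOW = timedelta(hours=1)
BUSINESS_HOURS = (7, 19)         # 07:00 to 19:00 UTC


def parse(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    event["rows"] = int(event["rows"])
    return event


def detect(log_text):
    """Return (kind, user, timestamp) alerts in log order."""
    alerts = []
    recent_exports = defaultdict(deque)   # user -> deque of (ts, rows) in window
    for line in log_text.splitlines():
        event = parse(line)
        if event is None:
            continue
        if event["user"] not in AUTHORISED_USERS:
            alerts.append(("unauthorised_user", event["user"], event["ts"]))
        if event["action"] != "export":
            continue
        if not BUSINESS_HOURS[0] <= event["ts"].hour < BUSINESS_HOURS[1]:
            alerts.append(("after_hours_export", event["user"], event["ts"]))
        window = recent_exports[event["user"]]
        window.append((event["ts"], event["rows"]))
        # drop exports that fell out of the sliding one-hour window
        while window and event["ts"] - window[0][0] > WINDOW:
            window.popleft()
        if sum(rows for _, rows in window) > BULK_EXPORT_ROWS:
            alerts.append(("bulk_export", event["user"], event["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, user, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind} user={user}")
```

On the sample, asmith's three exports within one hour add up to 2,250 rows and trigger the bulk-export rule on the third export, cwong's 22:31 export is flagged as after hours, and unknown7 is flagged as not a designated user. In practice the thresholds would come from the agency's own baseline of normal use, and the user list from the business owner's designation of users and privileges.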


4.10 Vulnerability management and assessment

Vulnerability management determines the state of technical and operational weaknesses in the technical infrastructure where aggregated information resides and how to suitably mitigate these.

Vulnerability assessment is a proactive or preventive monitoring activity where systems and networks are examined for known technical flaws or weaknesses.

Results of a vulnerability assessment are analysed, prioritised and reported, with actions tracked to completion.


Last modified: 18 December 2014
