1 Introduction


1.1 Purpose

The purpose of these requirements is to establish a whole-of-government approach to how different categories of official information are treated when considering outsourced or offshore Information and Communications Technology (ICT) arrangements.


1.2 Audience

The audience of these requirements is:

  • New Zealand government employees and contractors with responsibility for information security, particularly agency Chief Information Security Officers (CISOs)
  • agencies planning to enter into outsourced or offshore ICT arrangements for official information without a protective marking or with a protective marking of IN CONFIDENCE, SENSITIVE or RESTRICTED.

1.3 Scope

These requirements support the implementation of the New Zealand Protective Security Requirements (PSR).

In particular, they support the Information Security Management Protocol and the New Zealand Information Security Manual (NZISM).

They are part of a suite of documents available to help agencies meet their information security requirements.


1.4 Compliance requirements

A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are baseline controls; a control may be omitted only where it is demonstrably not relevant to the respective agency and this can be clearly demonstrated to the agency head or accreditation authority.

A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice. Valid reasons for not implementing a control could exist, including:

  1. a control is not relevant because the risk does not exist
  2. a process or control(s) of equal strength has been substituted.

Agencies must recognise that not using a control without due consideration may increase residual risk for the agency. This residual risk needs to be agreed and acknowledged by the agency head. In particular, an agency should pose the following questions:

  1. Is the agency willing to accept additional risk?
  2. Have any implications for All of Government security been considered?
  3. If so, what is the justification?

A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.

The PSR provides agencies with mandatory and best practice security measures.

The controls detailed above identify if and when agencies need to consider specific security measures to comply with the mandatory requirements.

Also refer to Strategic Security Objectives, Core Policies and the Mandatory Requirements.


1.5 Relevant standards

Additional information relevant to these requirements is available online from the Government Chief Information Officer (GCIO) website. Go to: www.ict.govt.nz


2 Policy

Under the policy framework, agency heads must adopt a risk-based approach to information security decisions.

The objective of this approach is to ensure that the level of risk is balanced with the potential benefits.

As part of these arrangements, it is important to understand that although agencies can outsource responsibility to a service provider for implementing, managing and maintaining security controls, agency heads will remain accountable for ensuring their data is appropriately protected.

Agencies should join common capability cloud solutions if they exist rather than sourcing individual cloud solutions.

Under this policy, agencies:

  • can enter into outsourced and offshore ICT arrangements for the storage or processing of information protectively marked at, or below, RESTRICTED
  • must not enter into offshore ICT arrangements for the storage or processing of information protectively marked at CONFIDENTIAL, SECRET or TOP SECRET
  • can enter into outsourced ICT arrangements which are physically located in New Zealand for the storage or processing of information protectively marked at CONFIDENTIAL, SECRET or TOP SECRET with the prior approval of the GCSB
  • that are considering using cloud services must contact the GCIO for advice and guidance
  • that are considering using cloud services must follow the advice and guidance in Cloud Computing: Information Security and Privacy Considerations, an online document published by the GCIO. Go to www.ict.govt.nz
  • that are planning to use a cloud service must perform a formal risk assessment using the agency's information security risk assessment process and the guidance provided in Cloud Computing: Information Security and Privacy Considerations to identify the controls required to manage the information security and privacy risks associated with the agency’s use of the service
  • must verify that the security controls required to manage security and privacy risks have been implemented and are effective before certifying and accrediting the service for use.

Also refer to Table 1.

Before entering into any arrangements for outsourced offshore cloud services that will store or process information protectively marked at, or below, RESTRICTED (excluding non-protectively marked information that is publicly available), or outsourced onshore cloud services that will store or process information protectively marked above RESTRICTED, agencies:

  • must conduct a formal risk assessment to identify the controls required to appropriately manage the information security and privacy risks associated with the agency’s use of the service
  • must formally accept the residual risk associated with the agency’s use of the service that processes protectively marked information
  • must inform the GCIO of their decision and provide evidence that a formal risk assessment has been completed, the guidance and advice from the GCIO has been followed and that they have formally accepted the residual risk associated with their agency’s use of the service
  • must accredit the systems used by the contractor to at least the same minimum standard as the agency’s systems
  • must ensure cloud service providers apply the controls specified in the New Zealand Information Security Manual to any systems hosting, processing or storing agency data and systems
  • must not use public or hybrid cloud services to host, process or store material with the New Zealand Eyes Only (NZEO) endorsement marking.

Table 1: Policy for the Storage and Processing of New Zealand Government Information in Outsourced or Offshore Arrangements

Column 1: Unclassified information that is publicly available

Agencies can enter into outsourced and offshore ICT arrangements for the storage or processing of non-protectively marked information that is publicly available.

Before entering into any outsourced or offshore ICT arrangements, agencies must formally assess the associated security risks and identify the controls required to manage them.

The handling, storage, transmission, transportation and disposal of information in the arrangement should be done in accordance with the New Zealand Government Information Security Management Protocol.

Column 2: Information protectively marked at, or below, RESTRICTED

Agencies can enter into outsourced and offshore ICT arrangements for the storage or processing of information protectively marked at, or below, RESTRICTED.

Before entering into any outsourced or offshore ICT arrangements, agencies must:
  • contact the GCIO for advice and guidance when adopting onshore or offshore cloud services
  • follow the advice and guidance presented in Cloud Computing: Information Security and Privacy Considerations (published by the GCIO)
  • formally assess the associated security and privacy risks and identify the controls required to manage them.

After entering into an outsourced or offshore ICT arrangement, agencies must verify that the security controls required to manage security and privacy risks have been implemented and are effective before certifying and accrediting the service for use.

Agency heads must:
  • ensure that a formal risk assessment has been completed
  • accept the residual risk associated with the agency’s use of the service
  • inform the GCIO of their decision to enter into the outsourced or offshore arrangement.

Column 3: Information protectively marked at CONFIDENTIAL, SECRET or TOP SECRET

Agencies must not enter into offshore ICT arrangements for the storage or processing of information protectively marked at CONFIDENTIAL, SECRET or TOP SECRET.

Agencies can enter into outsourced ICT arrangements that are physically located in New Zealand for the storage or processing of information protectively marked at CONFIDENTIAL, SECRET or TOP SECRET with the prior approval of the GCSB.

Last modified: 18 December 2014
