Agencies must develop specific protective marking policies, plans and procedures based on the New Zealand Government Security Classification System.
Agencies must develop detailed guidance to identify agency-generated information that requires a protective marking. This will help to ensure that information is marked at the appropriate level.
An agency’s protective marking policy should mitigate information security risks and facilitate sharing arrangements.
A protective marking policy supplements the security plan and, while it may form part of the plan, the guide can be used as standalone advice to employees.
Each agency’s individual protective marking requirements should mitigate the impact of the compromise of the official information it holds.
As such, the policy should be as comprehensive as possible. This can be achieved by consulting with representatives from every section within an agency.
The objectives of an agency protective marking policy should be to:
- identify the value of the information
- determine the level of protective marking needed, based on the impact of compromise of the confidentiality of the information.
Agencies with diverse functions may need to develop more than one protective marking policy, or sectionalise their policy based on function.
This will depend on the range of agency operations. Agencies may also need to develop policies to assist business partners to protectively mark sensitive or security classified information they may generate on behalf of the agency.
Protective marking and control of agency protective marking policy
The control and protective marking of the agency’s protective marking policy itself should be carefully considered against the business impact of the compromise of the confidentiality of the policy.
Individual elements of the policy should be protectively marked as appropriate.
Grouping information by type and potential harm may make it easier for employees to select the appropriate protective marking.
Examples of types of information are:
- client information, for example, individuals or organisations
- financial information, for example, accounts, budget or payments
- personnel information, for example, payroll, medical or taxation
- project information, for example, projects with similar objectives or processes might be grouped.
The groups could be further divided based on the impact of the compromise to individuals or organisations, the agency, the government, the national interest or national security.
Considerations when developing a protective marking guide
When developing agency protective marking guides, agencies should also consider:
- the capabilities of their ICT systems to label, store and transmit information
- procedures for archiving information
- procedures for disposing of unneeded information (in accordance with the Public Records Act 2005) through destruction, return to originator or transfer to another agency
- protecting the integrity of information
- establishing accountabilities and responsibilities for protectively marked material
- balancing the need to make information as widely available as possible, while still protecting the national interest and national security.
Also refer to Handling Requirements for Protectively Marked Information and Equipment.
Areas that should be covered in an agency protective marking guide
Agency protective marking guides should include the following areas.
- The agency protective marking policy (if not included as part of the agency information security management policy).
- A summary of the types of information generated or held by the agency that require protective markings, possibly in the form of a ready reference for employees, based on:
  - the impact of the compromise of confidentiality
  - requirements for endorsement and/or compartmented markings
  - any legislative secrecy provisions.
- How to apply protective markings to documents. Agencies should include procedures for the use of any templates in their systems and, for cases where templates are not applicable, document how to manually apply protective markings. Agencies should also consider including information on applying timeframes to protectively marked information when it is event-specific.
- Procedures for applying protective markings to information generated as a result of protectively marked information being provided from other sources. This should include marking information at the same level or higher than that received and how to request permission to use part of the information at a lower level.
- Procedures for protectively marking information received from foreign governments. Foreign government information must be handled in accordance with the articles of any agreements with the foreign governments. The agency protective marking guide could include a comparative protective marking table.
- Who can apply protective markings. Some agencies require a senior officer to confirm the application of protective markings above a certain level, including the inclusion of endorsement and/or compartmented markings.
- How to apply protective markings in the agency records management system. Electronic records management systems need to have the protective markings included in the document metadata.
- How to apply protective markings to emails. Agency email systems should have a capacity to apply protective marking to emails. In addition, agencies should have procedures relating to what types of information can be emailed and to whom.
- Agency protective marking review and declassification procedures. The archiving of protectively marked information can result in a large administrative and financial cost to agencies. As the impact of most information changes over time, agencies should have procedures to review the protective markings.
If not included in other areas of the agency’s information security procedures, agencies may include:
- storage advice, including storage within the agency and using external providers
- transmission procedures, including how to transfer information to other agencies
- destruction procedures (in accordance with the Public Records Act 2005), including the location and direction for use of shredders and bins.