The New Zealand government collects and receives information to fulfill its functions and expects all those who hold or access this information to protect it.
Agencies should develop, document, implement and review appropriate security measures to protect information from unauthorised use or accidental modification, loss or release through:
- establishing an appropriate information security culture within the agency
- implementing security measures that match the information’s value, sensitivity and any protective marking
- adhering to all legal requirements.
The mandatory requirements of this core policy are based on the following elements:
- confidentiality – ensuring information is accessible only to those authorised to have access
- integrity – safeguarding the accuracy and completeness of information and processing methods
- availability – ensuring authorised users have access to information and associated assets when required.
The term ‘information assets’ within this policy refers to any form of information, including:
- printed documents and papers
- electronic data
- the software or ICT systems and networks on which information is stored, processed or communicated
- the intellectual information (knowledge) acquired by individuals
- physical items from which information regarding design, components or use could be derived.
For more information refer to the Information Security Management Protocol and supporting requirements.
Sharing information and other assets
Agencies must implement this policy when sharing protectively marked information and assets with New Zealand government agencies, other governments, private sector, educational and international organisations.
In such cases agencies should outline security responsibilities, safeguards to be applied and terms and conditions for continued participation.
Agencies must treat information and other assets received from foreign jurisdictions in accordance with relevant legislation and agreements between the parties concerned.
5.1 Agency information security policy and planning
INFOSEC1: Agencies must address information security requirements through the development and implementation of an information security policy as part of the agency security plan.
The policy and plan should:
- detail the objectives, scope and approach to the management of information security risks and issues within the agency
- be endorsed by the agency head
- identify information security roles and responsibilities
- detail the types of information an employee:
  - can lawfully disclose in the performance of his or her duties
  - needs to obtain authority to disclose
- be reviewed and evaluated in line with changes to agency business and information security risks
- be consistent with the requirements of the agency’s wider protective security plan and information security risk assessment findings
- address the issue of data aggregation
- include details of the agency’s declassification programme
- explain the consequences of breaching the policy or circumventing any associated protective security measure
- be communicated on an ongoing basis, be accessible to all employees and, where practical, be publicly available.
5.2 Information security framework and external party access
INFOSEC2: Agencies must establish a framework to provide direction and coordinated management of information security. Frameworks must be appropriate to the level of security risk in the agency’s information environment and consistent with business needs and legal obligations.
- document requirements for information security when entering into outsourcing contracts and arrangements with contractors and consultants
- enter into Memoranda of Understanding (MOU) with other agencies when regularly sharing information and, where reasonable and practical, make these MOUs publicly available
- ensure that prior to providing third parties with access to government information and ICT systems, security measures that match the protective marking of the information or ICT systems are in place and clearly defined in relevant agreements or contracts
- ensure appropriate permissions are received before providing third parties with access to information not originating within the agency.
5.3 Information asset protective marking and control
INFOSEC3: Agencies must implement policies and protocols for the protective marking and handling of information assets in accordance with the Protective Security Requirements New Zealand Government Security Classification System and the New Zealand Information Security Manual.
When addressing policies and procedures for protective marking and control, agencies should:
- identify, document and assign owners for the maintenance of security measures for all major information assets, including hardware, software and services used in agency operations (including ICT assets used to process, store or transmit information)
- require all agency information be classified and protectively marked in accordance with the New Zealand Government Security Classification System
- implement controls for all security classified and protectively marked information (including for handling, storage, transmission, transportation and disposal) in accordance with the Handling Requirements for Protectively Marked Information and Equipment
- develop and maintain a protective marking guide specific to the agency which is accessible to all employees.
Additionally, agencies should ensure:
- the agency’s protective marking guide does not limit the provisions of relevant legislative requirements or other obligations (including international) under which the agency operates
- disposal of public records is in accordance with legislative and regulatory requirements.
5.4 Operations security management
INFOSEC4: Agencies must document and implement operational procedures and measures to ensure information, systems development and systems operations are designed and managed in accordance with security, privacy, legal and regulatory obligations under which the agency operates.
INFOSEC5: Agencies must ensure there is a formal process to approve ICT systems to operate.
This process, known as ‘certification and accreditation’, is an essential component of the governance and assurance of ICT systems and supports risk management. The process is described in the New Zealand Information Security Manual.
Operational procedures and responsibilities
Agencies must document and implement operational procedures and measures to ensure information, ICT systems and network tasks are managed securely and consistently in accordance with required levels of security and privacy protection.
- have in place incident management procedures and mechanisms to review violations and to ensure appropriate responses to security incidents, breaches and failures
- have in place adequate controls to prevent, detect, remove and report attacks and malicious code on ICT systems and networks
- operate comprehensive systems maintenance processes and procedures, including operator, audit and fault logs, and backup procedures
- implement operational change control procedures to ensure appropriate management and approval of all changes to information processing facilities or ICT systems
- comply with legal obligations when exchanging information in any form with other agencies or third parties
- apply the protective marking standards and controls specified in the Information Security Management Protocol and the New Zealand Information Security Manual.
Information access controls
Agencies must have in place measures for controlling access to all information, ICT systems, networks (including remote access), infrastructures and applications.
Access control rules must be consistent with the agency’s risk assessment, business requirements, security classifications and legal obligations.
- assess access requirements against the New Zealand Information Security Manual
- require specific authorisation to access agency ICT systems
- assign each user a unique personal identification code and secure means of authentication
- define, document and implement policies and procedures to manage operating systems security, including user registration, authentication management, and access rights and privileges to ICT systems and application utilities
- display restricted access and authorised use only (or equivalent) warnings upon access to all agency ICT systems
- where wireless communications are used, appropriately configure security features to at least the equivalent level of security of wired communications
- implement control measures to detect and regularly log, monitor and review ICT systems and network access and use, including all significant security-relevant events
- conduct risk assessments and define policies and processes for mobile technologies and teleworking facilities
- prior to connection, assess security risks and implement appropriate controls associated with the use of ICT facilities and devices not owned by government such as mobile telephones, personal storage devices, Internet and email.
Information systems development and maintenance
Agencies must have in place security measures during all stages of ICT system development and implementation. These measures must match the assessed security risk of the information holdings contained within the systems.
When implementing new ICT systems, or changing existing systems, agencies must:
- address security from the early phases of the system development lifecycle, including concept development, planning, requirements analysis and design
- consult internal and/or external audit functions when implementing new or significant changes to financial and critical business systems
- incorporate processes in applications, including data validity checks, audit trails and activity logging, to ensure the integrity and accuracy of data captured or held by systems
- apply authentication policies and techniques set out in the New Zealand Information Security Manual
- identify and implement access controls
- control access to ICT system files to ensure the integrity of business systems, applications and data
- carry out appropriate change control, system and acceptance testing and migration control measures when installing or upgrading software
- conduct certification and accreditation of all new systems to confirm they meet security standards.
In order to ensure legal, regulatory, privacy and contractual obligations relevant to information security are managed appropriately, agencies must:
- take all reasonable steps to monitor, review and audit agency information security effectiveness, including assigning appropriate security roles and engaging internal auditors, external auditors and specialist organisations when required
- regularly review all agency information security policies, processes and requirements, including contracts with third parties, and report their compliance to agency management.