Information security

INF018

Controlling and handling official information with protective markings

Official information with protective markings must be controlled and handled correctly to keep it secure.

Follow these requirements to ensure your agency complies with Protective Security Requirements (PSR) for information security.

These requirements apply to:

  • all official information (with or without security classifications)
  • outsourcing or offshoring your information handling or storage to third-parties, such as cloud service providers.

Complying with requirements for classified information

Levels of protection for protectively-marked information and equipment increase in line with their security classifications. The higher the security classification, the greater the need for protection.

The following requirements will help you to protect official information in line with the relevant security classification.

  • Control and handling of SENSITIVE or RESTRICTED documents and material
  • Control and handling of CONFIDENTIAL documents and material
  • Control and handling SECRET documents and material
  • Control and handling of TOP SECRET documents and material

Creating a registration system

Your agency must have a system for controlling and handling official and protectively-marked information.

For each document or file, your registration system needs to detail:

  • when it was created
  • where it is stored  
  • when it will be destroyed.

To register media, follow the requirements in the New Zealand Information Security Manual(NZSIM) – 13.2.14 Registering Media.

Maintaining a Classified Document Register

You must maintain a Classified Document Register (CDR) for all TOP SECRET and ACCOUNTABLE MATERIAL produced or received within your agency.

The CDR should include details of the documents received and all retained copies.

It’s good practice to maintain a register for SECRET information. You can also use CDRs for documents with lower classifications when necessary for risk mitigation.

With due care, your CDR should rarely need to be protectively marked. When it is necessary, mark your CDR on its own merits — not according to the protective markings of the documents it records (unless the title of a document in your CDR is protectively marked, which should be rare). 

If the volume of correspondence justifies it, use separate registers for each security classification and inwards and outwards correspondence.

Auditing hardcopies

Your agency must develop a system for auditing hardcopy information that has protective markings. Audit requirements for ICT systems and equipment are defined in the NZISM.

Using a receipt process to increase security

Consider having a receipt process for when protectively-marked information or equipment is delivered to your agency. The benefits include being able to:

  • provide confirmation that information has been delivered
  • trace the movement of protected information
  • ensure the recipient takes responsibility for protecting the information.

Any type of receipt mechanism is suitable, as long as it identifies the document either by reference number or title.

A reference number is often easier than a title, as the title of a document may describe the content of a protectively-marked document or, in limited cases, contain a word such as ‘secret’ or ‘confidential’. 

Specify a period on the receipt (for example, 7 days) in which the recipient must sign and returned the receipt. 

Confirm you’ve received all expected receipt returns within a month of their due date.

Spot-checking information marked ‘Top secret’ and ‘accountable material’

At irregular intervals, conduct or arrange a spot check of a small sample of TOP SECRET and ACCOUNTABLE MATERIAL to ensure it’s accounted for, and being handled and stored correctly. The manager responsible for the information should take charge of conducting or arranging spot checks.

Your agency should also conduct spot checks on 5 percent of TOP SECRET and ACCOUNTABLE MATERIAL per month.  

All (100 percent) of your TOP SECRET and ACCOUNTABLE MATERIAL files must be checked within every two-year period.

Recording spot checks

Maintain a record of your spot checks. It is good practice to conduct a similar spot check of other protectively-marked files at irregular intervals.

Reporting discrepancies

The manager should report any discrepancies to the Chief Security Officer (CSO), Chief Information Security Officer (CISO), or other appropriate authority for investigation. Examples of other authorities that might be appropriate are the Privacy Commissioner, Ombudsman, National Cyber Security Centre (NCSC), or Cert NZ. 

Go to the Management protocol for information security for more about managing information security incidents.

Managing and marking physical files

At a minimum, a file must carry a protective marking equal to the highest security classification of information within it. 

Make sure you consider the value and sensitivity of information within a file as a whole. If the security risks increase when the information is aggregated (combined), the file may need a higher security classification and marking.

Adding information to a file

When new information is added to a file, the file user must ensure that the protective marking is still appropriate. If information is added that is at a higher security classification than the file itself, the file user must reclassify the file before attaching the new document.

Filing TOP SECRET and SECRET documents

Place TOP SECRET and SECRET documents in an appropriate file or cover immediately. 

The location of at least the TOP SECRET document must then be recorded in the CDR.

Filing information lower than SECRET

If you need to file information marked at levels lower than SECRET, place it in an appropriate file as soon as possible after it is created or received.

Using file references and numbering

Your agency should use a file reference and folio number for protectively-marked files, so you can maintain a record of the information held on the file. It is also considered good practice to follow normal filing procedures, such as recording the date and name of the person holding the file.

Using standard colours to make file markings easy to see

The protective markings on files must be clear and easy to distinguish from other markings. If possible, use the standard colours for file covers on your protectively-marked files. (Some agencies might have other requirements that prevent you from using the standard colours.)

Figure 1: Standard colours for file covers

Managing outsourcing and offshoring arrangements for ICT

If you’re considering outsourcing functions, services, or capabilities to third parties inside or outside of New Zealand, make sure you understand the value, classification, and risks of the information that suppliers and their sub-contractors will have access to. 

Your agency must follow the outsourcing and offshoring guidelines and policies defined below.

Making ICT arrangements: what you can and can’t do

Your agency can enter into:

  • outsourcing and offshoring arrangements for storing or processing information marked at, or below, RESTRICTED

  • outsourcing arrangements in New Zealand for storing or processing information marked at CONFIDENTIAL, SECRET or TOP SECRET only with the prior approval of the Government Communications Security Bureau (GCSB).

Your agency must not enter into offshoring arrangements for storing or processing information marked as CONFIDENTIAL, SECRET, or TOP SECRET.

Considering or planning cloud services

If your agency is considering using cloud services, you must contact the Government Chief Digital Officer (GCDO) for advice. Check their online content first: Using Cloud Services

If your agency is planning to use a cloud service, you must:

  • carry out a formal risk assessment
  • follow the guidance in Cloud Computing: Information Security and Privacy Considerations.

Next, you must use your risk assessment and the guidance to identify which controls you need to manage the risks associated with using the service (information and privacy risks).

Outsourcing services for storing and processing official information

Before your agency outsources services for storing and processing official information to an offshore or onshore provider, there are several steps you must take.

These steps apply to arrangements for outsourcing services to an:

  • offshore provider that will store or process information marked at, or below, RESTRICTED(excluding public information with no protective markings)
  • onshore provider that will store or process information marked above RESTRICTED.

Your agency must:

  • conduct a formal risk assessment to identify the controls required to appropriately manage the information security and privacy risks associated with using the service
  • formally accept the residual risk associated with using a service that processes protectively-marked information
  • inform the GCDO of your decision, and give them evidence that you’ve completed a formal risk assessment and followed their guidance
  • accredit the systems used by the contractor to at least the same minimum standard as for your systems
  • ensure the cloud service provider applies the controls specified in the New Zealand Information Security Manual to any systems hosting, processing, or storing your agency’s data and systems
  •  not use public or hybrid cloud services to host, process, or store material with the New Zealand Eyes Only (NZEO) endorsement marking.

Unclassified information that is publicly available

Your agency can enter into outsourcing and offshoring arrangements for storing or processing information that is publicly available and doesn’t have any protective markings. However, you must formally assess the associated security risks and identify the controls required to manage them.

You must also ensure that providers handle, store, transmit, transport, and dispose of information in line with the Management protocol for information security.

Verifying security controls: Certifying or accrediting services

Before your agency certifies or accredits a service for use, you must verify that the security controls required to manage the security and privacy risks have been implemented and are effective.

See the ‘Validate’ section of the Information security lifecycle for more information.

Storing official and protectively-marked information safely

Store official and protectively-marked information in line with Security Zones.

Page last modified: 5/08/2019