Address all the points where your information security could be breached

When you design your security measures, address your critical information security risks and vulnerabilities including your cyber-security threats, information security culture, security products, and processes.

Design appropriate access controls to ensure that only those who need to know have access to information

Your organisation must have measures in place for controlling access to all information, ICT systems, networks (including remote access), infrastructure and applications, as defined in the NZISM: Access Controls.

Areas to consider include:

• user access management — who should be able to access what
• user responsibilities and segregation of duties to protect information
• network access control — what resources can be accessed on a network
• system access control — secure logins
• application and information access control
• risks associated with mobile computing and remote working
• Bring Your Own Device (BYOD).

Make sure your organisation complies with its mandatory obligations

The New Zealand Information Security Manual (NZISM) is a resource that New Zealand Government agencies must use (and private organisations can use) to ensure your organisation complies with its obligations. It is important to carefully assess which controls apply to your organisation.

The design of all your security measures for information, ICT systems, networks (including remote access), infrastructure, and applications must be lawful.

Resources for designing information security

You should ensure that all defence layers have adequate security measures. Use the resources below to support the design of your security measures:

• Network and perimeter security
  NZISM: Network Security
  NZISM: Gateway Security
  NZISM: Enterprise System Security
  
  
• Security monitoring
  NZISM: Information Security Monitoring
  
  
• System security
  NZISM: Physical security of servers and IT equipment
  NZISM: Communication Systems and Devices
  
  
• Application security
  NZISM: Product security
  NZISM: Software Security
  NZISM: Email Security
  NZISM: Using the Internet
  
  
• Data security
  NZISM: Access Control
  NZISM: Cryptography
  NZISM: Data Management 

Also refer to Information management guidance and resources — digital.govt.nz — including Common capabilities panel, Government Enterprise Architecture NZ (GEA-NZ) standards, web standards, web services standards, cloud services, and open government.

Legislation on information and privacy

You should also be familiar with the legislation on information and privacy.

• Official Information Act 1982
• Public Records Act 2005
• Privacy Act 2020
• Archives, Culture and Heritage Reform Act 2000

Consider the trade-off between ultimate security and effective operation

Meeting the minimum standards is often not enough, but the cost of ultimate security can be prohibitive. Your information security framework should be pragmatic while still ensuring that your critical risks are adequately addressed. 

For more information email: info@ncsc.govt.nz 

Add to your business continuity and disaster recovery plans

The security requirements you identified during the design phase should also be in your business continuity and disaster recovery plans.

Business continuity management defines the actions to take to continue operating during a significant service interruption, attack or other incident, and then to return to normal operation after the incident.

You will need to develop and regularly test your plans to prepare your organisation for smooth operation during an incident, and ensure that you can resume normal operations as soon as possible after the incident. Your organisation’s resilience depends directly on its ability to confront the hazards and continue to achieve its defined outcomes.

Given the increasing dependence on information systems to deliver your products and services, you need to consider the resilience of the ICT systems that hold and process your critical information. Key metrics for your ICT disaster recovery plans should include:

• recovery point objective (RPO) — how much data might be lost, considering the frequency of backups taken
• recovery time objective (RTO) — the length of time required to recover and restore to normal function after a disaster ends.

For more information go to Business continuity management

Handling protectively-marked information and equipment

All New Zealand Government agencies must design their security measures in line with the New Zealand Government Security Classification System. Refer to: How to protect information for specific required security measures.

This guidance provides a consistent and structured approach to protectively marking and handling official information and material subject to the New Zealand Government Security Classification System.

This guidance provides the procedures for protectively-marked information and material including:

• applying protective markings
• protecting protectively-marked documents and material
• producing and re-producing protectively-marked documents
• removing protectively-marked information and material from agency premises
• transferring protectively-marked information and material
• receiving protectively-marked hard copy information and material
• destroying protectively-marked hardcopy information and material.

Design security measures for your specific scenarios

Incorporate the appropriate security measures for the specific scenarios that you assessed during your risk assessment.

Page last modified: 31/01/2024