Information Security

New Zealanders need to have trust and confidence in the way their information is being managed and used by government agencies.

The government takes all aspects of privacy and security very seriously. In this section agencies will find guidance and resources to build their capability in managing privacy and security.

Access to capability

The GCIO has established an ICT common capabilities panel for security and related services to help government agencies to continually improve their practices.

Managing Risks

A generic security risk assessment process has been developed: Risk Assessment Process: Information Security [295 kb PDF]. Adherence to this document is not mandatory; however, you are required to have a robust risk assessment process, and this document may be of assistance. Agencies are free to use their own established risk assessment processes instead if preferred.

Attachments

Risk Assessment Process: Information Security [295 kb PDF]

Risk Assessment: Template [270 kb DOCX]

Cloud computing

If an agency is considering a cloud computing initiative, it is expected to follow the Cloud Service Requirements (Word 115KB), which includes informing the GCIO. This document summarises the process and links to easy-to-use resources that assist agencies to comply with the Cloud Computing: Information Privacy and Security Considerations (pdf 196KB). More information is found on the Requirements for Cloud Computing pages.

Other security guidance

The Protective Security Requirements (PSR) outlines the Government’s expectations for managing personnel, physical and information security. The PSR helps agencies manage business risks and assure continuity of service delivery, setting out what agencies must and should consider to ensure they are managing security risks effectively. It consolidates a number of government security policies:

  • The Department of Prime Minister and Cabinet directive on Security in the Government Sector (SIGS), which included detailed guidance about classification of data.
  • The NZSIS ‘Protective Security Manual’, which detailed government security policy and practices.

The Government Communications Security Bureau ‘New Zealand Information Security Manual’ (NZISM), which details processes and controls for the protection of all New Zealand Government information systems.

The Office of the Privacy Commissioner has guidelines on how to comply with the Privacy Act.

The Government Enterprise Architecture for New Zealand (GEA-NZ) version 3 includes guidance on the NZ Government information security and privacy ecosystem, as well as associated taxonomy components. In 2015, it will also include suitable reference architecture patterns for agencies' use.

Trusted Computing & Digital Rights Management

In 2006, a cross-government working group issued a paper about principles and policies agencies should apply when considering use of digital rights management technologies - so that the integrity of government-held information is preserved. Archives New Zealand is the current custodian of this area of advice.

Trust and Security on the Internet

Trust and Security on the Internet was a State Services Commission report that assessed some of the key threats on the Internet as they relate to online government services. This paper from November 2004 signalled the advice to agencies that would be developed in subsequent years.

Page last updated: 14/02/2017