• Table of Contents:
• Title Page
• Chapter 1: Security Policy
• Chapter 2: Security Organisation
• Chapter 3: Information Classification
• Chapter 4: Control of Classified Material
• Chapter 5: Personnel Security
• Chapter 6: Contractors and Other Third-Party Access
• Chapter 7: Physical and Environmental Security
• Chapter 8: Communications and Systems Security Management
• Chapter 9: Control of Access to Information Systems
• Cross-Reference to AS/NZ ISO/IEC 17799:2001
• Glossary of Abbreviations

Chapter 1: Security Policy

Policy Statement

1. The Government requires that information important to its functions, its official resources and its classified equipment is adequately safeguarded to protect the public and national interests and to preserve personal privacy. This policy addresses the protection of the Confidentiality [Confidentiality - information must not be made available or disclosed to unauthorised individuals, entities, or processes.] , Integrity [Integrity - data must not be altered or destroyed in an unauthorised manner, and accuracy and consistency must be preserved regardless of changes.] and Availability [Availability - information must be accessible and useable on demand by authorised entities.] of all official information. Official information includes information that is produced, transmitted, and stored in electronic form. This policy also addresses the classified equipment used to produce, transmit and store official information.

2. Chief Executives and heads of government departments and agencies, State Owned Enterprises and Crown Entities are responsible for implementing and managing effective security arrangements within their organisations. They must create and maintain appropriate security environments to adequately protect official information and classified equipment. The level of protection must correspond to the assessed level of risk.

3. Protective security usually incorporates the following measures:

• personnel security

• physical security

• communications security

• computer security

• technical security.

4. These measures may be expensive to implement and have an impact on the operations of the organisation. However, security decisions are no different from other administrative decisions; they must be formulated on a sound factual, financial, lawful and ethical basis. Most importantly, they must be based on an assessment of risk.

5. The environment conducive to good security is not necessarily secret. In fact, the decision-making process must be as transparent as possible. This will ensure accountability to the New Zealand public.

Security Framework

6. This manual provides general guidance and broad advice on protective security matters. Government organisations responsible for providing security advice may produce their own documentation to supplement this manual.7. An appropriate security environment requires a systematic and co-ordinated approach. An organisation must first identify and assess its risk environment, then develop its security plan. To be effective, planning for the management of security risks should become part of an organisation's culture. Security should be integrated into the organisation's philosophy, practices and plans. It should not be treated as a separate activity. All managers should be encouraged to recognise that risk management and good security practices are a fundamental part of management.

8. While each organisation's security plan will relate directly to its culture, environment, geographic location, function and corporate structure, all government organisations must demonstrate a commitment to the Government's security policy, principles and minimum standards.

9. A security classification system has been developed for official information held by or shared between government organisations. This system ensures that information is protected according to the degree of harm that could result from its unauthorised disclosure. When official information has a security classification, the minimum standards for its handling and protection must be followed. The decision to classify information must be based solely on the guidelines in Chapter 3: Information Classification.

10. To access certain classified information or equipment, a person must receive security clearance from the Chief Executive or head of a government organisation on behalf of the Government as a whole. For the personnel security clearance system to operate efficiently and effectively, the authority granting a security clearance must adhere to minimum standards found in Chapter 5: Personnel Security.

11. Minimum standards also apply to the physical environments that store classified information or equipment. These standards are found in Chapter 7: Physical and Environmental Security.

Risk Management

12. Regardless of an organisation's functions or security concerns, the key messages for managing security risks remain the same:

• security risk management is everyone's business

• risk management, including security risk management, is part of day-to-day business

• the process for managing security risk is logical and systematic, and should become a habit.

13. Part of the organisation's risk management strategy is to decide on how much protection is required. The methodology should be based on the principles of general risk analysis and risk management found in the Australian/New Zealand Standards AS/NZS 4360:1999 - Risk Management and AS/NZS ISO/IEC 17999:2001 -Information Technology Code of Practice for Iinformation Security Management.

14. The New Zealand Security Intelligence Service (NZSIS) has provided more detail about security risk management in the Protective Security Manual.

Business Continuity Management

15. There should be a managed process in place for developing and maintaining business continuity throughout the organisation. This manual discusses only the business continuity related to the security of IT systems.

16. A Business Continuity Plan (BCP) should be developed for each site or system. This will assist in a managed recovery of processing facilities and databases from a major disaster or system failure. The BCP should:

• include measures to identify and manage risks

• limit the consequences when a problem occurs

• ensure that essential operations are quickly resumed.

17. For further guidance on the development of a BCP, see Chapter 9 of NZ Security of Information and Technology Publication (NZSIT) 101.

Responsibility for Security

18. Each government department or agency, State Owned Enterprise or Crown Entity is responsible for its own protective security arrangements. The success of this system depends on:

• effective security arrangements within each organisation

• inter-organisational agreement on security policy and common minimum standards

• access by organisations to security intelligence records and specialist advice on specific security problems.

19. To help organisations meet this responsibility, a number of security agencies and committees decide security policy, provide advice and offer guidance. These agencies and committees analyse policy issues on security matters, generate ideas, achieve consensus and make policy recommendations to Government.

Security Agencies

New Zealand Security Intelligence Service (NZSIS)

www.nzsis.govt.nz

20. The NZSIS establishes personnel and physical security standards for the protection of national security information, as authorised by the NZSIS Act 1969 (including amendments).

21. The NZSIS informs the Government about matters of concern exposed by intelligence-gathering operations.

22. The NZSIS advises government departments and agencies, State Owned Enterprises and Crown Entities on personnel and physical security relating to the protection of national security information.

23. On the request of government organisations, NZSIS vets personnel requiring security clearances for access to classified material.

Government Communications Security Bureau (GCSB)

www.gcsb.govt.nz

24. The GCSB is the national authority for Information Systems Security (INFOSEC). INFOSEC, in the government context, is the protection of official information against unauthorised disclosure, manipulation, destruction or alteration. This embraces Communications Security (COMSEC), Technical Security (TECSEC), and Computer Security (COMPUSEC).

25. GCSB's responsibilities include:

• Promulgating national INFOSEC doctrine and standards for government

• advising government organisations on applying national INFOSEC policy and standards

• providing INFOSEC inspection service for government

• providing an INFOSEC education and training programme for governmnet personnel.

Interdepartmental Security Committees

Officials Committee for Domestic and External Security Co-ordination (ODESC)

26. The Officials Committee for Domestic and External Security Co-ordination (ODESC) is the committee of government officials charged with giving the Prime Minister strategic policy advice on domestic and external security matters. The committee reports to the Prime Minister and is chaired by the Chief Executive of the Department of the Prime Minister and Cabinet, with membership being drawn from Chief Executives of appropriate government agencies.

27. One of the functions of ODESC is to maintain oversight of security within government departments and agencies, including the setting of appropriate security standards.

Interdepartmental Committee on Security (ICS)

28. All government organisations must follow common minimum standards of security so that information can be passed knowing that each party handles it with equal care. The ICS is responsible for formulating and co-ordinating the application of all aspects of security policy and common minimum standards of security and protection. The ICS Terms of Reference are detailed at Annex A to this Chapter.

The Government Communications Security Committee (GCSC)

29. The GCSC is responsible for formulating and reviewing New Zealand's COMSEC doctrine and standards. The core committee membership of the GCSC comes from the GCSB, MFAT, NZDF and NZSIS. Additional representatives may be co-opted from other government departments where necessary. The GCSC Terms of Reference are detailed at Annex B to this Chapter.

The Departmental Committee on Computer Security (DCCS)

30. The DCCS is responsible for formulating national COMPUSEC doctrine and standards for protecting classified official information stored or processed in government or contracted private computer systems. The DCCS is chaired by the GCSB. The core membership of the DCCS comes from the GCSB, MFAT, NZDF, NZSIS, NZ Police, Customs, and the State Services Commission. The DCCS Terms of Reference are detailed at Annex C to this Chapter.

Annex A - Terms of Reference: Interdepartmental Committee on Security

1. The Government requires that official information be given appropriate protection. All Government departments and agencies, State Owned Enterprises and Crown Entities and any other organisations or bodies which receive or hold information that is classified in accordance with the prescriptions in Cabinet Directive CO (01) 10 of 31 July 2001 are to apply common security standards and meet specified personnel requirements to ensure that the information is not improperly disclosed to a person or persons who are not authorised to receive that information.

2. To ensure that the Government's security requirements are met, the Interdepartmental Committee on Security will:

• Provide to Government and other organisations or bodies which receive or hold classified information, detailed advice on the policies and administrative procedures which are necessary to apply in a consistent manner the prescribed system of security classifications and protect classified material from unauthorised disclosure

• Advise the Government, through the ODESC, on those aspects of security policy where it considers action to be required, and at frequent intervals, review and update the manual entitled "Security in the Government Sector", in which the Committee shall prescribe standards necessary to ensure the proper handling of classified material and the application of appropriate personnel security criteria and standards. In doing so the Committee will take account of any changes in the threats to New Zealand interests, and developments or changes in the security standards applied by friendly countries which provide classified or other sensitive information to New Zealand. It shall be responsible for the publication and promulgation to relevant organisations and bodies of agreed amendments to the "Security in the Government Sector" manual.

3. The Committee shall also provide guidance on the use of endorsement marks, which may be used to identify the nature of the information being protected and the security standards required to protect the information.

4. The Committee shall not be responsible for the implementation and maintenance of security standards in Government and other relevant organisations. That shall remain the responsibility of the appropriate Chief Executive or Head.

5. The ICS is a sub-committee of the ODESC. The Chairman of the Committee shall report regularly to the ODESC.

Composition and Servicing of the Committee

6. The composition of the Committee shall be changed only with the approval or direction of the ODESC. It shall meet under the chairmanship of, and be serviced by, the Department of the Prime Minister and Cabinet. Its membership currently includes representatives of the MOD, MFAT, SSC, NZDF, NZ Police, Cabinet Office, NZSIS and GCSB.

Annex B - Terms of Reference: Government Communications Security Committee

1. The Government Communications Security Committee (GCSC) is established as a sub-committee of the Officials Committee for Domestic and External Security Co-ordination (ODESC).

2. The Committee comprises suitably qualified representatives representing MFAT, NZDF and NZSIS and is chaired by the Director, GCSB or his/her representative. The Committee may co-opt additional representatives from other Government organisations where necessary.

3. The GCSC is responsible to the ODESC for formulating and reviewing New Zealand's COMSEC doctrine and standards and for advice on the measures necessary to ensure the effectiveness of COMSEC, including:

• the security of cryptographic systems, principles and procedures

• the physical security of cryptographic materials and equipment

• personnel security standards applicable to cryptographic and allied duties

• emanations security standards

• the COMSEC aspects of practices and procedures used in government communications and information systems generally.

Annex C - Terms of Reference: Departmental Committee on Computer Security

1. The Departmental Committee on Computer Security (DCCS) is established as a sub-committee of the Officials Committee for Domestic and External Security Co-ordination (ODESC).

2. The Committee will comprise suitably qualified representatives of NZSIS, NZDF, NZ Police, MFAT, NZ Customs Service and the SSC and is chaired by the Director, GCSB or his/her representative. The Committee may co-opt additional representatives from other government organisations where necessary.

3. The DCCS is responsible to the ODESC for the co-ordination of governmental input into the formulation of national COMPUSEC doctrine and standards to ensure the protection of classified Government information which is:

• stored and/or processed in government-owned computer systems

• stored and/or processed in government-controlled private sector computer systems

• transmitted through data networks.

4. The DCCS will provide a forum for discussion of other matters of national COMPUSEC as ODESC may direct or members may wish to raise.

5. The Chairman of the DCCS is to provide an annual report to ODESC.

[ Previous | Next ]