
Protective Security Requirements: Information Security

In this series of posts, FIRST Security’s Chief Operating Officer Steve Sullivan looks at the New Zealand Government’s Protective Security Requirements (PSR). Although originally designed for government, the PSR is just as relevant for the private sector.

In my previous PSR post, we looked at the mandatory requirements for the Security Governance (GOVSEC) domain of the Protective Security Requirements. In contrast to the eight mandatory requirements of that domain, the information security domain contains just four.

Before going any further, it’s important that we clarify just what ‘information’ means in the context of information security. Here the PSR instructs us to think of information “in the broadest sense, not just in terms of information technology.” Information can appear in many forms (including electronic, printed, and spoken), and it could reside inside or outside your organisation.

Your information – in all its forms – needs to be appropriately protected. Information stored and processed on IT systems or mobile devices is vulnerable to cyber-specific threats, whereas printed information may be vulnerable to potential physical breach.

INFOSEC1 - Understand what you need to protect

Identify the information and ICT systems that your organisation manages. Assess the security risks (threats and vulnerabilities) and the business impact of any security breaches.

According to the New Zealand Information Security Manual (NZISM), Security Risk Management Plans (SRMP) identify security risks and appropriate treatment measures for systems.

Using a risk-based approach that applies sound risk management will best allow you to tailor an information security framework to your organisation’s operating context and the threats it may face.

As part of a risk-based approach, it is important to understand that not all information should be treated equally. Some information is more valuable or sensitive, requiring a greater level of protection. “You must understand the value, importance, and sensitivity of your information,” states the PSR guidance. “This will determine the minimum requirements you need to protect it from harm.”

The Business Impact Levels (BILs) are referred to throughout the PSR as an element of its risk-based approach. BILs are a tool that can be used to assess the value of your information and the potential impact if your information is compromised. “Along with assessing event likelihood, threats, and vulnerabilities, BILs should inform a robust risk assessment.”


INFOSEC2 - Design your information security

Consider information security early in the process of planning, selection, and design.

Design security measures that address the risks your organisation faces and are consistent with your risk appetite. Your security measures must be in line with:

  • the New Zealand Government Security Classification System
  • the New Zealand Information Security Manual
  • any privacy, legal, and regulatory obligations that you operate under.

Adopt an information security management framework that is appropriate to your risks.

There’s quite a bit to take in with this requirement, but two key elements of it are the concept of ‘security by design’ and the value of the NZISM as a source of guidance on security measures.

The logic of ‘security by design’ is simple: if you build security into the design of a system from the ground up, you are not only more likely to achieve a more secure result, but that security is achieved far less expensively than adding it on after the design phase.

In terms of adopting an information security management framework that is appropriate to your risks, the NZISM states that your organisation “should establish a framework to direct and coordinate the management of your information security,” and that the framework must:

  • be appropriate to the level of security risk in your information environment
  • be consistent with your business needs and legal obligations
  • integrate with any other frameworks governing your organisation’s security.

According to the NZISM, your framework should also cover how you’ll ensure that your organisation:

  • understands and follows security policies and processes
  • is alerted to changes to systems, risks, or standards
  • marks, accesses, and declassifies protected information correctly
  • manages and controls access to information.


INFOSEC3 - Validate your security measures

Confirm that your information security measures have been correctly implemented and are fit for purpose.

Complete the certification and accreditation process to ensure your ICT systems have approval to operate.

Certification and accreditation are two distinct and critical parts of the process, and they are explained in some detail in the NZISM.

Certification is based on a comprehensive evaluation or systems audit, and, according to the NZISM, “is an assertion that an ICT system complies with the minimum standards and controls described in the NZISM, any relevant legislation and regulation and other relevant standards.” Accreditation is the formal authority to operate a system, including evidence that governance requirements have been addressed and risk management requirements have been fulfilled.


INFOSEC4 - Keep your security up to date

Ensure that your information security remains fit for purpose by:

  • monitoring for security events and responding to them
  • keeping up to date with evolving threats and vulnerabilities
  • maintaining appropriate access to your information.

With INFOSEC4 we complete the information security risk management loop. Chapters 6 and 7 of the NZISM deal with monitoring and incidents respectively, and I suggest that you read these carefully. Needless to say, the information security requirements in this regard in many ways reflect the monitoring, response and review requirements found in the physical security space. Prevent if possible; detect early; and respond quickly.


Coming up...

In my next PSR post, we’ll take a deeper dive into the information security domain. If you’d like to have a discussion about how we might be able to assist you in your protective security planning, feel free to contact me at steven.sullivan@firstsecurity.co.nz

ABOUT THE AUTHOR: Steve Sullivan is a highly experienced security and business operations leader with 30 years’ experience in the security industry. Prior to joining FIRST Security as its Chief Operations Officer, Steve was General Manager – Regional Operations for Wilson Security, based in Melbourne. His career has focussed on leading highly-respected security organisations to improved services, unparalleled customer service and success.