1 Introduction

1.1 Purpose
The purpose of these requirements is to:
• provide a common set of definitions and a consistent approach to categorising security
risks and impacts across government
• help agencies to consistently assess business impacts across New Zealand government
• provide a structured approach to determining the impacts of the loss or compromise of
information, people and/or assets
• assist agencies to manage security risks by informing the identification of appropriate
controls and providing assurance when information is shared between agencies.

1.2 Audience
The audience of these requirements is:
• personnel within the New Zealand government responsible for defining the Business
Impact Levels (BILs) relating to the security of government assets, including information
and Information and Communications Technology (ICT) systems
• New Zealand government security management staff
• contractors to the New Zealand government providing security advice and services
• any other body or person responsible for the security of New Zealand government
people, information or assets.

1.3 Scope
The New Zealand government needs standardised and scalable security-focused BILs that can
be associated with assets of different sensitivity and trust levels.
Common definitions will allow agencies to effectively share the implications of particular risks with
their partners.
These requirements relate to protective security measures:
• within New Zealand government facilities
• within other facilities handling New Zealand government information and assets
• where New Zealand government personnel are located.
Where legislative requirements are higher than controls identified in these requirements the
legislative controls take precedence and should be applied.

1.4 Compliance requirements
A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is
mandatory. These are the baseline controls unless the control is demonstrably not relevant to the
respective agency and this can be clearly demonstrated to the agency head or accreditation authority.
A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered
good and recommended practice. Valid reasons for not implementing a control could exist:
1. a control is not relevant because the risk does not exist, or
2. a process or control(s) of equal strength has been substituted.
Agencies must recognise that not using a control without due consideration may increase residual
risk for the agency. This residual risk needs to be agreed and acknowledged by the agency
head. In particular an agency should pose the following questions:
1. Is the agency willing to accept additional risk?
2. Have any implications for All of Government security been considered?
3. If so, what is the justification?
A formal auditable record of this consideration and decision is required as part of the governance
and assurance processes within an agency.
The controls detailed above describe if and when agencies need to consider specific security
measures to comply with the mandatory requirements. The PSR provides agencies with mandatory
and best practice security measures. Also refer to the Strategic Security Objectives, Core Policies,
and the Mandatory Requirements for Agencies.

2 Using Business Impact Levels (BILs)
The BIL scale ranges from 1 (low) to 6 (catastrophic) impacts. Agencies should be able to
articulate the impact resulting from the compromise of confidentiality, loss of integrity or
unavailability of agency assets they hold or generate, including people, information, ICT systems
and assets.
Using a BIL is part of an agency’s risk assessment and should include consultation on the agency
classification policy, which provides a framework that allows agencies to assess the BIL for
compromises of the confidentiality, integrity or availability of individual or aggregated information.
As part of applying the BIL, agencies should identify when impact levels will change due to
changes in an asset's importance or change in circumstance, for example, at the conclusion of a
project.

2.1 Impacts of confidentiality and security classifications
Where a protective marking has been applied to an asset, agencies should refer to the BIL to help
determine the criticality of agency assets. At times there may be a relationship between security
classification of official information and BILs. Refer to figure 1 for more information.
Figure 1 demonstrates possible impact levels in relation to security classifications. A protective
marking alone does not determine the impact level, nor does the impact level alone determine the
protective marking. Agencies should consider all factors when applying a BIL. Refer to Annex A,
the Information Security Management Protocol and the New Zealand Government Security
Classification System.

Figure 1: Likely relationship between protective markings and BILs

Individual document marking        BIL
Unclassified (may not be marked)   1 Low
IN CONFIDENCE                      2 Medium
SENSITIVE or RESTRICTED            3 High
CONFIDENTIAL                       4 Very High
SECRET                             5 Extreme
TOP SECRET                         6 Catastrophic

In addition to considering classifications when assessing impact levels, agencies should also take
into account:
• the impact of aggregated information
• the impact that the loss or compromise of an asset or information would have on the agency
or government.

2.2 Benefit to agency collaboration
BILs will vary greatly between agencies based on their functions and size. Security risks relating
to an asset held by one agency may be assessed with different impact levels than the same type of
asset at a different agency. The same is true for financial implications resulting from a loss of
confidentiality, integrity or availability.
Agencies must consider inter-agency or partner consultation when assessing the BILs of
collaborative work. The ability to share commonly understood terms regarding assessed risk
allows for proper negotiation between agencies over the risk controls or mitigations that should
be employed.

3 Relationship to security risk management
Agencies must ensure the BILs used indicate the true implications of a security risk event for that
agency. BILs provide agencies with a common understanding of the resulting consequences for
national security, the New Zealand government, individuals and organisations, to aid them in
performing effective risk assessments and analysis.