Skip to main content

Managing information prior to release in a digital environment

Understand how to protect your information until it's ready for publishing.


There are 2 important aspects you need to consider when preparing information before it's officially published.

1. Do an assessment of your content

Understand the information you need to protect, its value to your organisation and the impact of loss or compromise.

Assess the risks to your content to determine the sensitivity and classification level.

Classify information

It’s important to do this because the controls required to prevent unauthorised access to your content are dependent on the classification of the information. The risk assessment will identify the controls needed to keep your information safe.

Who you could talk to

  • Chief Information Security Officer
  • Chief Privacy Officer

2. Separate your content prior to release to control access to it

The classification of content before it's published will be higher than when it's published. This means that the identified security controls must be sufficient to protect the highest identified classification level of your content.

An important consideration should be whether your information needs to be prepared in a different publishing environment to your production environment (your current live website) to prevent it from being released inadvertently.

This would mean setting up a copy of your website where you can safely prepare and test your content.

Up to — and including — SENSITIVE content

If your content is classified SENSITIVE or lower, the minimum separation would be software-controlled publishing.

This means the content is loaded into the content management system (CMS) of your public-facing website and held in draft until ready for publishing.

RESTRICTED —and above — content

If your content is classified RESTRICTED or higher, then a higher level of separation for staging (preparing) your content is recommended.

Avoid using the CMS of your public-facing website (your production environment). Prepare the content in a separate testing environment. 

To avoid inadvertently exposing information prior to release, these environments must not be able to communicate with each other.

When setting up multiple environments, it’s recommended that you:

  • separately configure your production and testing environments
  • automate the setup of your production and testing environments (this avoids human error in the configuration of environments)
  • only give approved individuals access to the environments the content is staged (prepared) on
  • disable caching and search in the test environment.

Who you could talk to

  • Your development team
  • Your vendor

Government expectations of agencies

The government has expectations about the security of information held on agency websites. These expectations are set out in the Protective Security Requirements (PSR) and the New Zealand Information Security Manual (NZISM)

These are the relevant areas of the PSR that deal with information prior to release:

Mandatory Protective Security Requirements

The NZISM specifies mandatory baseline controls for NZ Government agencies, based on the classification of your information, and  a series of additional controls to treat your identified risks:

NZISM related chapters

Information security incident reporting obligations

The NZISM states that agencies MUST report significant information security incidents to the National Cyber Security Centre (NCSC) (7.2.14).

Non-significant information security incidents SHOULD be reported to the NCSC (7.2.15).

Contact the NCSC

Phone: 04 498 7654
Website: National Cyber Security Centre

More information

Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated