Managing information prior to release in a digital environment
Understand how to protect your information until it's ready for publishing.
There are 2 important aspects you need to consider when preparing information before it's officially published.
1. Do an assessment of your content
Understand the information you need to protect, its value to your organisation and the impact of loss or compromise.
Assess the risks to your content to determine the sensitivity and classification level.
It’s important to do this because the controls required to prevent unauthorised access to your content are dependent on the classification of the information. The risk assessment will identify the controls needed to keep your information safe.
Who you could talk to
- Chief Information Security Officer
- Chief Privacy Officer
2. Separate your content prior to release to control access to it
The classification of content before it's published will be higher than when it's published. This means that the identified security controls must be sufficient to protect the highest identified classification level of your content.
An important consideration is whether your information needs to be prepared in a publishing environment that is separate from your production environment (your current live website), so that it cannot be released inadvertently.
This would mean setting up a copy of your website where you can safely prepare and test your content.
Up to — and including — SENSITIVE content
If your content is classified SENSITIVE or lower, the minimum separation would be software-controlled publishing.
This means the content is loaded into the content management system (CMS) of your public-facing website and held in draft until ready for publishing.
RESTRICTED — and above — content
If your content is classified RESTRICTED or higher, then a higher level of separation for staging (preparing) your content is recommended.
Avoid using the CMS of your public-facing website (your production environment). Prepare the content in a separate testing environment.
To avoid inadvertently exposing information prior to release, these environments must not be able to communicate with each other.
When setting up multiple environments, it’s recommended that you:
- separately configure your production and testing environments
- automate the setup of your production and testing environments (this avoids human error in the configuration of environments)
- only give approved individuals access to the environments the content is staged (prepared) on
- disable caching and search in the test environment.
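As an added example (not part of this guidance), the Python check below audits captured HTTP responses from a staging site for the last two recommendations: an unauthenticated request is refused, caching is disabled, and search indexing is disabled. The Response class and the two sample captures are constructed for the example.

```python
"""Audit captured HTTP responses from a staging (test) environment for the
controls recommended above: access limited to approved people, caching
disabled and search indexing disabled. All input here is constructed."""
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)  # matched case-insensitively
    body: str = ""


def _header(resp: Response, name: str) -> str:
    """Return the named header's value lower-cased, or '' if absent."""
    for key, value in resp.headers.items():
        if key.lower() == name.lower():
            return value.lower()
    return ""


def audit_staging(anon: Response, robots: Response) -> list:
    """Return a list of findings; an empty list means every check passed.
    anon   - response to an unauthenticated GET of the staging home page
    robots - response to GET /robots.txt on the staging host"""
    findings = []
    # Only approved individuals may reach staged content: an anonymous
    # request must be refused or redirected to a login page, never served.
    if anon.status == 200:
        findings.append("unauthenticated request was served content")
    # Caching disabled: no cache may keep a copy of draft pages.
    cache = _header(anon, "cache-control")
    if "no-store" not in cache:
        findings.append("cache-control lacks no-store")
    if "public" in cache:
        findings.append("cache-control allows public caching")
    # Search disabled: mark responses non-indexable and disallow all crawling.
    if "noindex" not in _header(anon, "x-robots-tag"):
        findings.append("x-robots-tag lacks noindex")
    rules = [line.strip().lower() for line in robots.body.splitlines()]
    if robots.status != 200 or "disallow: /" not in rules:
        findings.append("robots.txt does not disallow all crawling")
    return findings


# Constructed sample captures (not taken from any real site).
LEAKY_STAGING = (Response(200, {"Cache-Control": "public, max-age=3600"},
                          "<html>draft page</html>"),
                 Response(404))
HARDENED_STAGING = (Response(401, {"Cache-Control": "no-store, private",
                                   "X-Robots-Tag": "noindex, nofollow",
                                   "WWW-Authenticate": 'Basic realm="staging"'}),
                    Response(200, {}, "User-agent: *\nDisallow: /\n"))
```

Running `audit_staging(*LEAKY_STAGING)` lists every control the leaky setup is missing, while the hardened capture returns no findings.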
Who you could talk to
- Your development team
- Your vendor
Government expectations of agencies
The government has expectations about the security of information held on agency websites. These expectations are set out in the Protective Security Requirements (PSR) and the New Zealand Information Security Manual (NZISM).
These are the relevant areas of the PSR that deal with information prior to release:
Mandatory Protective Security Requirements
The NZISM specifies mandatory baseline controls for NZ Government agencies, based on the classification of your information, and a series of additional controls to treat your identified risks:
NZISM related chapters
Information security incident reporting obligations
The NZISM states that agencies MUST report significant information security incidents to the National Cyber Security Centre (NCSC) (7.2.14).
Non-significant information security incidents SHOULD be reported to the NCSC (7.2.15).