Questions 3 to 9 — information classification

Table 1 lists who is responsible for answering each question.

Context and help for questions 3 to 9

Questions to answer

3. What is the security classification of the information based on the NZ government guidelines for protection of official information?
   
   • Classify information
   • Mandatory requirements — Protective Security Requirements (PSR)
4. Are there any specific concerns related to the confidentiality of the information that will be stored or processed by the public cloud service?
   
   • Classifications — PSR
5. Does the data include any personal information?
   
   • Policy and privacy classifications — PSR
6. Who are the users of the information?
7. What permissions to the information do the users need?
   • For example — do they require permissions to read, write, modify, delete or a combination of these?
8. What legislation applies to the information — for example, the Privacy Act 2020, Official Information Act 1982, Public Records Act 2005 or a combination of these or others?
   
   • New Zealand legislation — Parliamentary Counsel Office
9. What contractual obligations apply to the information?
   • For example — the Payment Card Industry (PCI) Data Security Standard — PCI Security Standards Council

Context and help for questions 3 to 9

The following guidance gives you context and help for answering questions about information classification.

Why government organisations must classify information

If you do not classify data that will be stored, processed and sent in a public cloud service, there may be a mismatch between the information’s classification level and a public cloud service’s:

• security controls
• cost
• availability to help in achieving your organisation’s business objectives.

Work out the classification level for the information

To do a risk assessment, the business owner and stakeholders need to classify the information they’re planning to use with a public cloud service.

Classify information

How to avoid mistakes in classifying information

The business owner leads the classification of the information and should make sure to:

• consult the right stakeholders
• use 2-way communication to learn the details needed for classifying the information.

Setting up a successful risk assessment

Classification levels that can use public cloud services

Government organisations are encouraged, with appropriate security controls, to use public cloud services for information that is:

• unclassified
• in-confidence
• sensitive
• restricted.

Classification levels that cannot use public cloud services

Government organisations, as decided by Cabinet, cannot use public cloud services for information that is:

• confidential
• secret
• top-secret.

Cabinet minutes and papers for public cloud services

Under-classifying information

If you wrongly classify information at a lower level than it is in reality, the public cloud service might:

• not have the needed security controls
• be used insecurely — the proper security controls exists, but you do not set them up because you think the information has less value and risk than it does in reality.

Be careful — confidential, secret and top-secret

If under-classifying information that’s actually confidential, secret or top-secret, you might end up using a public cloud service when it’s inappropriate to do so.

Over-classifying information

If you wrongly classify information at a higher level than it is in reality, the public cloud service might:

• have unnecessary security controls, increasing its cost for no reason
• be rejected.

Be careful — unclassified, in-confidence, sensitive and restricted

If over-classifying information that’s actually unclassified, in-confidence, sensitive or restricted, you might end up turning down public cloud services that could actually help your organisation to achieve its business objectives.