This is an HTML version of an attachment to the Official Information request 'Classification system review'.

Released under the Official Information Act 1982
 
IN CONFIDENCE

Meeting Date: October 2020
Responsible Agency: New Zealand Security and Intelligence Service (NZSIS)
Title of item: Review of the New Zealand Government Classification System (the System)
 
Background

The purpose of the System is to define how government information is classified so that it is appropriately protected and meets relevant requirements. Each classification indicates the sensitivity of the information and provides a base set of security measures that protect it against common threats and minimise the risk of compromise.

The System applies to all New Zealand government state sector organisations and the information they use to conduct business, including any information exchanged with external partners and personal information collected from the public.

The System is not mandated or required by any statute. It is an administrative act, 
done within a legal framework that provides public rights of access to official 
information and emphasises the democratic value of open government. The 
foundational statute in this framework is the Official Information Act 1982 (OIA). 

In December 2018, a review was initiated under direction from SIB (the Review) on the back of a report [1] written by the Inspector-General of Intelligence and Security (IGIS), who had undertaken a voluntary review of the System. The IGIS found that the System was not well understood, consistently applied, or well supported by effective systems or processes across wider government. It further found:

- Classifiers need to make inherently difficult judgements about degrees of harm to national interests.

- The distinction between policy/privacy and national security classifications is not widely understood and serves little purpose generally.

- IN CONFIDENCE and CONFIDENTIAL are very often confused and are often assumed to mean the same thing. CONFIDENTIAL has been removed by the UK and Australia in their recent classification system reform projects. The U.S.A. has asked organisations to refrain from its use.

- There is little difference between the handling measures and protections for SENSITIVE and RESTRICTED.

- There is a need for a declassification regime and practices to be introduced. This finding was reinforced by observations from the Operation Burnham Inquiry that classified material complicated and delayed its work and that, although information was eventually obtained and approved for release to the public, it remained classified at the source.

[1] A review of the New Zealand Security Classification System Report, Inspector-General of Intelligence and Security, August 2018

The System has been unchanged since 2000. The System is nominally owned by the Department of the Prime Minister and Cabinet (DPMC); however, the Director General of NZSIS has taken the lead on the review of the System. As part of this process, it is proposed to have Cabinet approve the proposed change in the System's ownership to the Director, NZSIS, as part of the Government Protective Security Lead (GPSL) role.

The System Review

The purpose of the Review was to understand the appetite for change of the System 
across government, design a more fit-for-purpose System, and to assess the impacts of 
changing the System on government. 

Following the IGIS review, a Discussion Document was sent to 107 agencies in 
December 2018. Its purpose was to assess the appetite for change of the System, seek 
feedback on the IGIS’ findings and recommendations, and understand the implications 
and issues a change to the system would bring. 26 agencies responded with unanimous 
support for changing the System and confirmation of the IGIS findings. However, 
there was no consensus on what a simplified System should look like. 

A Reference Group of 17 agencies was formed and met over the course of 2019 to consider options to simplify the System. Refer to Appendix B: Fit for Purpose Classification System (Draft) for details on the recommended System.

In December 2019, a Change Proposal was socialised with the 36 PSR mandated agencies, outlining the proposed System and two options for change (Option A: Focus Guidance and Education; Option B: Change to the Fit-For Purpose System). It also requested volunteers to participate in the impact assessment process.

10. During the first half of 2020, 21 agencies participated in the impact assessment process to assess the preferences, costs, and benefits of each option.

Key review findings

11. The key findings of the Review were:


- There was unanimous support for changing the System and confirmation of the IGIS findings by all agencies engaged during the Review.

- The System is not being applied correctly or consistently within a significant portion of the agencies interviewed, and many did not use it at all.

- Evidence was found that poor application of the System leads to increased security risks and costs, which are both increasing (globally and in NZ).

- Barriers exist that prevent successful security education within agencies. These need to be addressed whether a change is made to the System or not.

- Respondents indicated that some of the security guidance is not fit for purpose (i.e. for low-side agencies) and some security measures are costly to implement.

- The System underpins all protective security activity and changing it is only part of the answer; it cannot be changed in isolation from other aspects of protective security (e.g. PSR, NZISM).

Investment objectives

12. Any investment in change of the System must achieve the following objectives and benefits:

- Make it easier for government, staff, and suppliers to understand the System and correctly classify information

- Reduce over-classification and make information easier to share

- Improve guidance and education on protecting official government information in all its forms

- Make it easier to understand and apply appropriate security measures to protect information and reduce security risks and incidents

- Reduce costs that result from System complexity, misclassification, and management of security incidents and breaches

- Support the Government's drive towards openness and transparency through regular declassification

- Improve alignment with international partners

- Make it easier and less costly for Government and suppliers to do business securely.

13. A change based on the previous objectives should achieve the following benefits for each organisation and the Government as a whole:

- Reduced risks, costs, and impacts from information security compromises

- Improved information security effectiveness and efficiency, including improved capability maturity, compliance rates with requirements and standards, more secure information sharing, and clarity on the methods required for secure use of technology and cloud providers

- Higher confidence and trust in New Zealand's capability to protect information appropriately, including more information transparency and openness and greater compliance with regulatory, legislative, and contractual requirements (e.g. OIA, Privacy).

Options analysis

14. The two options (Option A: Focus Guidance and Education; Option B: Change to the Fit-For Purpose System) were reviewed with agencies and analysed, and the indicative costs and benefits were estimated. Refer to Appendix C: Option A and B Overview for more information.

15. Before assessment of the overall costs, Option B was the preferred option of 20 of the 21 agencies interviewed; 1 agency had no preference.

16. The cost benefit analysis undertaken is indicative in nature, with a moderate confidence level of 50%. To achieve a greater confidence level, Phase 1 of the proposed work programme will need to be undertaken to fully plan and confirm the business case for the change.

17. The cost benefit analysis assumes implementation across the 37 PSR mandated agencies plus 2 voluntary agencies and models the costs and benefits of doing so over a 21-year investment period.

Option A – Focus, standardise, and centralise Education

18. Option A does not change the System but looks to improve guidance and standardise and centralise security education.

- Although Option A does not change the System, it would simplify the System through the phase out and retirement of some classification levels over time and would de-emphasise the distinction between Policy and Privacy versus National Security. The education would focus on the remaining core classification levels and provide guidance on how to phase out and handle information still classified at retired levels.

- No agency preferred this option as the final solution. Most agencies interviewed felt that the benefits could not be realised through education without simplifying the System and underlying security measures.

- The analysis assumes that Option A could achieve a 0 to 5% reduction in risk of compromise and a 0 to 5% improvement in protective security effectiveness and efficiency. This translates into 20-year benefits ranging from $59.8M (best case) to nil (worst case).

- Option A analysis indicates an investment required of $12.6M: $0.5M upfront for a 6 month detailed design phase, $3.7M transition over 2 years, and $0.4M per annum ongoing over 20 years.

- At best, Option A has a return on investment within 3 years, or never in the worst case.

- The outcomes from Option A would include:

  - Achieve economies of scale through a single source of education resources
  - Overcome security education barriers and constraints
  - Make protective security more relevant, relatable and easy to use for all staff (including suppliers) – not just security practitioners
  - Improve adoption, understanding, and correct usage of the System, information handling and secure behaviours (including security risk assessment capability).

Option B – Change to the Fit for Purpose System

19. Option B transitions to the proposed future state System. Refer to Appendix B: Fit for Purpose Classification System (Draft) for details. It also includes revisions to PSR, NZISM, and underlying guidance to align to the changed System and to make the guidance easier to use and adopt. In addition, standardised and centralised education as defined in Option A is also a key component within this option.

- The goals of this option are to address the issues identified by IGIS, improve protective security effectiveness and efficiency and lower the cost of security, reduce information security risks and breaches and their resulting impacts and costs, and better align the System with international partners such as the UK and Australia.

- Based on agencies' assessment, the analysis assumes that Option B could achieve a 10 to 20% (15% midpoint) reduction in risk of compromise and a 10 to 20% (15% midpoint) improvement in protective security effectiveness and efficiency. This translates into 20-year benefits ranging from $352M (best case) to $58M (worst case), with $179M (most likely case).

- Option B analysis indicates the greatest overall investment, ranging from $28M (best case) to $44.9M (worst case), with $35.4M (most likely case): $2.3M upfront for a 13 month detailed design phase, $24.8M transition phase over 3 years, and $0.4M per annum ongoing over 20 years.

- Option B provides a most likely case return on investment within 6 years and a 20-year NPV of $55M.

- The outcomes of Option B would include:

  - Act as a catalyst for increased focus on protective security
  - Improve adoption, understanding, and correct usage of the System, information handling and secure behaviours (including security risk assessment capability).
  - Introduce mechanisms to address over-classification and ensure that declassification regimes are in place.
  - Improve protective security effectiveness and efficiency and lower the costs of maintaining security measures at fewer classification levels
  - Greater alignment with the revised classification systems of Australia and the UK
  - Reduce information security risks and breaches and the resulting impacts and costs
  - Support government's mandates (e.g. openness and transparency, use of cloud) in a more secure way.

Late introduction of Option C – A phased approach

20. While the Review was underway, COVID-19 hit and changed the world we live in. Given that many people do not fully understand how to handle information securely under normal circumstances, and working practices have changed, there are greater risks of information compromise:

- Increased insecure information usage and storage while working from home, video conferencing, and conversations in insecure environments

- Greater international tension

- Increased commercial and IP theft

- Greater cyber exploitation of changed and potentially insecure working practices.

21. In addition, New Zealand's economic climate and government funding priorities have changed.

22. With COVID-19, government agencies' attention, focus, and priorities have shifted, highlighting the need for a slower, more phased approach.

23. In the long term, the preferred option by most agencies is to move to the fit-for-purpose System (Option B), but the estimated cost of undertaking this option is high and may not be a priority in the current economic climate.

24. Option C would implement the proposed System gradually over the next eight to ten years, which will:

- Signal the desired future state to all stakeholders

- Enable effective action planning with stakeholders

- Leverage implementation of the System as part of other priority security work programmes, including technology initiatives

- Flatten and reduce the investment burden over time.

Preferred Option

25. Given the current issues and growing risks, the PSR Governance Group recommends going forward with Option C:

- The fit-for-purpose System (Option B) is the long-game outcome, with Option A being used as a stepping-stone to get there.

- The path forward needs to cater for the current economic climate and provide a slow but phased, focused, and managed work programme.

- The work programme delivery will require a partnership between the Government Protective Security Lead (GPSL), Government Chief Information Security Officer (GCISO), Government Chief Privacy Officer (GCPO), and Government Chief Digital Officer (GCDO).

- Criteria will be developed at the outset to define and measure the success of the work to be undertaken and to assess the readiness to move forward through future phases.

26. The work programme involves three multi-year phases (refer to Appendix A: Classification System Review Phased Roadmap for the visual A3 view):
 
Phase 1: Plan and Engage (1 to 2 years)

- Create greater security awareness and engagement, especially for agencies who operate in the RESTRICTED and lower classification levels.

- Develop and deliver a government-wide stakeholder engagement and communication campaign (agencies, industry, and suppliers) that will be run across all phases of the programme.

- Identify and create change champions (up to 6) and help leaders to understand the value of their information and the cost of information compromise.

- Develop and deliver guidance and education quick wins that support delivery of priority security work programmes.

- Define the requirements for the Phase 2 education programme (e.g. success measures, strategy, approach, modules, roles and responsibilities, mechanisms).

- Engage with agencies to develop an informed action plan for how to phase out some classification levels.

- Assess readiness for future phases and develop a plan and budget to undertake the next phase.

- Develop and approve the business case and roadmap for the rest of the work programme.

 
Phase 2: Educate (Option A) (2 to 4 years)

- Simplify the System through the phase out of some classification levels and address underlying issues and education barriers.

- Build a standardised security education programme and guidance and implement mechanisms for delivery and measuring success.

- Roll out the education programme across the 37 PSR mandated agencies. However, the material would be made available and communicated such that non-mandated agencies and private sector organisations could take advantage of it to improve their own security education and overall capability.

- Assess and measure the effectiveness and success of the education programme.

- Review and refine the fit-for-purpose System design to confirm and ensure that it still meets requirements.

- Define the requirements for the transition to the fit-for-purpose System (e.g. finalise changes to the System, policies, controls, ICT, processes, and guidance).

- Identify and leverage future ICT and other work programmes to deliver on Phase 3 requirements and thus reduce the overall cost and impact of implementing Phase 3.

- Engage widely to define the action plan to move to the revised System and confirm the business case for change. Assess readiness and obtain approvals and funding.

 
Phase 3: Invest (Option B: Transition to fit-for-purpose System) (3 to 4 years)

- Transition the System to the proposed fit-for-purpose System and align security policy, requirements, technology, and controls to the revised System. This includes making necessary changes to PSR, NZISM, and underpinning processes, guidance, and systems.

- Refresh the education to reflect the changes to the System.

- The aim is to make it easier for agencies and act as a catalyst for increased adoption of and compliance with the System and consistent application of appropriate security measures across Government.

- The revised System would be rolled out across the 37 PSR mandated agencies. However, the material would be made available and communicated such that non-mandated agencies and private sector organisations could also take advantage of it to improve their own security education and overall capability.

27. The initial investment required to undertake Phase 1 would be $0.5M and would require the following resources. We are requesting approval to proceed into Phase 1.

| Role | Responsibilities | (FTE) |
|---|---|---|
| Project Manager (NEW) | Overall liaison and responsibility for the delivery of outcomes, the plan for the next phase, gauging existing work programmes from leads, and handling the decision-making process | |
| Business Analyst / Consultant 1 (NEW) | A focus on modelling, analysis and requirements | |
| Business Analyst / Consultant 2 (NEW) | A focus on engagement and awareness with agencies, including monitoring and testing in-agency | |
| Resources from up to 6 champion agencies | Analysis, liaison, consultation, testing | 6 x 0.25 = 1.5 |
| Resources from lead agencies | Governance and policy support from the System Leads: GPSL, GCISO, GCPO (possibly with GCDO) | 3 x 0.5 = 1.5 |
| External expertise | Instructional design, education delivery solution exploration, and general consultancy | |

 
28. Phase 2 and 3 investment requirements will be estimated and planned during Phase 1 as part of the business case and roadmap development.

Proposed next steps

29. GPSL to brief the Minister:

- Draft and socialise a briefing paper for the incoming Minister.

- Meet with the incoming Minister to determine appetite and preferences for moving forward, including the time frame for engaging with Cabinet.

30. Prepare and submit a paper to Cabinet, outlining all options and highlighting SIB's recommended option, along with the proposed change of ownership of the System.

31. If approved to proceed, wide consultation will occur during Phase 1 across all of government and government suppliers.

Recommendations

It is recommended that SIB:

32. Note: SIB initiated this Review based on the IGIS review findings. YES/NO

33. Agree: Ownership of the System change to GPSL. YES/NO

34. Discuss: The following options in the paper, noting that the PSR Governance Group has recommended Option C. A/B/C/D

   A) Option A: Focus education and improve guidance on the current System but simplify it through the phase out and retirement of some existing classification levels OR
   B) Option B: Change to the Fit for Purpose System OR
   C) Option C: Undertake a phased approach, moving to the fit-for-purpose System over a longer period of time using Option A as a stepping stone to get there (Recommended Option) OR
   D) Status quo – no change

35. Note: GPSL will socialise all options with the incoming Minister, and in doing so will convey SIB's preferences. YES/NO



Appendix A: Classification System Review Phased Roadmap

[Roadmap diagram (A3 visual) not reproduced in this version.]

Appendix B: Fit for Purpose Classification System (Draft)

[Classification table not reproduced in this version; the table's notes follow.]

Note 1: Placeholder phrase that will be used during initial design until a final term or phrase is agreed for this level.

Note 2: 'National interest' means a matter that has or could have an impact on New Zealand's defence, security, international relations, law and governance, economic wellbeing, emergency services, and national infrastructure.

Note 3: National infrastructure refers to the fixed, long-lived structures that facilitate the production of goods and services, including transport, water, energy, social assets, and digital infrastructure such as broadband and mobile networks.

Note 4: Aggregated data is a collection of information (physical documents or digital collections) that may be more valuable than the single pieces of information it is made up of and may require a higher classification and greater security controls to protect it. A risk assessment of the aggregated information should consider "What could be deduced if the collection were compromised?" When viewed separately, the components of the collection retain their individual classification.

Note 5: 'New Zealand Government information' is any information created or held by the New Zealand state sector. This includes official information as defined in the Official Information Act and personal information held by the state sector as defined in the Privacy Act. Information exists in many forms (for example, electronic, printed, or spoken) and may reside inside or outside an organisation, including with its providers and clients, and in the cloud.

Note 6: Endorsement markings warn people that the information has special requirements. An endorsement marking may indicate the specific nature of the information, temporary sensitivities, limitations on availability or releasability, and how recipients should handle the information. Organisations should use endorsement markings when applicable. Note: Additional endorsement markings may be used by an organisation that pertain to specific sensitive information requirements in their industry or domain.

Appendix C: Option A and B Overview

[Option A and B overview table not reproduced in this version.]