
Released under the Official Information Act 1982
IN CONFIDENCE
Meeting Date: October 2020
Responsible Agency: New Zealand Security and Intelligence Service (NZSIS)
Title of item: Review of the New Zealand Government Classification System (the System)
Background
1. The purpose of the System is to define how government information is classified to ensure it is appropriately protected and meets relevant requirements. Each classification indicates the sensitivity of the information and provides a base set of security measures that protect information against common threats and minimise the risk of compromise.
2. The System applies to all New Zealand government state sector organisations and to the information they use to conduct business, including any information exchanged with external partners and personal information collected from the public.
3. The System is not mandated or required by any statute. It is an administrative act, done within a legal framework that provides public rights of access to official information and emphasises the democratic value of open government. The foundational statute in this framework is the Official Information Act 1982 (OIA).
4. In December 2018, a review was initiated under direction from SIB (the Review) on the back of a report[1] written by the Inspector-General of Intelligence and Security (IGIS), who had undertaken a voluntary review of the System. The IGIS found that the System was not well understood, consistently applied, or well supported by effective systems or processes across wider government. It further found:
- Classifiers need to make inherently difficult judgements about degrees of harm to national interests.
- The distinction between policy/privacy and national security classifications is not widely understood and serves little purpose generally.
- IN CONFIDENCE and CONFIDENTIAL are very often confused and are often notionally assumed to mean the same thing. CONFIDENTIAL has been removed by both the UK and Australia in their recent classification system reform projects. The USA has asked organisations to refrain from its use.
- There is little difference between the handling measures and protections for SENSITIVE and RESTRICTED.
- There is a need for a declassification regime and practices to be introduced. This finding was reinforced by observations by the Operation Burnham Inquiry that classified material complicated and delayed its work and, although information was eventually obtained and approved for release to the public, it remained classified at the source.

[1] A review of the New Zealand Security Classification System Report, Inspector-General of Intelligence and Security, August 2018
5. The System has been unchanged since 2000. The System is nominally owned by the Department of the Prime Minister and Cabinet (DPMC); however, the Director-General of NZSIS has taken the lead on the review of the System. As part of this process, it is proposed to have Cabinet approve the proposed change in the System's ownership to the Director, NZSIS as part of the Government Protective Security Lead (GPSL) role.
The System Review
6. The purpose of the Review was to understand the appetite for change of the System across government, design a more fit-for-purpose System, and assess the impacts of changing the System on government.
7. Following the IGIS review, a Discussion Document was sent to 107 agencies in December 2018. Its purpose was to assess the appetite for change of the System, seek feedback on the IGIS' findings and recommendations, and understand the implications and issues a change to the System would bring. 26 agencies responded with unanimous support for changing the System and confirmation of the IGIS findings. However, there was no consensus on what a simplified System should look like.
8. A Reference Group of 17 agencies was formed and met over the course of 2019 to consider options to simplify the System. Refer to Appendix B: Fit for Purpose Classification System (Draft) for details on the recommended System.
9. In December 2019, a Change Proposal was socialised with the 36 PSR mandated agencies. It outlined the proposed System and two options for change (Option A: Focus Guidance and Education; Option B: Change to the Fit-For Purpose System). It also requested volunteers to participate in the impact assessment process.
10. During the first half of 2020, 21 agencies participated in the impact assessment process to assess the preferences, costs, and benefits of each option.
Key review findings
11. The key findings of the Review were:
- There was unanimous support for changing the System and confirmation of the IGIS findings by all agencies engaged during the Review.
- The System is not being applied correctly or consistently within a significant portion of the agencies interviewed, and many did not use it at all.
- Evidence was found that poor application of the System leads to increased security risks and costs, which are both increasing (globally and in NZ).
- Barriers exist that prevent successful security education within agencies. These need to be addressed whether a change is made to the System or not.
- Respondents indicated that some of the security guidance is not fit for purpose (i.e. for low-side agencies) and some security measures are costly to implement.
- The System underpins all protective security activity and changing it is only part of the answer – it cannot be changed in isolation from other aspects of protective security (e.g. PSR, NZISM).
Investment objectives
12. Any investment in change of the System must achieve the following objectives and benefits:
- Make it easier for government, staff, and suppliers to understand the System and correctly classify information
- Reduce over-classification and make information easier to share
- Improve guidance and education on protecting official government information in all its forms
- Make it easier to understand and apply appropriate security measures to protect information and reduce security risks and incidents
- Reduce costs that result from System complexity, misclassification, and management of security incidents and breaches
- Support the Government's drive towards openness and transparency through regular declassification
- Improve alignment with international partners
- Make it easier and less costly for Government and suppliers to do business securely.
13. A change based on the previous objectives should achieve the following benefits for each organisation and the Government as a whole:
- Reduced risks, costs, and impacts from information security compromises
- Improved information security effectiveness and efficiency, including improved capability maturity, compliance rates with requirements and standards, more secure information sharing, and clarity on methods required for secure use of technology and cloud providers
- Higher confidence and trust in New Zealand's capability to protect information appropriately, including more information transparency and openness and greater compliance with regulatory, legislative, and contractual requirements (e.g. OIA, Privacy).
Options analysis
14. The two options (Option A: Focus Guidance and Education; Option B: Change to the Fit-For Purpose System) were reviewed with agencies and analysed, and the indicative costs and benefits were estimated. Refer to Appendix C: Option A and B Overview for more information.
15. Before assessment of the overall costs, Option B was the preferred option of 20 of the 21 agencies interviewed. One agency had no preference.
16. The cost benefit analysis undertaken is indicative in nature, with a moderate confidence level of 50%. To achieve a greater confidence level, Phase 1 of the proposed work programme will need to be undertaken to fully plan and confirm the business case for the change.
17. The cost benefit analysis assumes implementation across the 37 PSR mandated agencies plus 2 voluntary agencies and models the costs and benefits of doing so over a 21-year investment period.
Option A – Focus, standardise, and centralise Education
18. Option A does not change the System but looks to improve guidance and standardise and centralise security education.
- Although Option A does not change the System, it would simplify the System through the phase-out and retirement of some classification levels over time and would de-emphasise the distinction between Policy and Privacy versus National Security. The education would focus on the remaining core classification levels and provide guidance on how to phase out and handle information still classified at retired levels.
- No agency preferred this option as the final solution. Most agencies interviewed felt that the benefits could not be realised through education without simplifying the System and underlying security measures.
- The analysis assumes that Option A could achieve a 0 to 5% reduction in risk of compromise and a 0 to 5% improvement in protective security effectiveness and efficiency. This translates into 20-year benefits ranging from $59.8M (best case) to nil (worst case).
- Option A analysis indicates an investment required of $12.6M: $0.5M upfront for a 6-month detailed design phase, $3.7M transition over 2 years, and $0.4M per annum ongoing over 20 years.
- At best, Option A has a return on investment within 3 years, or never in the worst case.
- The outcomes from Option A would include:
  a. Achieve economies of scale through a single source of education resources
  b. Overcome security education barriers and constraints
  c. Make protective security more relevant, relatable and easy to use for all staff (including suppliers) – not just security practitioners
  d. Improve adoption, understanding, and correct usage of the System, information handling and secure behaviours (including security risk assessment capability).
Option B – Change to the Fit for Purpose System
19. Option B transitions to the proposed future state System. Refer to Appendix B: Fit for Purpose Classification System (Draft) for details. It also includes revisions to PSR, NZISM, and underlying guidance to align with the changed System and to make the guidance easier to use and adopt. In addition, standardised and centralised education as defined in Option A is also a key component of this option.
- The goals of this option are to address the issues identified by IGIS, improve protective security effectiveness and efficiency and lower the cost of security, reduce information security risks and breaches and their resulting impacts and costs, and better align the System with international partners such as the UK and Australia.
- Based on agencies' assessment, the analysis assumes that Option B could achieve a 10 to 20% (15% midpoint) reduction in risk of compromise and a 10 to 20% (15% midpoint) improvement in protective security effectiveness and efficiency. This translates into 20-year benefits ranging from $352M (best case) to $58M (worst case), with $179M as the most likely case.
- Option B analysis indicates the greatest overall investment, ranging from $28M (best case) to $44.9M (worst case), with $35.4M (most likely case): $2.3M upfront for a 13-month detailed design phase, $24.8M transition phase over 3 years, and $0.4M per annum ongoing over 20 years.
- Option B provides a most likely case return on investment within 6 years and a 20-year NPV of $55M.
- The outcomes of Option B would include:
  a. Act as a catalyst for increased focus on protective security
  b. Improve adoption, understanding, and correct usage of the System, information handling and secure behaviours (including security risk assessment capability).
  c. Introduce mechanisms to address over-classification and ensure that declassification regimes are in place.
  d. Improve protective security effectiveness and efficiency and lower costs of maintaining security measures at fewer classification levels
  e. Greater alignment with the revised classification systems of Australia and the UK
  f. Reduce information security risks and breaches and the resulting impacts and costs
  g. Support government's mandates (e.g. openness and transparency, use of cloud) in a more secure way.
Late introduction of Option C – A phased approach
20. While the Review was underway, COVID19 hit and changed the world we live in. Given that many people do not fully understand how to handle information securely under normal circumstances, and working practices have changed, there are greater risks of information compromise:
- Increased insecure information usage and storage while working from home, video conferencing, and conversations in insecure environments
- Greater international tension
- Increased commercial and IP theft
- Greater cyber exploitation of changed and potentially insecure working practices.
21. In addition, New Zealand's economic climate and government funding priorities have changed.
22. With COVID19, government agencies' attention, focus, and priorities have shifted, highlighting the need for a slower, more phased approach.
23. In the long term, the preferred option of most agencies is to move to the fit-for-purpose System (Option B), but the estimated cost of undertaking this option is high and may not be a priority in the current economic climate.
24. Option C would implement the proposed System gradually over the next eight to ten years, which would:
- Signal the desired future state to all stakeholders
- Enable effective action planning with stakeholders
- Leverage implementation of the System as part of other priority security work programmes, including technology initiatives
- Flatten and reduce the investment burden over time.
Preferred Option
25. Given the current issues and growing risks, the PSR Governance Group recommends going forward with Option C:
- The fit-for-purpose System (Option B) is the long game outcome, with Option A being used as a stepping-stone to get there.
- The path forward needs to cater for the current economic climate and provide a slow but phased, focused, and managed work programme.
- The work programme delivery will require a partnership between the Government Protective Security Lead (GPSL), Government Chief Information Security Officer (GCISO), Government Chief Privacy Officer (GCPO), and Government Chief Digital Officer (GCDO).
- Criteria will be developed at the outset to define and measure the success of the work to be undertaken and to assess the readiness to move forward through future phases.
26. The work programme involves three multi-year phases (refer to Appendix A: Classification System Review Phased Roadmap for the visual A3 view):

Phase 1: Plan and Engage (1 to 2 years)
  a. Create greater security awareness and engagement, especially for agencies who operate in the RESTRICTED and lower classification levels.
  b. Develop and deliver a government-wide stakeholder engagement and communication campaign (agencies, industry, and suppliers) that will be run across all phases of the programme.
  c. Identify and create change champions (up to 6) and help leaders to understand the value of their information and the cost of information compromise.
  d. Develop and deliver guidance and education quick wins that support delivery of priority security work programmes.
  e. Define the requirements for the Phase 2 education programme (e.g. success measures, strategy, approach, modules, roles and responsibilities, mechanisms).
  f. Engage with agencies to develop an informed action plan for how to phase out some classification levels.
  g. Assess readiness for future phases and develop the plan and budget to undertake the next phase.
  h. Develop and approve the business case and roadmap for the rest of the work programme.
Phase 2: Educate (Option A) (2 to 4 years)
  a. Simplify the System through the phase-out of some classification levels and address underlying issues and education barriers.
  b. Build a standardised security education programme and guidance and implement mechanisms for delivery and measuring success.
  c. Roll out the education programme across the 37 PSR mandated agencies. However, the material would be made available and communicated such that non-mandated agencies and private sector organisations could take advantage of it to improve their own security education and overall capability.
  d. Assess and measure the effectiveness and success of the education programme.
  e. Review and refine the fit-for-purpose System design to confirm and ensure that it still meets requirements.
  f. Define the requirements for the transition to the fit-for-purpose System (e.g. finalise changes to the System, policies, controls, ICT, processes, and guidance).
  g. Identify and leverage future ICT and other work programmes to deliver on Phase 3 requirements and thus reduce the overall cost and impact of implementing Phase 3.
  h. Engage widely to define the action plan to move to the revised System and confirm the business case for change. Assess readiness and obtain approvals and funding.
Phase 3: Invest (Option B: Transition to fit-for-purpose System) (3 to 4 years)
  a. Transition the System to the proposed fit-for-purpose System and align security policy, requirements, technology, and controls to the revised System. This includes making necessary changes to PSR, NZISM, and underpinning processes, guidance, and systems.
  b. Refresh the education to reflect the changes to the System.
  c. The aim is to make it easier for agencies and act as a catalyst for increased adoption of and compliance with the System and consistent application of appropriate security measures across Government.
  d. The revised System would be rolled out across the 37 PSR mandated agencies. However, the material would be made available and communicated such that non-mandated agencies and private sector organisations could also take advantage of it to improve their own security education and overall capability.
27. The initial investment required to undertake Phase 1 would be $0.5M and would require the following resources. We are requesting approval to proceed into Phase 1.

Role | Responsibilities | FTE
Project Manager (NEW) | Overall liaison and responsibility for the delivery of outcomes, the plan for the next phase, gauging existing work programmes from leads, and handling the decision-making process | 1
Business Analyst / Consultant 1 (NEW) | A focus on modelling, analysis and requirements | 1
Business Analyst / Consultant 2 (NEW) | A focus on engagement and awareness with agencies, including monitoring and testing in-agency | 1
Resources from up to 6 champion agencies | Analysis, liaison, consultation, testing | 6 x 0.25 = 1.5
Resources from lead agencies | Governance and policy support from the System Leads: GPSL, GCISO, GCPO (possibly with GCDO) | 3 x 0.5 = 1.5
External expertise | Instructional design, education delivery solution exploration, and general consultancy | -
28. Phase 2 and 3 investment requirements will be estimated and planned during Phase 1 as part of the business case and roadmap development.
Proposed next steps
29. GPSL to brief the Minister:
- Draft and socialise a briefing paper for the incoming Minister.
- Meet with the incoming Minister to determine appetite and preferences for moving forward, including the time frame for engaging with Cabinet.
30. Prepare and submit a paper to Cabinet, outlining all options and highlighting SIB's recommended option, along with the proposed change of ownership of the System.
31. If approved to proceed, wide consultation will occur during Phase 1 across all of government and government suppliers.
Recommendations
It is recommended that SIB:

32. Note: SIB initiated this Review based on the IGIS review findings. YES/NO

33. Agree: Ownership of the System change to GPSL. YES/NO

34. Discuss: The following options in the paper, noting that the PSR Governance Group has recommended Option C:
  A) Option A: Focus education and improve guidance on the current System but simplify it through the phase-out and retirement of some existing classification levels
  OR
  B) Option B: Change to the Fit for Purpose System
  OR
  C) Option C: Undertake a phased approach, moving to the fit-for-purpose System over a longer period of time using Option A as a stepping stone to get there (Recommended Option)
  OR
  D) Status quo – no change
  A/B/C/D

35. Note: GPSL will socialise all options with the incoming Minister, and in doing so will convey SIB's preferences. YES/NO

Appendix A: Classification System Review Phased Roadmap
[A3 roadmap diagram not reproduced in this extract.]

Appendix B: Fit for Purpose Classification System (Draft)
[Classification system table not reproduced in this extract; its footnotes follow.]
[1] Placeholder phrase that will be used during initial design until a final term or phrase is agreed for this level.
[2] 'National interest' means a matter that has or could have an impact on New Zealand's defence, security, international relations, law and governance, economic wellbeing, emergency services, and national infrastructure.
[3] National infrastructure refers to the fixed, long-lived structures that facilitate the production of goods and services, including transport, water, energy, social assets, and digital infrastructure such as broadband and mobile networks.
[4] Aggregated data is a collection of information (physical documents or digital collections) that may be more valuable than the single pieces of information it is made up of and may require a higher classification and greater security controls to protect it. A risk assessment of the aggregated information should consider "What could be deduced if the collection were compromised?" When viewed separately, the components of the collection retain their individual classification.
[5] 'New Zealand Government information' is any information created or held by the New Zealand state sector. This includes official information as defined in the Official Information Act and personal information held by the state sector as defined in the Privacy Act. Information exists in many forms (for example, electronic, printed, or spoken) and may reside inside or outside an organisation, including with its providers and clients, and in the cloud.
[6] Endorsement markings warn people that the information has special requirements. Endorsement markings may indicate the specific nature of the information, temporary sensitivities, limitations on availability or releasability, and how recipients should handle the information. Organisations should use endorsement markings when applicable. Note: Additional endorsement markings may be used by an organisation that pertain to specific sensitive information requirements in their industry or domain.

Appendix C: Option A and B Overview
[Option overview table not reproduced in this extract.]