Information classification quick reference

This page provides the quick reference which supports the Information Classification section of the Security and privacy guidance.

Quick reference guide for website owners and managers

This quick reference guide provides an overview of the relevance of information classification to the public web. It is intended to help web teams and managers be aware of risks and stay within the constraints of Security in the Government Sector and the NZ Information Security Manual. If your processes don't fit in this quick reference, you should validate them with your IT Security Manager and/or Chief Information Security Officer.

All government-held information should have a protective marking or classification to ensure it is treated appropriately.

Security Classifications – National Security: Top Secret: Compromise would damage national interests in an exceptionally grave manner.
Access: Authorised personnel
Security Classifications – Policy: --
Online storage accessible from the internet: Not connected to public internet
Access and transmission via the internet (email and web): Not connected to public internet

Security Classifications – National Security: Secret: Compromise would damage national interests in a serious manner.
Access: Authorised personnel
Security Classifications – Policy: --
Online storage accessible from the internet: Not connected to public internet
Access and transmission via the internet (email and web): Not connected to public internet

Security Classifications – National Security: Confidential: Compromise would damage national interests in a significant manner.
Access: Authorised personnel
Security Classifications – Policy: Sensitive: Compromise would

  • damage the interests of New Zealand
  • endanger the safety of its citizens.

Access: Authorised personnel
Online storage accessible from the internet: Not stored on systems accessible from the public internet. Systems certified and accredited in accordance with risk profile.
Access and transmission via the internet (email and web): Not transmitted via email. GCSB-approved encrypted access. RealMe login authentication.

Security Classifications – National Security: --
Security Classifications – Policy: In Confidence: Compromise would

  • prejudice the maintenance of law and order
  • impede the effective conduct of government in New Zealand
  • adversely affect the privacy of its citizens.

Access: Need to know
Online storage accessible from the internet: Personal information is ONLY stored on web server with user’s informed consent. Systems certified and accredited in accordance with risk profile.
Note: Aggregation Effect: Systems handling large volumes of In Confidence data may need to be classified as Sensitive overall.
Access and transmission via the internet (email and web): SEEMail, or password-protected attachment. Encrypted access. RealMe login authentication.

Security Classifications – National Security: --
Security Classifications – Policy: Unclassified: No reason exists to apply a particular classification.
Online storage accessible from the internet: As required by normal business need. Systems certified and accredited in accordance with risk profile.
Access and transmission via the internet (email and web): As required by normal business need.