Security and privacy governance

Action points

  • Agencies must have appropriate protective security governance arrangements in place (as required in the NZ Protective Security Requirements).
  • Ensure your websites have a clearly identified business owner, who is a senior manager, and a clearly defined manager and administrators.
  • Ensure you have adequate documentation for online systems and management procedures.
  • Raise any concerns with your Chief Information Security Officer.
  • Discuss this guidance with your IT Security Manager/s.


Roles and responsibilities

In accordance with with the Protective Security Requirements, agencies are mandated to appoint "a member of senior management as the Chief Security Officer (CSO), responsible for the agency protective security policy and oversight of protective security practices".

Senior management responsibilities

In addition to the provisions of the Protective Security Requirements, Chapter 3 of the New Zealand Information Security Manual (NZISM) identifies three key roles in information security governance in government.

These people are responsible for establishing each agency’s specific security policies and practice, and supporting owners and managers of websites or services. They are:

  • the Chief Executive (CE). “The agency head endorses and is accountable for information security within their agency.” "The agency head MUST provide support for the development, implementation and ongoing maintenance of information security processes within their agency." (NZISM p33-34)
  • the Chief Information Security Officer (CISO). “The Chief Information Security Officer (CISO) sets the strategic direction for information security within their agency.” "The CISO within an agency is responsible predominately for facilitating communications between security personnel, ICT personnel and business personnel to ensure alignment of business and security objectives within the agency. The CISO is also responsible for providing strategic level guidance for the agency security programme and ensuring compliance with national policy, standards, regulations and legislation." (NZISM p35-36)
  • IT Security Managers (ITSMs) “Information Technology Security Managers (ITSM) provide information security leadership and management within their agency.” "ITSMs are executives within an agency that act as a conduit between the strategic directions provided by the CISO and the technical efforts of systems administrators. The main area of responsibility of an ITSM is that of the administrative and process controls relating to information security within the agency.” (NZISM p41)

The responsibilities of system owners and users

The NZISM also defines responsibilities for owners, managers and administrators of government agency websites or services as follows:

  • System owners are senior managers responsible for the operation of an online system, which they may delegate to a system manager. This includes oversight of the system’s day-to-day operation, its certification and accreditation, and ensuring that adequate documentation is in place for systems and management procedures. Agencies should have clearly identified owners and managers for each of their websites.
  • System users are required to comply with their department’s security and privacy policies and requirements.

Responsibilities for maintaining the privacy of personal information

Ultimate accountability regarding privacy of information lies with the Chief Executive. However, in practice system owners, managers and users are responsible for ensuring that personal information is managed according to the Information Privacy Principles.

The Office of the Privacy Commissioner's website describes the function of an agency’s Privacy Officer as being to provide advice and guidance, ensure staff are adequately trained, provide leadership on privacy practices within agencies, and liaise with the Privacy Commissioner where necessary.

When you should seek further advice

  • If you do not have clear support from, and liaison with, each of these governance roles and a clear understanding of your own responsibilities for information security and privacy, you may not be able to gain adequate assurance that your websites and services are adequately secured and fit-for-purpose.
  • You should raise any concerns with your CISO. The CISO is responsible for ensuring that agency business and security practices are in alignment.
  • You should discuss this guidance with your ITSM (or his or her delegates), and your Privacy Officer if your sites collect any personally identifying information, including contact details.
  • If you have any governance responsibilities you should also be familiar with the New Zealand Cyber Security Strategy.