Skip to content.
|Networking government in New Zealand.

Security and integrity risks

The same risks to personnel security, physical security and ICT security exist in foreign jurisdictions as in New Zealand. However, the likelihood of those risks occurring in some places can be significantly higher because of economic, social and legal differences. Furthermore, the ability of a New Zealand government agency to manage those risks or an actual security breach can be frustrated by distance, language, contractual provisions and the absence of legal authority.

Industrial espionage by governments, commercial organisations or political extremists can be commonplace in foreign jurisdictions. These activities can be aimed at gaining advantage over New Zealand trade or the trade of New Zealand's economic partners. Significant financial incentives may be offered in return for compromising New Zealand's services and data. Agencies should also consider the potential for interest in their data from organised crime. In those jurisdictions, New Zealand may have insufficient control, as well as criminal or civil remedies to prevent or penalise such a compromise.

Threats to service integrity and accessibility of information can arise because offshore service delivery may be compromised by events or activities outside the control of the New Zealand government.  This is particularly sensitive when continuous service is required, and could arise from technical failure of the service provider or from some industrial, social, political or physical event in the offshore supplier's country. In those situations, government information including personal information might be compromised or no longer available.

Similar concerns could arise from the application of foreign legislation, which may confer less protection than New Zealand's information and privacy laws. An offshore company will be subject to laws and regulations other than those of New Zealand.

Specific threats to the continuity of services relate to the extension of the supply chain to offshore locations. Offshoring services can introduce support issues because of differing time zones and languages. For example:

  • while an offshoring contract might stipulate 24x7 help desk support, continuity of services in New Zealand business hours might be degraded when key second and third level support staff have, say, 2 hour response times or are only available remotely. Those second and third level support staff might also need to refer to other outsourced or third party staff that are inaccessible during New Zealand business hours.
  • the distances involved introduce additional risks to infrastructure. For example, a government agency offshoring an ICT service significantly increases its risk of telecommunications infrastructure failure because it relies on both domestic and foreign telecommunications infrastructures. This may be exacerbated by the presence of "single points of failure" for which network resilience and redundancy cannot be provided.


These concrete concerns may be accompanied by less tangible concerns around, for example, compliance with the Standards of Integrity and Conduct for the State Services, specifically the requirement that "We must treat information with care and use it only for proper purposes."

Security and other stewardship concerns arise for reasons similar to some of the privacy concerns, i.e. the risk of information being lost, stolen (copied), corrupted, or provided to or compulsorily obtained by a foreign government or non-government (and possibly criminal) organisation. Clearly, copied and corrupted data are hazards wherever the data is held. However, because the loss, theft, or corruption of offshore data may not be immediately obvious to the New Zealand Government, the potential damage from using corrupt data, identity fraud, or other misuse may be exacerbated because of delays in recognising the problem. Delay in being able to deal with problems and implement solutions in foreign jurisdictions is also a potential risk.

Concerns can also arise from the possibility that communicating with an offshore provider can create a risk that software applications or data transmissions could be corrupted or infected with viruses or other malware. The distances involved, time zones and language differences may all mean that threats and events are never identified properly or communicated to the New Zealand government agency. Similarly, the use of offshore facilities may place government data outside the support scope of any potential malware mitigation measures provided by the Centre for Critical Infrastructure Protection (CCIP). Jurisdictional issues may mean that New Zealand government agencies are unable to adequately identify, investigate, mitigate, and prosecute security breaches when they are identified. These risks apply to maintenance, support, and control from offshore even if the data remains in New Zealand.

Existing security classifications of government-held data may need to be reassessed on their possible increased value as an aggregated collection, rather than as individual pieces of information, if the data is to be located or processed offshore. There may also be valuable intellectual property encapsulated in the systems and business processes underlying the ICT functions and data. Cabinet approved a set of Guidelines for the Treatment of Intellectual Property Rights in ICT Contracts that were released in January 2008. The aim of those Guidelines is to make newly developed intellectual property rights more readily available to the New Zealand commercial sector.

As a practical example, while usually thought of as relatively innocuous, if a website is closely linked to an agency network, or it collects sensitive information, tools such as website analytics provided through an offshore server may introduce security risks:

  • Unauthorised access to private or government data by individuals or organisations not subject to New Zealand law.
  • The service provider's computer code or equipment supporting  government websites might introduce security vulnerabilities to the government agency web server or to the visitor's computer.
  • Communications between the client, the web server and the service provider might be intercepted, modified, spoofed or otherwise compromised.

Security and integrity risks

Security General

  • There is a risk of industrial espionage (initiated by government, commercial organisations or political extremists) aimed at gaining advantage over New Zealand trade or the trade of New Zealand's economic partners. Financial incentives in return for compromises of New Zealand services and data in other jurisdictions may have no criminal or civil remedies.
  • Non-compliance with New Zealand government security policy
  • Higher risk because of greater volume of information offshore (the classification of individual documents may not reflect value of a collection of information)
  • Non-compliance with Protective Security Manual (PSM), impact on physical security, difficulties with enforcing physical security
  • Non-compliance with other relevant NZ standards - standards applied may not agree with NZ standards

Confidentiality

  • Theft of hardware
  • Theft of data or loss of data
  • Insertion of backdoors or other extraneous code if software is developed offshore
  • Intelligence gathering - commercial and by government(s), including aggregating New Zealand's Government's information about its citizens with information gathered by other means
  • External threats - war, revolution, civil unrest, terrorist attack

Availability

  • Technical barriers, processes or policy that restrict access to data and services
  • Theft of hardware
  • Theft of data or loss of data
  • Natural hazards such as earthquakes or civil infrastructure breakdowns (power, transport, telecommunications), undersea cables cut

Integrity

  • Corruption of data - stored or in transmission
  • Poor quality control over data input or processing
  • Lack of sustainability of digital information. Digital information needs to be actively managed over time to ensure ongoing accessibility and usability.
  • Interception of communications or loss in transit (electronic, courier, etc)

Example mitigations

 

  • Contract for compliance with New Zealand government security requirements
  • Undertake regular threat assessments
  • Train offshore service providers
  • Regularly audit offshore service providers
  • Establish a formal security governance structure
  • Ensure appropriate security monitoring
  • Ensure security incident management processes are in place at the offshore service provider and the government agency
  • Contract and test for redundancy and business continuity
  • Ensure consideration is given to the potential value of the information, when matched with other sources
  • Establish Government agency business continuity planning in case of offshore service failures
  • Ensure local backup for data and services in case of extended offshore service failures (e.g. natural disaster, war).

 

 

 

 

 

  

 

 

 

Integrity

  • Establish and monitor data quality measures
  • Ensure data quality and sustainability are covered in the contract


[ Previous | Next ]