Security and Internal Access Controls

Security controls are specific to the type and sensitivity of information held across the organisation, rather than a ‘one size fits all’ approach.

Regular auditing of systems is undertaken to ensure appropriate access.

Organisation follows industry guidelines and security standards relevant to its business context.

There is a remediation plan for managing and/or replacing legacy systems (where necessary).

Identified risks are proactively managed. For example, by incorporating them into the organisation’s risk and assurance reporting processes to ensure visibility.

Organisational controls (i.e. policies, procedures, and decisions) are regularly reviewed and fit for purpose.

Physical – for example, building access, physical documents, and mobile device protection.

Technical – for example, IT systems and cyber security.

Organisational – for example, policies and procedures, staff behaviour, training, and awareness.

How sensitive is the personal information involved?

What are you using the personal information for?

What security measures are available, and how will using these measures impact on your organisation’s functions?

What might the consequences be for the individual if the information is not kept secure?

Establish email procedures, such as:

• Double-checking the address to ensure it is correct before pressing ‘send’.
• Ensuring the correct attachments are attached.
• When sending mass-emails, double-checking that all email addresses are in the bcc not cc field if it’s not appropriate for recipients to be able to see each other’s email addresses.
• Avoiding long chain emails, as these can increase the risk of unauthorised disclosure if the email recipients change during a lengthy discussion.
• Requiring staff to use delay-send functions to reduce the risk of breaches.

Have a policy on the types of information that staff can send by email.

If sending a large volume of information, or particularly sensitive information, get employees to check if the entire document needs to be sent or if there is a way of extracting only the relevant information intended for the recipient.

Spreadsheets can contain a lot of information. Protect them and other types of attachments using passwords, and check if other personal information is hidden behind spreadsheet document tabs and in pivot tables.

Set a delay send on emails to allow for time to catch mistakes.

Use of Data Loss Prevention tools when appropriate and available to restrict types of files which can be sent or shared.

Disabling ‘auto-fill’ functionality in email address books and require the use of contact lists.

Lock devices, such as laptops, when not using them to prevent inappropriate access or use of your email

Review your organisation’s policy about the types of information that can be stored on a portable device.

Have a comprehensive workplace security policy for bringing your own device.

Have a ‘work from home’ policy in place to set rules and expectations in relation to security.

Use extra security measures for portable devices such as encryption, password locks, and remote wiping.

Delete personal information and other data when it’s no longer needed.

 Protect sensitive documents and information using physical security measures such as locked filing cabinets.

Lock workstations and laptops, even when briefly stepping away.

Ensure papers, computers or other electronic devices aren’t visible in homes, public places or in parked cars.

Collect sensitive documents from printers and photocopiers straight away, so they aren’t lying around.

Only use secure Wi-Fi networks when working with or sending data.

Use secure sites to share information (for example, SharePoint) to avoid emailing unencrypted sensitive information.

Check for sensitive information in email attachments, especially when forwarding them to others.

Use security classifications on documents and ensure staff know what they mean and how to handle the documents to keep them safe.

Ensure that sensitive information cannot be accessed publicly through your website, the internet, or your intranet. If you can access it online without a password, so can others.

Where systems enable it, establish role-based access rules and review these regularly to ensure they’re up to date.

Send data safely, especially in remote access and client/server transmissions.

Store sensitive paper records in locked filing cabinets.

Know who has physical access to sensitive information – for example, secure areas or rooms in your facilities.

Keep a register of where your physical documents are stored.

Ensure you have policies and procedures in place for disposing of information you no longer need.

Establish practices for dealing with multiple copies of information. For example, ensure documents are filed in the correct place and any duplicates are securely disposed of.

Check whether you have obligations under the Public Records Act or other legislation (for example, if your organisation is subject to anti-money laundering law) – ensure you know what these are and have them documented, for example, retention and disposal schedules.

Check whether the IT systems you use, including cloud-based systems, can automate your data retention and disposal rules. This could save you time and reduce your risk.

Destroy or securely delete sensitive information prior to re-use or disposal of equipment or media.

Shred physical records of personal information you no longer need.

Don’t re-use paper files.

If you are disposing of filing cabinets, or other equipment used to store documents, check thoroughly to ensure that no documents have been left in there. For example, remove drawers to check that no documents have slipped behind them.

Carry out regular security checks and audits.

Only click on links or attachments that are known or expected. Run training sessions across the organisation to test this so that everyone knows what to look out for.

Avoid opening files sent via instant messaging software on a device that contains restricted data. These files can bypass anti-virus screening.

Restrict the ability for staff to install software on your organisation’s devices. Only install programmes that have been checked and approved by your organisation’s security and/or IT functions.

Computer operating systems and mobile device apps need to be kept up to date to avoid system vulnerabilities. Patches are regularly issued by Microsoft, Google, Apple and others. Updating your device software protects you from hackers and makes devices more secure.

Use strong passwords – change them regularly and don’t share or reveal them.

Foster and maintain a culture of respect for personal information, and ensure employees understand that accessing information that isn’t necessary for their role is a privacy breach.

Include a policy about employee browsing in the code of conduct with clear consequences for violations of the code and ensure that your contracts of employment or contracts for services requires people to comply with the code of conduct.

Run intranet stories or a poster campaign about employee browsing.

Ensure that staff members are aware of organisational practices around monitoring and auditing of file access.

If an employee deliberately discloses information without permission, disable their access to electronic systems and ensure they return keys and access cards.

Make sure employees understand the importance of protecting personal information when working from home.

Keep a log of user access to systems holding personal information and ensure your information repositories have the appropriate functionality to enable the logging and monitoring of user access, particularly when procuring new technical solutions or updating existing systems.

Regularly review access to systems and facilities and adjust or remove access where appropriate, for example when an employee changes their role or leaves the organisation.

Have different levels of security for types of files, for example, general access and restricted.

Ensure there are systems in place that monitor employee access to files. Where this is not possible, or as in interim measure, you should adopt random monitoring such as spot audits.

If you are developing a new IT system, employ Privacy by Design and Security by Design techniques to reduce future risk.

Use role-based access controls:

• CERT NZ Principle of least privilege(external link).
• CERT NZ Enforcing the principle of least privilege(external link).

Keep files separate on content management systems, put in place access controls, and carry out routine audits.

Ensure no personal information is stored on obsolete databases.

Ensure each database or system has an assigned business owner who actively manages that system’s security, data and retention.

Store sensitive paper records in locked filing cabinets. Lock mobile phones, laptops, and other portable storage devices when not in use.

CERT NZ top online security tips for your business.(external link)

NCSC Joint guidance: Principles for security by design and default.

NCSC UK Cyber Assessment Framework(external link)

Archives NZ Information and Records Management Standard (mandatory standard for public sector organisations)(external link)

Reach High engages an IT security consultancy to conduct an annual security gap assessment and provide an action plan to address any security risks.

As part of the security assessment, the IT security consultancy provides Reach High with an internal IT Security Policy and associated procedures.

Reach High uses only cloud-based systems to store and process its data, including personal information. It selects these systems based on their security credentials, looking to systems that are ISO-270001 certified.

Reach High also uses a separate managed IT services provider to run periodic tests on its systems and settings, and to generally manage day-to-day IT issues and risks.

Reach High has robust third-party contracting processes including notification requirements in the case of a data breach.

Finally, Reach High obtains access to an online security training service, which provides its employees with access to regular short security training modules.