Information, data and analytics strategy

Protect

People trust that the information they share with us will be safely managed and carefully protected

Protecting data and information refers to keeping it safe from inappropriate access and misuse while still making it available to those who need it to deliver services.

Protecting information is important because…

If people are going to entrust their information to us, they need to know that we will keep it safe. Many of the ways we want to work in the future depend on clients consenting to new and different information uses. For them to do so, they need to trust that we will protect it; in doing so we are demonstrating mana manaaki.

There have been a number of serious breaches of security across Government, including at MSD, that have resulted in ongoing high expectations of the security environment for government agencies. This has led to centrally mandated obligations for agencies, and to regular assessment and reporting against those obligations. MSD has reported increasing compliance and maturity against these measures, but further maturing of our security environment is desired. Our current levels of compliance and maturity are heavily reliant on manual or inefficient measures that are assessed retrospectively. These should be modernised with more automated methods that are proactive and forward looking.

Moving from:

  • Controls to protect information do not always operate effectively and impact negatively on user experience. We do not take a risk / value-based approach to protecting information.
  • We have a dependency on our network perimeter as a hard boundary to protect our systems and information with few effective security controls inside our networks.
  • Identity is inconsistently verified across our applications and systems. Access to our network implies authorisation and assumes identity has been verified.

To:

  • We protect information according to its value and risk; security and privacy controls are right sized, easily scalable and embedded in the design of a system or process.
  • We protect our information wherever it is, relying on identity defined boundaries that enable the right information to be presented at the right time to the right people.
  • Information is classified and tagged across all our systems with automated management of access, retention and disposal based on this.

When this is working well:

We know what information we hold and we protect it according to its value and risk through a range of proactive and flexible measures. Where information is highly sensitive, we ensure it is highly protected (protection outweighs availability). But where information is lower sensitivity, or the value of opening up protections is high, we can scale our protections to ensure maximum value can be leveraged. From our roadmap, Identity and Access Management, Metadata Management, Master Data Management and Data & Information Governance will deliver this.

Identity-centric security controls the availability of data and information regardless of whether it is inside or outside the organisation. Identity-centric security also enables traceability of data and information, where we know who owns, accesses, modifies, views and uses data. From our roadmap, Identity and Access Management will deliver this. The Technology Strategy and Roadmap also sets out a range of initiatives to move away from a traditional on-premise network-based environment to a zero-trust cloud-based environment.

Classification of information and the automated management of its retention and disposal will be enabled by Information and Data Lifecycle Management and Metadata Management, which captures the contextual data required during the consent process to manage data appropriately. From our roadmap, Information Maturity (Enterprise Content Management) will deliver this for corporate information.

Protection will be built into the design of our systems, through patterns and automation where possible, and ongoing monitoring will provide assurance that protections remain fit for purpose. Further maturity in the application of our Service Design Principles, the move to cloud-based systems as outlined in the Technology Strategy and Roadmap, and delivery of the foundational capabilities outlined in the security roadmap will enable this.
