Your browser currently has JavaScript turned off, which means that Digital.govt.nz might not display properly on your device. It’s easy to turn JavaScript on - find out how to enable JavaScript in your browser.

Establish a risk profile

Risk profiles should inform design requirements.

What you need to know

Align your risk management efforts around the impact of a risk, rather than the likelihood of it happening.
Assess and categorise the risks for every website, existing and planned.
Create and record a site risk profile – high or moderate sites require more extensive security requirements and testing procedures than low risk sites.

Proactive protection

Websites and services need to be proactively protected.

You should assume that any sites or service are regularly scanned for vulnerabilities by those looking to exploit them.

Because of this high level of threat activity on the internet, and because it is difficult to assign precise risk levels for every individual type of threat, you should align your risk management efforts around the impact of a risk, rather than its perceived likelihood.

In most cases, likelihood of internet threats can be treated as high or very high.

Common online threats

Common threats include:

data and information theft: data and information can be stolen, and sometimes publicised. This data and information can range from user’s email addresses and passwords, to protected government or public material or users’ private information. This can include identity theft
defacement: sites can be defaced, often with objectionable or political content
take-down: a site is slowed or stopped, as in ‘denial of service’ attacks
drive-by attacks: malware is implanted in insecure sites, which are then used to attack site visitors for the purposes of growing botnets or stealing user data such as credit card numbers from site visitors.

More information is available from the Australian Attorney General's office:

Policy amendment – Safeguarding information from cyber threats | Protective Security Policy Framework

Do a risk impact assessment

You need to assess and categorise the risks according to the severity of the impact of a security or privacy breach.

Use a standard process to assess breach impact.

Example assessment

The business team convenes a group of people who are knowledgeable about the site’s content and organisational risk. The group includes the business owner, web or IT adviser, the project lead (where the work is part of a web project) and the Privacy Officer (where personal information is included).
The assessment team:
1. classifies site information according to government security classifications, including endorsements
2. establishes whether the site holds personal information, as defined by the Privacy Act
3. establishes whether the site holds any unpublished and protected information. This may include business rules embedded in a web application, or API keys enabling access to a service, for example
4. considers the likely impact of a security breach using the agency’s risk assessment framework. The aim is to establish the likely consequences of information theft, or the defacement, corruption or permanent loss of the site and its content. The impact of the breach of personal information on the individuals affected should also be considered.

Guidance from the Government Chief Digital Officer (GCDO) on the risk assessment process:

Risk assessments for government organisations

Assign a risk profile

After analysis you can create a site risk profile, taking into account what risks your agency deems acceptable.

You should assign a risk profile of high or moderate to websites that meet one or more of the following criteria, and seek further advice:

the website stores users’ personal information beyond contact details for the purpose of notifying updates
the website content carries unpublished protected information
the site provides high-stakes information or services such as emergency management information or important health and safety information
an agency chooses to elevate the risk profile for a site for other reasons (for example, high public profile, high traffic, or the possibility of attracting ‘hacktivist’ interest).

Security requirements and testing procedures should be more extensive for sites with a high or moderate risk profile.

Designing for security and privacy

A risk profile of ‘low’ can be assigned to sites which:

are informational, and do not provide ‘high stakes’ information
limit the collection and storage of user information to basic contact details, such as for the purpose of notifying updates.

JavaScript is currently turned off in your browser — this means you cannot submit the feedback form. It’s easy to turn on JavaScript — Learn how to turn on JavaScript in your web browser.

If you’re unable to turn on JavaScript — email your feedback to info@digital.govt.nz.

Was this page helpful?

Yes No Partly

Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

What did you come here to do?

How can we improve this information?

Last updated 21 March 2024