Security

A secure government digital product with regular recertification, testing and strict controls.

Business Connect has passed three MBIE system security certification checks since its launch in November 2019. Its certificate was most recently renewed in January 2024.

Business Connect is certified to hold Sensitive information.

The System Security Certificate provides the details you need to verify and accredit Business Connect for use. The certificate is available on request.


We secure the product in a few ways

To provide a secure platform, Business Connect restricts access by:

  • using the latest secure sockets layer (SSL) and transport layer security (TLS) standards
  • using multi-factor authentication for the production environment of the back-end admin portal
  • doing regular security patching and periodic penetration testing
  • aligning with the Control Validation Plan and approval defined by MBIE.

To verify end users’ data and identity, Business Connect:

  • integrates with the individual’s RealMe Login accounts and verifies the user by email
  • requires users to declare that data they have entered is true and correct, when they submit an application to an organisation via Business Connect.

To protect business data and information housed in Business Connect:

  • data is used only to the extent necessary to provide the services
  • technical and other reasonable safeguards are maintained, including suitable virus protection, to protect data from destruction, unauthorised access, misuse or disclosure
  • relevant data protection laws are followed
  • the security requirements in the New Zealand Information Security Manual (NZISM) are followed
  • privacy breaches will be reported and managed as soon as we learn about them.

You still need to do several things

You still need to take extra steps to check the identity of the applicant or business, if your organisation requires you to.

Business Connect has already obtained a system security certificate which can help with your internal security risk assessment.

Assurance processes have specifically identified the following considerations for councils and agencies:

  • Carry out your own risk assessment on information security, as with other technology that multiple agencies use to support business outcomes. Base your assessment on your own business context, risk appetite, and handling of personally identifiable information (PII) stored within Business Connect.
  • Determine, implement, and validate your requirements, so you can manage staff access appropriately. Ensure that access ends when staff leave your organisation.
  • Check if the current level of disaster recovery is suitable for you, if you intend to use Business Connect for critical processes.