| 127 |
1.1.63.C.01. |
All Classifications |
Must |
System owners seeking a dispensation for non-compliance with any essentialbaseline controls in this manual MUST be granted a dispensation by their Accreditation Authority. Where High Grade Cryptographic Systems (HGCS) are implemented, the Accreditation Authority will be the Director-General GCSB or a formal delegate. |
| 131 |
1.1.64.C.01. |
All Classifications |
Must |
System owners seeking a dispensation for non-compliance with essentialbaseline controls MUST complete an agency risk assessment which documents:
the reason(s) for not being able to comply with this manual;
the effect on any of their own, multi-agency or All-of-Government system;
the alternative mitigation measure(s) to be implemented;
The strength and applicability of the alternative mitigations;
an assessment of the residual security risk(s); and
a date by which to review the decision.
|
| 143 |
1.1.66.C.01. |
All Classifications |
Must |
If a system processes, stores or communicates data and information with multiple agencies or forms part of an All-of-Government system, interested parties MUST be formally consulted before non-compliance with any essentialbaseline controls. |
| 151 |
1.1.68.C.01. |
All Classifications |
Must |
Agencies MUST retain a copy and maintain a record of the supporting risk assessment and decisions to be non-compliant with any esbaselintiale controls from this manual. |
| 284 |
3.1.8.C.03. |
All Classifications |
Should |
Where the head of a smaller agency is not able to satisfy all segregation of duty requirements because of scalability and small personnel numbers, all, potential conflicts of interest SHOULD be clearly identified, declared and actively managed. |
| 570 |
4.3.18.C.02. |
All Classifications |
Must |
The Information Security Policy (SecPol) MUST be reviewed by the auditor to ensure that all reapplicablevant controls specified in this manual are addressed. |
| 780 |
5.2.3.C.01. |
All Classifications |
Should |
The Information Security Policy (SecPol) SHOULD document the information security, guidelines, standards and responsibilities of an agency. |
| 1066 |
6.2.5.C.01. |
All Classifications |
Should |
Agencies SHOULD conduct vulnerability assessments in order to establish a baseline. This SHOULD be done:
before a system is first used;
after any significant incident;
after a significant change to the system;
after changes to standards, policies and guidelines; and/or
as
when specified by an ITSM or the system owner.
|
| 1120 |
6.4.5.C.01. |
All Classifications |
Must |
Agencies MUST determine availability and recovery requirements for their systems and implement appropriate measures consistent with the agency's SRMP to support them. |
| 1153 |
7.1.7.C.01. |
Confidential, Secret, Top Secret |
Must |
Agencies MUST develop, implement and maintain tools and procedures covering the detection of potential information security incidents, incorporating:
user awareness and training;
counter-measures against malicious code, known attack methods and types;
intrusion detection strategies;
data egress monitoring & control;
access control anomalies;
audit analysis;
system integrity checking; and
vulnerability assessments.
|
| 1154 |
7.1.7.C.02. |
All Classifications |
Should |
Agencies SHOULD develop, implement and maintain tools and procedures covering the detection of potential information security incidents, incorporating:
user awareness and training;
counter-measures against malicious code, known attack methods and types;
intrusion detection strategies;
data egress monitoring & control;
access control anomalies;
audit analysis;
system integrity checking; and
vulnerability assessments.
|
| 1155 |
7.1.7.C.03. |
All Classifications |
Should |
Agencies SHOULD use the results of the security risk assessment to determine the appropriate balance of resources allocated to prevention versus resources allocated to detection of information security incidents. |
| 1205 |
7.2.17.C.02. |
All Classifications |
Should |
Agencies SHOULD:
encourage personnel to note and report any observed or suspected security weaknesses in, or threats to, systems or services;
establish and follow procedures for reporting system, software or other malfunctions;
put mechanisms in place to enable the types, volumes and costs of information security incidents and malfunctions to be quantified and monitored; and
deal with the violation of agency information security policies and procedures by personnel through training and, where warranted, a formal disciplinary process.
|
| 1216 |
7.2.19.C.01. |
All Classifications |
Must |
The Agency ITSM, MUST report signiinficant information security incidents, or incidents related to m categorised as:
Critical;
Serious; or
incidents related to multi-agency or government systems, ;
to the NCSC (see also below) as soon as possible. |
| 1220 |
7.2.20.C.01. |
All Classifications |
Should |
Agencies SHOULD, through an ITSM, report non-significant information security incidents categorised as Low to the NCSC. |
| 1223 |
7.2.21.C.01. |
All Classifications |
Should |
Agencies SHOULD formally report information security incidents using the NCSC adon-line reporting fon of the TAXII, STIX and CyBox protocolsm. |
| 1226 |
7.2.22.C.01. |
All Classifications |
Must |
Agencies that outsource their information technology services and functions MUST ensure that the service provider advises and consults with the agency when an information security incident occurs. |
| 1233 |
7.2.23.C.01. |
All Classifications |
Must |
Agencies MUST notify all system users of any suspected or confirmed loss or compromise of keying material. |
| 1237 |
7.2.25.C.01. |
All Classifications |
Must |
Agencies MUST urgently notify GCSB of any suspected loss or compromise of keying material associated with HGCE. |
| 1285 |
7.3.8.C.03. |
All Classifications |
Should |
When a data spill involving classified information or contaminating classified systems occurs and systems cannot be segregated or isolated agencies SHOULD immediately contact the GNCSBC for further advice. |
| 1290 |
7.3.9.C.01. |
All Classifications |
Should |
Agencies SHOULD follow the steps described below when malicious code is detected:
isolate the infected system;
decide whether to request assistance from GNCSBC;
if such assistance is requested and agreed to, delay any further action until advised by GNCSBC;
scan all previously connected systems and any media used within a set period leading up to the information security incident, for malicious code;
isolate all infected systems and media to prevent reinfection;
change all passwords and key material stored or potentially accessed from compromised systems, including any websites with password controlled access;
advise system users of any relevant aspects of the compromise, including a recommendation to change all passwords on compromised systems;
use up-to-date anti-malware software to remove the malware from the systems or media;
monitor network traffic for malicious activity;
report the information security incident and perform any other activities specified in the IRP; and
in the worst case scenario, rebuild and reinitialise the system.
|
| 1300 |
7.3.12.C.01. |
All Classifications |
Should |
Agencies SHOULD ensure that any requests for GNCSBC assistance are made as soon as possible after the information security incident is detected and that no actions which could affect the integrity of the evidence are carried out prior to GNCSBC’s involvement. |
| 1327 |
8.1.11.C.02. |
All Classifications |
Should |
Agencies SHOULD position desks, screens and keyboards so that they cannot be away from windows and doorways so that they cannot be overseen by unauthorised peoprsons. If required, bleinds or drapes SHOULD be fixed to the inside of windows, or fix band doors kept clinds or drapes to the inside of windows and away from doorwaysosed to avoid oversight. |
| 1449 |
9.1.4.C.01. |
All Classifications |
Must |
Agency management MUST ensure that all personnel who have access to a system have sufficient training and ongoing information security awareness and training. |
| 1452 |
9.1.5.C.01. |
All Classifications |
Must |
Agencies MUST provide ongoing information security awareness and traininga training programme for personnel on topics such as responsibilities, legislation and regulation, consequences of non-compliance with information security policies and procedures, and potential security risks and counter-measures. |
| 1457 |
9.1.6.C.01. |
All Classifications |
Should |
Agencies SHOULD align the detail, content and coverage of information security awareness and training programmes to system user responsibilities. |
| 1484 |
9.2.6.C.02. |
All Classifications |
Should |
Agencies MSHOUSTLD:
limit system access on a need-to-know/need-to-access basis;
provide system users with the least amount of privileges needed to undertake their duties; and
have any requests for access to a system authorised by the supervisor or manager of the system user.
|
| 5626 |
10.6.29.C.01. |
Confidential, Secret, Top Secret |
Must |
Cabinet rails MUST be installed to
§ provide adequate room for patch cables and wire managers
§ A;
provide adequate space for cable management at front, sides, and rear
§ A; and
arrange switches and patch panels to minimize patching between cabinets & racks
.
|
| 2767 |
11.5.16.C.03. |
All Classifications |
Must |
Where the use of personal wearable devices is permitted on medical grounds and used within a corporate or agency environment, agencies MUST ensure any relevant legislation and regulation pertaining to the protection of Personally Identifiable Information (PII) is properly managed and protectfollowed. |
| 3460 |
12.4.6.C.01. |
All Classifications |
Must |
Agencies MUST ensure that any firmware updates are performed in a manner that verifies the integrity and authenticity of the source and of the updating process or updating utility. |
| 3465 |
12.4.7.C.01. |
All Classifications |
Should |
Agencies SHOULD assess the security risk of continued usinge of software or IT equipment when a cessation date for support is announced or when the product is no longer supported by the developer. |
| 3709 |
12.7.21.C.01. |
All Classifications |
Should |
For equipment that is expected to have an extended operational life in a critical system, and in the event that the supplier is no longer able to supply these, agencies SHOULD provide for the acquisition of :
necessary licences and ;
information to produce spare parts, components, assemblies, ;
testing equipment and ; and
technical assistance agreements in the event that the supplier is no longer able to supply the equipment, products and essential spares.
|
| 3832 |
13.1.10.C.01. |
All Classifications |
Should |
Agencies SHOULD undertake a risk assessment with consideration given to proportionality in respect of :
scale and impact of the processes, data, ;
data;
users and ;
licences system and ;
usage agreements; and
service to be migrated or decommissioned.
|
| 2097 |
17.1.37.C.02. |
All Classifications |
Must |
Agencyies MUST consult the GCSB for further advice on the powered off status and treatment of specific psoftwaroduce, systems and IT equsagipment. |
| 2148 |
17.2.22.C.01. |
All Classifications |
Must |
Agencies using ECDSA, for the approved use of digital signatures, MUST implement the curves P-256 and P-384 (prime moduli). |
| 2158 |
17.2.26.C.01. |
All Classifications |
Should Not |
Agencies using AES or 3DES SHOULD NOT use eElectronic cCodeb Book mMode (ECB). |
| 2737 |
17.5.9.C.01. |
All Classifications |
Should |
Agencies that use SSH-agent or other similar key caching programs SHOULD:
only use the software on workstation and servers with screenlocks;
ensure that the key cache expires within four hours of inactivity; and
ensure that agent credential forwarding is used when multiple SSH transversal is needed.
|
| 3617 |
18.2.33.C.01. |
All Classifications |
Should |
The effective range of wireless communications outside an agency’s area of control SHOULD be limited by:
Minimising the output power level of wireless devices; and/or.
Implementing RF shielding within buildings in which wireless networks are used.
|
| 3777 |
18.3.17.C.01. |
All Classifications |
Should |
Agencies SHOULD use access control software to control USB ports on workstations using softphones and webcams by utilising the specific vendor and product identifier of the authorised phondevice. |
| 4710 |
19.5.24.C.07. |
All Classifications |
Must |
Agencies procuring or using VoIP or UC services to be used by multiple agencies MUST ensure all interested parties formally agree to the risks, essential controls and any residual risks of such VoIP and UC services. The lead agency normally has this responsibility (see Chapter 2 - Information Security within Government and Chapter 4 - System Certification and Accreditation). |
| 4715 |
19.5.25.C.01. |
All Classifications |
Must |
Agencies MUST follow the gateway requirements described in this Chapter 19 - Gateway Security. |
| 4742 |
19.5.27.C.06. |
All Classifications |
Should |
Event logs covering all VoIP and UC services SHOULD be maintained in accordance with the requirements of the NZISM. See section 16.5 - Event logging and Auditing and 13.1.12 - Archiving. |
| 4301 |
20.2.10.C.01. |
All Classifications |
Must |
To prevent the export of NZEO data to foreign systems, agencies MUST implement NZEO data filtering performed by a product specifically designed or configured for that purpose. |
| 4336 |
20.3.8.C.01. |
All Classifications |
Should |
Agencies SHOULD perform content/ conversion, file conversion or both for all ingress or egress data transiting a security domain boundary. |
| 4339 |
20.3.9.C.01. |
All Classifications |
Should |
Agencies SHOULD perform content/ and file sanitisation on suitable file types if content/ conversion or file conversion is not appropriate for data transiting a security domain boundary. |
| 4401 |
20.3.11.C.01. |
All Classifications |
Should |
Agencies SHOULD extract the contents from archive/ and container files and subject the extracted files to content filter tests. |
| 4402 |
20.3.11.C.02. |
All Classifications |
Should |
Agencies SHOULD perform controlled inspection of archive/ and container files to ensure that content filter performance orand availability is not adversely affected. |
| 4406 |
20.3.12.C.01. |
Confidential, Secret, Top Secret |
Must |
Agencies MUST identify, create and enforce a whitelist of permitted content types based on business requirements and the results of a security risk assessment. |
| 4407 |
20.3.12.C.02. |
All Classifications |
Should |
Agencies SHOULD identify, create and enforce a whitelist of permitted content types based on business requirements and the results of a security risk assessment. |
| 4483 |
21.1.13.C.01. |
Confidential, Secret, Top Secret |
Must |
Agencies unable to lower the storage and physical transfer requirements of a mobile device to an unclassified level through the use of encryption MUST physically store or transfer the device as a classified asset in accordance with the relevant handling instructions (refer to the PSR). |
| 4485 |
21.1.13.C.03. |
All Classifications |
Should |
Agencies unable to lower the storage and physical transfer requirements of a mobile device to an unclassified level through the use of encryption SHOULD physically store or transfer the device as a classified asset in accordance with the relevant handling instructions (refer to the PSR). |
| 4541 |
21.2.4.C.01. |
All Classifications |
Must Not |
Agencies MUST NOT allow personnel to access or communicate classified information on mobile devices outside of secure areas unless there is a reduced chance of being overheard orand having the screen of the device observed. |
| 4555 |
21.2.7.C.02. |
All Classifications |
Must |
Travelling personnel requested to decrypt mobile devices for inspection or from whom mobile devices are taken out of sight by customs personnel or from whom mobile devices are taken out of sight by customs personneborder control MUST report the potential compromise of classified information or the device to an ITSM as soon as possible. |
| 4650 |
21.4.10.C.16. |
All Classifications |
Must |
The responsibility for payment of voice and data plans and roaming charges MUST be specified and agreed. |
| 4658 |
21.4.11.C.04. |
All Classifications |
Must |
Network configuration policies and authentication mechanisms MUST be configured to allow access to agency resources ONLY through the BYOD network segment. |
| 4666 |
21.4.11.C.12. |
All Classifications |
Must |
BYOD MUST have a Mobile Device Management (MDM) solution implemented with a minimum of the following enabled:
The MDM is enabled to “wipe” devices of any agency data if lost or stolen;
If the MDM cannot discriminate between agency and personal data, all data, including personal data, is deleted if the device is lost or stolen;
The MDM is capable of remotely applying agency security configurations for BYOD devices;
Mobile device security configurations are validated (health check) by the MDM before a device is permitted to connect to the agency’s systems;
“Jail-broken”, “rooted” or settings violations MUST be detected and isolated;
“Jail-broken” devices are NOT permitted to access agency resources;
Access to agency resources is limited until the device and/orboth the device and user is fully compliant with policy and SOPs;
Auditing and logging is enabled; and
Changes of Subscriber Identity Module (SIM) card are monitored to allow remote blocking and wiping in the event of theft or compromise.
|
| 4667 |
21.4.11.C.13. |
All Classifications |
Must |
Appropriate iIntrusion detection systems MUST be implemented. |
| 4680 |
21.4.12.C.02. |
All Classifications |
Must |
Agencies MUST implement rogue AP and wireless “hot spot” detection and implement appropriate response procedures where detection occurs. |
| 4681 |
21.4.12.C.03. |
All Classifications |
Should |
Agencies SHOULD conduct a baseline survey to identify:
Known andAll authorised devices and AP’s; and
KAnown andy unauthorised devices and AP’s.
|
| 4686 |
21.4.13.C.03. |
All Classifications |
Must |
The use of virtual containers, sandboxes, wraps or similar mechanisms on the mobile device MUST be established for each authorised session for any organisational data. These virtual containermechanisms MUST be non-persistent and be removed at the end of each session. |
| 4687 |
21.4.13.C.04. |
All Classifications |
Must |
Any sensitive agency data MUST be removed/ and securely deleted, or encrypted at the end of a session. |
| 4690 |
21.4.13.C.07. |
All Classifications |
Must |
Agencies MUST disable split-tunnelling when using a BYOD device to connect to an agency network (See Section 21.1 – Agency Owned Mobile Devices). |
| 4692 |
21.4.13.C.09. |
All Classifications |
Must |
The use of passwords or PINs to unlock the BYOD device MUST be enforced in addition to all other agency authentication mechanisms agency access. |
| 4693 |
21.4.13.C.10. |
All Classifications |
Must |
BYOD device passwords MUST be distinct from any agency access and authentication passwords. |
| 4813 |
22.1.21.C.06. |
All Classifications |
Must |
Agencies procuring or using cloud services to be used by multiple agencies MUST ensure all interested parties formally agree the risks, essential controls and any residual risks of such cloud services. |