| 127 |
1.1.64.C.01. |
All Classifications |
Must |
System owners seeking a dispensation for non-compliance with any essentialbaseline controls in this manual MUST be granted a dispensation by their Accreditation Authority. Where High GradAssurance Cryptographic Systems (HACS) are implemented, the Accreditation Authority will be the Director-General GCS) are implemented, the Accreditation Authority will be the Director-General GCSB or a formal delegate. |
| 131 |
1.1.65.C.01. |
All Classifications |
Must |
System owners seeking a dispensation for non-compliance with essentialbaseline controls MUST complete an agency risk assessment which documents:
the reason(s) for not being able to comply with this manual;
the effect on any of their own, multi-agency or All-of-Government system;
the alternative mitigation measure(s) to be implemented;
The strength and applicability of the alternative mitigations;
an assessment of the residual security risk(s); and
a date by which to review the decision.
|
| 143 |
1.1.67.C.01. |
All Classifications |
Must |
If a system processes, stores or communicates data and information with multiple agencies or forms part of an All-of-Government system, interested parties MUST be formally consulted before non-compliance with any essentialbaseline controls. |
| 151 |
1.1.69.C.01. |
All Classifications |
Must |
Agencies MUST retain a copy and maintain a record of the supporting risk assessment and decisions to be non-compliant with any esbaselintiale controls from this manual. |
| 255 |
2.3.27.C.01. |
All Classifications |
Must |
Agencies intending to adopt cloud technologies or services MUST conduct a comprehensive risk assessment, in accordance with the guidance provided by the Government CIhief Digital Officer (GCDO) before implementation or adoption. |
| 283 |
3.1.8.C.02. |
All Classifications |
Should |
When the agency head devolvegates their authority, the delegate SHOULD be a senior executive who understands the CISOconsequences and potential impact to the business of the acceptance of residual risk. |
| 284 |
3.1.8.C.03. |
All Classifications |
Should |
Where the head of a smaller agency is not able to satisfy all segregation of duty requirements because of scalability and small personnel numbers, all, potential conflicts of interest SHOULD be clearly identified, declared and actively managed. |
| 311 |
3.2.8.C.05. |
All Classifications |
Should |
Where multhiple roles ofare held by the CISO is outsourced,any potential conflicts of interest in availability, response times or working with vendors SHOULD be identified and carefully managed. |
| 322 |
3.2.11.C.01. |
All Classifications |
Should |
The CISO SHOULD be responsible for establishing mechanisms and programs to ensuringe compliance with the information security policies and standards within the agency. |
| 323 |
3.2.11.C.02. |
All Classifications |
Should |
The CISO SHOULD be responsible for ensuring agency compliance with the NZISM through facilitating a continuous program of certification and accreditation bof asedll on security risk managency systements. |
| 334 |
3.2.13.C.02. |
All Classifications |
Should |
The CISO SHOULD liaise with agency technology architecture teams to ensure alignment between security and agency architectures. |
| 570 |
4.3.18.C.02. |
All Classifications |
Must |
The Information Security Policy (SecPol) MUST be reviewed by the auditor to ensure that all reapplicablevant controls specified in this manual are addressed. |
| 634 |
4.4.12.C.03. |
All Classifications |
Must |
Agencies MUST notify the Government CIhief Digital Officer (GCDO) where All-of-Government systems are connected to agency systems operating with expired accreditations. |
| 675 |
4.5.18.C.03. |
All Classifications |
Must |
The Accreditation Authority MUST advise the GCIDO where the accreditation decision may affect any All-of-Government systems. |
| 780 |
5.2.3.C.01. |
All Classifications |
Should |
The Information Security Policy (SecPol) SHOULD document the information security, guidelines, standards and responsibilities of an agency. |
| 781 |
5.2.3.C.02. |
All Classifications |
Should |
The Information Security Policy (SecPol) SHOULD include topics such as:
accreditation processes;
personnel responsibilities;
configuration control;
access control;
networking and connections with other systems;
physical security and media control;
emergency procedures and information security incident management;
vulnerability disclosure;
change management; and
information security awareness and training.
|
| 1048 |
6.1.9.C.01. |
All Classifications |
Should |
Agencies SHOULD review the components detailed in the table below. Agencies SHOULD also ensure that any adjustments and changes as a result of any vulnerability analysis are consistent with the vulnerability disclosure policy.
Component
Review
Information security documentation
The SecPol, Systems Architecture, SRMPs, SecPlans, SitePlan, SOPs, the VDP, the IRP, and any third party assurance reports.
Dispensations
Prior to the identified expiry date.
Operating environment
When an identified threat emerges or changes, an agency gains or loses a function or the operation of functions are moved to a new physical environment.
Procedures
After an information security incident or test exercise.
System security
Items that could affect the security of the system on a regular basis.
Threats
Changes in threat environment and risk profile.
NZISM
Changes to baseline or other controls, any new controls and guidance.
|
| 1066 |
6.2.5.C.01. |
All Classifications |
Should |
Agencies SHOULD conduct vulnerability assessments in order to establish a baseline. This SHOULD be done:
before a system is first used;
after any significant incident;
after a significant change to the system;
after changes to standards, policies and guidelines; and/or
as
when specified by an ITSM or the system owner.
|
| 1120 |
6.4.5.C.01. |
All Classifications |
Must |
Agencies MUST determine availability and recovery requirements for their systems and implement appropriate measures consistent with the agency's SRMP to support them. |
| 1153 |
7.1.7.C.01. |
Confidential, Secret, Top Secret |
Must |
Agencies MUST develop, implement and maintain tools and procedures covering the detection of potential information security incidents, incorporating:
user awareness and training;
counter-measures against malicious code, known attack methods and types;
intrusion detection strategies;
data egress monitoring & control;
access control anomalies;
audit analysis;
system integrity checking; and
vulnerability assessments.
|
| 1154 |
7.1.7.C.02. |
All Classifications |
Should |
Agencies SHOULD develop, implement and maintain tools and procedures covering the detection of potential information security incidents, incorporating:
user awareness and training;
counter-measures against malicious code, known attack methods and types;
intrusion detection strategies;
data egress monitoring & control;
access control anomalies;
audit analysis;
system integrity checking; and
vulnerability assessments.
|
| 1155 |
7.1.7.C.03. |
All Classifications |
Should |
Agencies SHOULD use the results of the security risk assessment to determine the appropriate balance of resources allocated to prevention versus resources allocated to detection of information security incidents. |
| 1205 |
7.2.17.C.02. |
All Classifications |
Should |
Agencies SHOULD:
encourage personnel to note and report any observed or suspected security weaknesses in, or threats to, systems or services;
establish and follow procedures for reporting system, software or other malfunctions;
put mechanisms in place to enable the types, volumes and costs of information security incidents and malfunctions to be quantified and monitored; and
deal with the violation of agency information security policies and procedures by personnel through training and, where warranted, a formal disciplinary process.
|
| 1216 |
7.2.19.C.01. |
All Classifications |
Must |
The Agency ITSM, MUST report signiinficant information security incidents, or incidents related to m categorised as:
Critical;
Serious; or
incidents related to multi-agency or government systems, ;
to the NCSC (see also below) as soon as possible. |
| 1220 |
7.2.20.C.01. |
All Classifications |
Should |
Agencies SHOULD, through an ITSM, report non-significant information security incidents categorised as Low to the NCSC. |
| 1223 |
7.2.21.C.01. |
All Classifications |
Should |
Agencies SHOULD formally report information security incidents using the NCSC adon-line reporting fon of the TAXII, STIX and CyBox protocolsm. |
| 1226 |
7.2.22.C.01. |
All Classifications |
Must |
Agencies that outsource their information technology services and functions MUST ensure that the service provider advises and consults with the agency when an information security incident occurs. |
| 1233 |
7.2.23.C.01. |
All Classifications |
Must |
Agencies MUST notify all system users of any suspected or confirmed loss or compromise of keying material. |
| 1237 |
7.2.25.C.01. |
All Classifications |
Must |
Agencies MUST urgently notify GCSB of any suspected loss or compromise of keying material associated with HGACE. |
| 1285 |
7.3.8.C.03. |
All Classifications |
Should |
When a data spill involving classified information or contaminating classified systems occurs and systems cannot be segregated or isolated agencies SHOULD immediately contact the GNCSBC for further advice. |
| 1290 |
7.3.9.C.01. |
All Classifications |
Should |
Agencies SHOULD follow the steps described below when malicious code is detected:
isolate the infected system;
decide whether to request assistance from GNCSBC;
if such assistance is requested and agreed to, delay any further action until advised by GNCSBC;
scan all previously connected systems and any media used within a set period leading up to the information security incident, for malicious code;
isolate all infected systems and media to prevent reinfection;
change all passwords and key material stored or potentially accessed from compromised systems, including any websites with password controlled access;
advise system users of any relevant aspects of the compromise, including a recommendation to change all passwords on compromised systems;
use up-to-date anti-malware software to remove the malware from the systems or media;
monitor network traffic for malicious activity;
report the information security incident and perform any other activities specified in the IRP; and
in the worst case scenario, rebuild and reinitialise the system.
|
| 1300 |
7.3.12.C.01. |
All Classifications |
Should |
Agencies SHOULD ensure that any requests for GNCSBC assistance are made as soon as possible after the information security incident is detected and that no actions which could affect the integrity of the evidence are carried out prior to GNCSBC’s involvement. |
| 1327 |
8.1.11.C.02. |
All Classifications |
Should |
Agencies SHOULD position desks, screens and keyboards so that they cannot be away from windows and doorways so that they cannot be overseen by unauthorised peoprsons. If required, bleinds or drapes SHOULD be fixed to the inside of windows, or fix band doors kept clinds or drapes to the inside of windows and away from doorwaysosed to avoid oversight. |
| 1449 |
9.1.4.C.01. |
All Classifications |
Must |
Agency management MUST ensure that all personnel who have access to a system have sufficient training and ongoing information security awareness and training. |
| 1452 |
9.1.5.C.01. |
All Classifications |
Must |
Agencies MUST provide ongoing information security awareness and traininga training programme for personnel on topics such as responsibilities, legislation and regulation, consequences of non-compliance with information security policies and procedures, and potential security risks and counter-measures. |
| 1457 |
9.1.6.C.01. |
All Classifications |
Should |
Agencies SHOULD align the detail, content and coverage of information security awareness and training programmes to system user responsibilities. |
| 1484 |
9.2.6.C.02. |
All Classifications |
Should |
Agencies MSHOUSTLD:
limit system access on a need-to-know/need-to-access basis;
provide system users with the least amount of privileges needed to undertake their duties; and
have any requests for access to a system authorised by the supervisor or manager of the system user.
|
| 5626 |
10.6.29.C.01. |
Confidential, Secret, Top Secret |
Must |
Cabinet rails MUST be installed to
§ provide adequate room for patch cables and wire managers
§ A;
provide adequate space for cable management at front, sides, and rear
§ A; and
arrange switches and patch panels to minimize patching between cabinets & racks
.
|
| 2662 |
11.3.12.C.02. |
Confidential, Secret, Top Secret |
Must |
Agencies MUSHOULDT use push-to-talk mechandisetms to meet the requirement for off-hook audio protection. PTT activation MUST be clearly labelled. |
| 2767 |
11.5.16.C.03. |
All Classifications |
Must |
Where the use of personal wearable devices is permitted on medical grounds and used within a corporate or agency environment, agencies MUST ensure any relevant legislation and regulation pertaining to the protection of Personally Identifiable Information (PII) is properly managed and protectfollowed. |
| 3460 |
12.4.6.C.01. |
All Classifications |
Must |
Agencies MUST ensure that any firmware updates are performed in a manner that verifies the integrity and authenticity of the source and of the updating process or updating utility. |
| 3465 |
12.4.7.C.01. |
All Classifications |
Should |
Agencies SHOULD assess the security risk of continued usinge of software or IT equipment when a cessation date for support is announced or when the product is no longer supported by the developer. |
| 3537 |
12.6.4.C.01. |
All Classifications |
Must |
Agencies MUST sanitise or destroy, then declassify, IT equipment containing any media before disposal. |
| 3566 |
12.6.8.C.01. |
All Classifications |
Must |
Agencies MUST visually inspect video screens by turning up the brightness to the maximum level to determine if any classified information has been burnt into or persists on the screen, before redeployment or disposal. |
| 3572 |
12.6.9.C.01. |
All Classifications |
Must |
Agencies MUST attempt to sanitise video screens with minor burn-in or image persistence by displaying a solid white image on the screen for an extended period of time. If burn-in cannot be corrected the screen MUST be processed through an approved destruction facility. |
| 3709 |
12.7.21.C.01. |
All Classifications |
Should |
For equipment that is expected to have an extended operational life in a critical system, and in the event that the supplier is no longer able to supply these, agencies SHOULD provide for the acquisition of :
necessary licences and ;
information to produce spare parts, components, assemblies, ;
testing equipment and ; and
technical assistance agreements in the event that the supplier is no longer able to supply the equipment, products and essential spares.
|
| 3832 |
13.1.10.C.01. |
All Classifications |
Should |
Agencies SHOULD undertake a risk assessment with consideration given to proportionality in respect of :
scale and impact of the processes, data, ;
data;
users and ;
licences system and ;
usage agreements; and
service to be migrated or decommissioned.
|
| 4302 |
13.5.24.C.01. |
All Classifications |
Must |
Agencies MUST employ approved equipment for the purpose of media and IT Eequipment destruction MUST be performed using approved destruction equipment, facilities and methods. |
| 4304 |
13.5.24.C.02. |
All Classifications |
Must |
Where agencyies do not own thedir approvedwn destruction equipment is not available, agencies MUST use an approved destruction facility for media and IT Eequipment destruction. |
| 4343 |
13.5.25.C.01. |
All Classifications |
Must |
Agencies MUST, at minimum, store and handle the resulting waste for all methods, as forin accordance with the classification given in the table below.
Initial media or IT Equipment classification
Screen aperture size particles can pass through
Less than or equal to 3mm
Treat as
Less than or equal to 6mm
Treat as
TOP SECRET
UNCLASSIFIED
RESTRICTED
SECRET
UNCLASSIFIED
RESTRICTED
CONFIDENTIAL
UNCLASSIFIED
RESTRICTED
RESTRICTED
UNCLASSIFIED
UNCLASSIFIED
Particle size: measured in any direction, should not exceed stated measurement. |
| 4359 |
13.5.27.C.03. |
All Classifications |
Should |
The Destruction Register SHOULD record:
Date oestruction facility used;
Destruction method used;
Date of destruction;
Operator and witnesses;
Media or and IT Eequipment classification; and
Media or and IT Eequipment type, characteristics and serial number.
|
| 4367 |
13.5.29.C.01. |
Top Secret |
Must Not |
Agencies MUST NOT outsource the supervision and oversight of the destruction of TOP SECRET or NZEO media and IT Eequipment or other accountable material to a non-government entity or organisation. |
| 6019 |
15.2.22.C.01. |
All Classifications |
Should |
Before implementing DMARC agencies SHOULD:
Create a DMARC policy;
List all domains , in particused for the sendinglar those used for the sending and/or receiving of email;
Review the configuration of SPF and DKIM for all active domains and all published domains; and
Establish one or more monitored inboxes to receive DMARC reports.
|
| 6020 |
15.2.22.C.02. |
All Classifications |
Should |
Agencies SHOULD enable DMARC for all email originating from or received by their domain(s), including:
sending domain owners SHOULD publish a DMARC record with a related DNS entry advising mail receivers of the characteristics of messages purporting to originate from the sender’s domain;
received DMARC messages SHOULD be managed in accordance with the agency’s published DMARC policy; and
agencies SHOULD produce failure reports and aggregate reports according to the agency’s DMARC policies.
|
| 1827 |
16.1.31.C.01. |
All Classifications |
Must |
Agencies MUST:
develop, implement and maintain a set of policies and procedures covering all system users’:
identification;
authentication;
authorisation;
privileged access identification and management; and
make their system users aware of the agency’s policies and procedures.
|
| 2070 |
17.1.51.C.01. |
All Classifications |
Must |
Agencies using cryptographic functionality within a product for the protection of classifiedto protect the confidentiality, authentication, non-repudiation or integrity of information, MUST ensure that the product has completed a cryptographic evaluation recognised by the GCSB. |
| 2080 |
17.1.53.C.02. |
Confidential, Secret, Top Secret |
Must |
If an agency wishes to reduce the storage or physical transfer requirements for IT equipment or media that contains classified information, they MUST encrypt the classified information using High GradAssurance Cryptographic Equipment (HGACE). It is important to note that the classification of the information itself remains unchanged. |
| 2081 |
17.1.53.C.03. |
Confidential, Secret, Top Secret |
Must |
If an agency wishes to use encryption to reduce the storage, handling or physical transfer requirements for IT equipment or media that contains classified information, they MUST use:
full disk encryption; or
partial disk encryption where the access control will allow writing onlyONLY to the encrypted partition holding the classified information.
|
| 2082 |
17.1.53.C.04. |
All Classifications |
Should |
If an agency wishes to use encryption to reduce the storage or physical transfer requirements for IT equipment or media that contains classified information, they SHOULD use:
full disk encryption; or
partial disk encryption where the access control will only allow writing ONLY to the encrypted partition holding the classified information.
|
| 2089 |
17.1.55.C.01. |
Confidential, Secret, Top Secret |
Must |
Agencies MUST use HGACE if they wish to communicate or pass information over UNCLASSIFIED, insecure or unprotected networks. |
| 2090 |
17.1.55.C.02. |
Restricted/Sensitive |
Must |
Information or systems classified RESTRICTED or SENSITIVE MUST be encrypted with an aApproved encryption alCryptogorithm and praphic Algorithm and Protocol if information is transmitted or systems are communicating over any insecure or unprotected network such as the Internets, such as the Internet, public infrastructurenetworks or non-agency controlled networks. |
| 2091 |
17.1.55.C.03. |
All Classifications |
Must |
Agencies MUST encrypt aggregated agency data using an approved algorithm and protocol when data is transmitted over insecure or unprotected networks such as the Internet, pubetween data centres over insecure or unprotectlic infrastructure or non-agency controlled networks such as the Internet, public inwhen the compromise ofrastructure or non-agency controlled networks the aggregated data would present a significant impact to the agency. |
| 2092 |
17.1.55.C.04. |
All Classifications |
Should |
Agencies SHOULD useencrypt agency data using an approved encryption productalgorithm and protocol if they wish to communicate over insecure or unprotected networks such as the Internet, public networks or non-agency controlled networks. |
| 2097 |
17.1.56.C.02. |
All Classifications |
Must |
Agencyies MUST consult the GCSB for further advice on the powered off status and treatment of specific psoftwaroduce, systems and IT equsagipment. |
| 2105 |
17.1.58.C.03. |
All Classifications |
Must |
Agencies using HACE MUST consult with the GCSB for the key management requirements for HGCE. |
| 2128 |
17.2.17.C.01. |
All Classifications |
Must |
Agencies using an unevaluated product that implements an Approved Cryptographic Algorithm MUST ensure that only Approved Cryptographic Algorithms can be used when using an unevaluated product that implements a combination of approved and non-approved Cryptographic Algorithms. |
| 2134 |
17.2.19.C.01. |
All Classifications |
Must |
Agencies using DH, for the approved use of agreeing on encryption session keys, MUST use a modulus of at least 4309672 bits. |
| 2137 |
17.2.20.C.01. |
All Classifications |
Must |
Legacy dDevices which are NOT capable of implementing required key lengths MUST be reconfigured with the longest feasible key length as a matter of urgency. |
| 2138 |
17.2.20.C.02. |
All Classifications |
Must |
Legacy dDevices which are NOT capable of implementing required key lengths MUST be scheduled for replacement as a matter of urgency. |
| 2148 |
17.2.23.C.01. |
All Classifications |
Must |
Agencies using ECDSA, for the approved use of digital signatures, MUST implement the curves P-256 and P-384 (prime moduli). |
| 2151 |
17.2.24.C.01. |
All Classifications |
Must |
Agencies using RSA, for the approved use of digital signatures and passing encryption session keys or similar keys, MUST use a modulus of at least 3072048 bits. |
| 2155 |
17.2.26.C.01. |
All Classifications |
Must |
Agencies MUST use the SHA-2 family befor new systems. Use usingof SHA-1 is permitted ONLY for legacy systems. |
| 5905 |
17.2.26.C.02. |
All Classifications |
Must |
Agencies MUSHOULDT use a minimum of SHA-384 when using hashing algorithms to provide integrity protection for information classified as RESTRICTED/SENSITIVE or above. |
| 2158 |
17.2.28.C.01. |
All Classifications |
Should Not |
Agencies using approved symmetric encryption algorithms (e.g. AES or 3DES) SHOULD NOT use eElectronic cCodeb Book (ECB) mode. |
| 2598 |
17.4.16.C.01. |
All Classifications |
Should |
Agencies SHOULD use the current version of TLS (version 1.23). |
| 2737 |
17.5.9.C.01. |
All Classifications |
Should |
Agencies that use SSH-agent or other similar key caching programs SHOULD:
only use the software on workstation and servers with screenlocks;
ensure that the key cache expires within four hours of inactivity; and
ensure that agent credential forwarding is used when multiple SSH transversal is needed.
|
| 3043 |
17.9.31.C.01. |
All Classifications |
Must |
Agencies MUST comply with NZCSI when using HGCP or HGACE. |
| 3053 |
17.9.32.C.03. |
All Classifications |
Should Not |
Agencies SHOULD NOT transport commercial grade cryptographic equipment or products in a keyed state. |
| 3290 |
18.2.6.C.01. |
All Classifications |
Must |
Agencies deploying a wireless network for public access MUST segparegate it from any other agency networks; including BYOD networks. |
| 3617 |
18.2.33.C.01. |
All Classifications |
Should |
The effective range of wireless communications outside an agency’s area of control SHOULD be limited by:
Minimising the output power level of wireless devices; and/or.
Implementing RF shielding within buildings in which wireless networks are used.
|
| 3621 |
18.2.34.C.01. |
All Classifications |
Should |
Wireless networks SHOULD be sufficiently segregated through the use of channel separation. |
| 3777 |
18.3.17.C.01. |
All Classifications |
Should |
Agencies SHOULD use access control software to control USB ports on workstations using softphones and webcams by utilising the specific vendor and product identifier of the authorised phondevice. |
| 4015 |
19.4.4.C.01. |
All Classifications |
Must |
Agencies MUST use devices as shown in the following table for controlling the data flow of one-way gateways between networks of different classifications.
High networrk
Low network
You require
RESTRICTED
UNCLASSIFIED
EAL2 or PP diode
RESTRICTED
EAL2 or PP diode
CONFIDENTIAL
UNCLASSIFIED
high assurance diode
RESTRICTED
high assurance diode
CONFIDENTIAL
high assurance diode
SECRET
UNCLASSIFIED
high assurance diode
RESTRICTED
high assurance diode
CONFIDENTIAL
high assurance diode
SECRET
high assurance diode
TOP SECRET
UNCLASSIFIED
high assurance diode
RESTRICTED
high assurance diode
CONFIDENTIAL
high assurance diode
SECRET
high assurance diode
TOP SECRET
high assurance diode
|
| 4710 |
19.5.24.C.07. |
All Classifications |
Must |
Agencies procuring or using VoIP or UC services to be used by multiple agencies MUST ensure all interested parties formally agree to the risks, essential controls and any residual risks of such VoIP and UC services. The lead agency normally has this responsibility (see Chapter 2 - Information Security within Government and Chapter 4 - System Certification and Accreditation). |
| 4715 |
19.5.25.C.01. |
All Classifications |
Must |
Agencies MUST follow the gateway requirements described in this Chapter 19 - Gateway Security. |
| 4742 |
19.5.27.C.06. |
All Classifications |
Should |
Event logs covering all VoIP and UC services SHOULD be maintained in accordance with the requirements of the NZISM. See section 16.5 - Event logging and Auditing and 13.1.12 - Archiving. |
| 4301 |
20.2.10.C.01. |
All Classifications |
Must |
To prevent the export of NZEO data to foreign systems, agencies MUST implement NZEO data filtering performed by a product specifically designed or configured for that purpose. |
| 4336 |
20.3.8.C.01. |
All Classifications |
Should |
Agencies SHOULD perform content/ conversion, file conversion or both for all ingress or egress data transiting a security domain boundary. |
| 4339 |
20.3.9.C.01. |
All Classifications |
Should |
Agencies SHOULD perform content/ and file sanitisation on suitable file types if content/ conversion or file conversion is not appropriate for data transiting a security domain boundary. |
| 4401 |
20.3.11.C.01. |
All Classifications |
Should |
Agencies SHOULD extract the contents from archive/ and container files and subject the extracted files to content filter tests. |
| 4402 |
20.3.11.C.02. |
All Classifications |
Should |
Agencies SHOULD perform controlled inspection of archive/ and container files to ensure that content filter performance orand availability is not adversely affected. |
| 4406 |
20.3.12.C.01. |
Confidential, Secret, Top Secret |
Must |
Agencies MUST identify, create and enforce a whitelist of permitted content types based on business requirements and the results of a security risk assessment. |
| 4407 |
20.3.12.C.02. |
All Classifications |
Should |
Agencies SHOULD identify, create and enforce a whitelist of permitted content types based on business requirements and the results of a security risk assessment. |
| 4483 |
21.1.13.C.01. |
Confidential, Secret, Top Secret |
Must |
Agencies unable to lower the storage and physical transfer requirements of a mobile device to an unclassified level through the use of encryption MUST physically store or transfer the device as a classified asset in accordance with the relevant handling instructions (refer to the PSR). |
| 4485 |
21.1.13.C.03. |
All Classifications |
Should |
Agencies unable to lower the storage and physical transfer requirements of a mobile device to an unclassified level through the use of encryption SHOULD physically store or transfer the device as a classified asset in accordance with the relevant handling instructions (refer to the PSR). |
| 4541 |
21.2.4.C.01. |
All Classifications |
Must Not |
Agencies MUST NOT allow personnel to access or communicate classified information on mobile devices outside of secure areas unless there is a reduced chance of being overheard orand having the screen of the device observed. |
| 4555 |
21.2.7.C.02. |
All Classifications |
Must |
Travelling personnel requested to decrypt mobile devices for inspection or from whom mobile devices are taken out of sight by customs personnel or from whom mobile devices are taken out of sight by customs personneborder control MUST report the potential compromise of classified information or the device to an ITSM as soon as possible. |
| 4650 |
21.4.10.C.16. |
All Classifications |
Must |
The responsibility for payment of voice and data plans and roaming charges MUST be specified and agreed. |
| 4658 |
21.4.11.C.04. |
All Classifications |
Must |
Network configuration policies and authentication mechanisms MUST be configured to allow access to agency resources ONLY through the BYOD network segment. |
| 4660 |
21.4.11.C.06. |
All Classifications |
Must |
Wireless accesses points used for access to agency networks MUST be implemented and secured in accordance with the directions in this manual (See Section 18.2 – Wireless Local Area Networks). |
| 4666 |
21.4.11.C.12. |
All Classifications |
Must |
BYOD MUST have a Mobile Device Management (MDM) solution implemented with a minimum of the following enabled:
The MDM is enabled to “wipe” devices of any agency data if lost or stolen;
If the MDM cannot discriminate between agency and personal data, all data, including personal data, is deleted if the device is lost or stolen;
The MDM is capable of remotely applying agency security configurations for BYOD devices;
Mobile device security configurations are validated (health check) by the MDM before a device is permitted to connect to the agency’s systems;
“Jail-broken”, “rooted” or settings violations MUST be detected and isolated;
“Jail-broken” devices are NOT permitted to access agency resources;
Access to agency resources is limited until the device and/orboth the device and user is fully compliant with policy and SOPs;
Auditing and logging is enabled; and
Changes of Subscriber Identity Module (SIM) card are monitored to allow remote blocking and wiping in the event of theft or compromise.
|
| 4667 |
21.4.11.C.13. |
All Classifications |
Must |
Appropriate iIntrusion detection systems MUST be implemented. |
| 4675 |
21.4.11.C.20. |
All Classifications |
Should |
BYOD devices and systems SHOULD use Multi-factor (at least two-factor) authentication to connect to agency systems and prior to being permitted access to agency data. |
| 4680 |
21.4.12.C.02. |
All Classifications |
Must |
Agencies MUST implement rogue AP and wireless “hot spot” detection and implement appropriate response procedures where detection occurs. |
| 4681 |
21.4.12.C.03. |
All Classifications |
Should |
Agencies SHOULD conduct a baseline survey to identify:
Known andAll authorised devices and AP’s; and
KAnown andy unauthorised devices and AP’s.
|
| 4686 |
21.4.13.C.03. |
All Classifications |
Must |
The use of virtual containers, sandboxes, wraps or similar mechanisms on the mobile device MUST be established for each authorised session for any organisational data. These virtual containermechanisms MUST be non-persistent and be removed at the end of each session. |
| 4687 |
21.4.13.C.04. |
All Classifications |
Must |
Any sensitive agency data MUST be removed/ and securely deleted, or encrypted at the end of a session. |
| 4690 |
21.4.13.C.07. |
All Classifications |
Must |
Agencies MUST disable split-tunnelling when using a BYOD device to connect to an agency network (See Section 21.1 – Agency Owned Mobile Devices). |
| 4692 |
21.4.13.C.09. |
All Classifications |
Must |
The use of passwords or PINs to unlock the BYOD device MUST be enforced in addition to all other agency authentication mechanisms agency access. |
| 4693 |
21.4.13.C.10. |
All Classifications |
Must |
BYOD device passwords MUST be distinct from any agency access and authentication passwords. |
| 4812 |
22.1.21.C.05. |
All Classifications |
Must |
Agencies MUST consult with the GCIDO to ensure the strategic and other cloud risks are comprehensively assessed. |
| 4813 |
22.1.21.C.06. |
All Classifications |
Must |
Agencies procuring or using cloud services to be used by multiple agencies MUST ensure all interested parties formally agree the risks, essential controls and any residual risks of such cloud services. |
| 4814 |
22.1.21.C.07. |
All Classifications |
Must |
Agencies using cloud services MUST ensure they have conducted a documented risk assessment, accepted any residual risks, and followed the endorsement procedure required by the GCIDO. |
| 4822 |
22.1.22.C.03. |
All Classifications |
Must |
Agencies using cloud services hosted offshore and connected to All-of-Government systems MUST ensure they have conducted a risk assessment, accepted any residual risks, and followed the endorsement procedure required by the GCIDO. |