| 127 |
1.1.64.C.01. |
All Classifications |
Must |
System owners seeking a dispensation for non-compliance with any essentialbaseline controls in this manual MUST be granted a dispensation by their Accreditation Authority. Where High GradAssurance Cryptographic Systems (HACS) are implemented, the Accreditation Authority will be the Director-General GCS) are implemented, the Accreditation Authority will be the Director-General GCSB or a formal delegate. |
| 131 |
1.1.65.C.01. |
All Classifications |
Must |
System owners seeking a dispensation for non-compliance with essentialbaseline controls MUST complete an agency risk assessment which documents:
the reason(s) for not being able to comply with this manual;
the effect on any of their own, multi-agency or All-of-Government system;
the alternative mitigation measure(s) to be implemented;
The strength and applicability of the alternative mitigations;
an assessment of the residual security risk(s); and
a date by which to review the decision.
|
| 143 |
1.1.67.C.01. |
All Classifications |
Must |
If a system processes, stores or communicates data and information with multiple agencies or forms part of an All-of-Government system, interested parties MUST be formally consulted before non-compliance with any essentialbaseline controls. |
| 151 |
1.1.69.C.01. |
All Classifications |
Must |
Agencies MUST retain a copy and maintain a record of the supporting risk assessment and decisions to be non-compliant with any esbaselintiale controls from this manual. |
| 255 |
2.3.27.C.01. |
All Classifications |
Must |
Agencies intending to adopt cloud technologies or services MUST conduct a comprehensive risk assessment, in accordance with the guidance provided by the Government CIhief Digital Officer (GCDO) before implementation or adoption. |
| 283 |
3.1.8.C.02. |
All Classifications |
Should |
When the agency head devolvegates their authority, the delegate SHOULD be a senior executive who understands the CISOconsequences and potential impact to the business of the acceptance of residual risk. |
| 284 |
3.1.8.C.03. |
All Classifications |
Should |
Where the head of a smaller agency is not able to satisfy all segregation of duty requirements because of scalability and small personnel numbers, all, potential conflicts of interest SHOULD be clearly identified, declared and actively managed. |
| 311 |
3.2.8.C.05. |
All Classifications |
Should |
Where multhiple roles ofare held by the CISO is outsourced,any potential conflicts of interest in availability, response times or working with vendors SHOULD be identified and carefully managed. |
| 322 |
3.2.11.C.01. |
All Classifications |
Should |
The CISO SHOULD be responsible for establishing mechanisms and programs to ensuringe compliance with the information security policies and standards within the agency. |
| 323 |
3.2.11.C.02. |
All Classifications |
Should |
The CISO SHOULD be responsible for ensuring agency compliance with the NZISM through facilitating a continuous program of certification and accreditation bof asedll on security risk managency systements. |
| 334 |
3.2.13.C.02. |
All Classifications |
Should |
The CISO SHOULD liaise with agency technology architecture teams to ensure alignment between security and agency architectures. |
| 391 |
3.3.8.C.01. |
All Classifications |
Must |
ITSMs MUST be responsible for ensuring the development, maintenance, updating and implementation of Security Risk Management Plans (SRMPs), Systems Security Plans (SecPlanSP) and any Standard Operating Procedures (SOPs) for all agency systems. |
| 569 |
4.3.18.C.01. |
All Classifications |
Must |
The SecPol, SRMP, SecSPlan, SOPs and IRP documentation MUST be reviewed by the auditor to ensure that it is comprehensive and appropriate for the environment the system is to operate within. |
| 570 |
4.3.18.C.02. |
All Classifications |
Must |
The Information Security Policy (SecPol) MUST be reviewed by the auditor to ensure that all reapplicablevant controls specified in this manual are addressed. |
| 634 |
4.4.12.C.03. |
All Classifications |
Must |
Agencies MUST notify the Government CIhief Digital Officer (GCDO) where All-of-Government systems are connected to agency systems operating with expired accreditations. |
| 675 |
4.5.18.C.03. |
All Classifications |
Must |
The Accreditation Authority MUST advise the GCIDO where the accreditation decision may affect any All-of-Government systems. |
| 702 |
5.1.10.C.01. |
All Classifications |
Must |
Agencies MUST ensure that every system is covered by a SecSPlan. |
| 718 |
5.1.15.C.01. |
All Classifications |
Should |
Agencies SHOULD ensure that their SRMP, Systems Architecture, SecSPlan, SOPs and IRP are logically connected and consistent for each system, other agency systems and with the agency’s SecPol. |
| 729 |
5.1.18.C.01. |
All Classifications |
Must |
Agencies MUST ensure that their SecPol, SRMP, SecSPlan, SOPs and IRP are appropriately classified. |
| 780 |
5.2.3.C.01. |
All Classifications |
Should |
The Information Security Policy (SecPol) SHOULD document the information security, guidelines, standards and responsibilities of an agency. |
| 781 |
5.2.3.C.02. |
All Classifications |
Should |
The Information Security Policy (SecPol) SHOULD include topics such as:
accreditation processes;
personnel responsibilities;
configuration control;
access control;
networking and connections with other systems;
physical security and media control;
emergency procedures and information security incident management;
vulnerability disclosure;
change management; and
information security awareness and training.
|
| 828 |
5.4.5.C.01. |
All Classifications |
Must |
Agencies MUST select controls from this manual to be included in the SecSPlan based on the scope of the system with additional system specific controls being included as a result of the associated SRMP. Encryption Key Management requires specific consideration; refer to Chapter 17 – Cryptography. |
| 829 |
5.4.5.C.02. |
All Classifications |
Should |
Agencies SHOULD use the latest baseline of this manual when developing, and updating, their SecSPlans as part of the certification, accreditation and reaccreditation of their systems. |
| 831 |
5.4.5.C.03. |
All Classifications |
Should |
Agencies SHOULD include a Key Management Plan in the SecSPlan. |
| 1048 |
6.1.9.C.01. |
All Classifications |
Should |
Agencies SHOULD review the components detailed in the table below. Agencies SHOULD also ensure that any adjustments and changes as a result of any vulnerability analysis are consistent with the vulnerability disclosure policy.
Component
Review
Information security documentation
The SecPol, Systems Architecture, SRMPs, SecSPlans, SitePlan, SOPs, the VDP, the IRP, and any third party assurance reports.
Dispensations
Prior to the identified expiry date.
Operating environment
When an identified threat emerges or changes, an agency gains or loses a function or the operation of functions are moved to a new physical environment.
Procedures
After an information security incident or test exercise.
System security
Items that could affect the security of the system on a regular basis.
Threats
Changes in threat environment and risk profile.
NZISM
Changes to baseline or other controls, any new controls and guidance.
|
| 1066 |
6.2.5.C.01. |
All Classifications |
Should |
Agencies SHOULD conduct vulnerability assessments in order to establish a baseline. This SHOULD be done:
before a system is first used;
after any significant incident;
after a significant change to the system;
after changes to standards, policies and guidelines; and/or
as
when specified by an ITSM or the system owner.
|
| 1095 |
6.3.7.C.03. |
All Classifications |
Should |
Agencies SHOULD follow this change management process outline:
produce a written change request;
submit the change request to all stakeholders for approval;
document the changes to be implemented;
test the approved changes;
notification to user of the change schedule and likely effect or outage;
implement the approved changes after successful testing;
update the relevant information security documentation including the SRMP, SecSPlan and SOPs
notify and educate system users of the changes that have been implemented as close as possible to the time the change is applied; and
continually educate system users in regards to changes.
|
| 1120 |
6.4.5.C.01. |
All Classifications |
Must |
Agencies MUST determine availability and recovery requirements for their systems and implement appropriate measures consistent with the agency's SRMP to support them. |
| 1153 |
7.1.7.C.01. |
Confidential, Secret, Top Secret |
Must |
Agencies MUST develop, implement and maintain tools and procedures covering the detection of potential information security incidents, incorporating:
user awareness and training;
counter-measures against malicious code, known attack methods and types;
intrusion detection strategies;
data egress monitoring & control;
access control anomalies;
audit analysis;
system integrity checking; and
vulnerability assessments.
|
| 1154 |
7.1.7.C.02. |
All Classifications |
Should |
Agencies SHOULD develop, implement and maintain tools and procedures covering the detection of potential information security incidents, incorporating:
user awareness and training;
counter-measures against malicious code, known attack methods and types;
intrusion detection strategies;
data egress monitoring & control;
access control anomalies;
audit analysis;
system integrity checking; and
vulnerability assessments.
|
| 1155 |
7.1.7.C.03. |
All Classifications |
Should |
Agencies SHOULD use the results of the security risk assessment to determine the appropriate balance of resources allocated to prevention versus resources allocated to detection of information security incidents. |
| 1205 |
7.2.17.C.02. |
All Classifications |
Should |
Agencies SHOULD:
encourage personnel to note and report any observed or suspected security weaknesses in, or threats to, systems or services;
establish and follow procedures for reporting system, software or other malfunctions;
put mechanisms in place to enable the types, volumes and costs of information security incidents and malfunctions to be quantified and monitored; and
deal with the violation of agency information security policies and procedures by personnel through training and, where warranted, a formal disciplinary process.
|
| 1216 |
7.2.19.C.01. |
All Classifications |
Must |
The Agency ITSM, MUST report signiinficant information security incidents, or incidents related to m categorised as:
Critical;
Serious; or
incidents related to multi-agency or government systems, ;
to the NCSC (see also below) as soon as possible. |
| 1220 |
7.2.20.C.01. |
All Classifications |
Should |
Agencies SHOULD, through an ITSM, report non-significant information security incidents categorised as Low to the NCSC. |
| 1223 |
7.2.21.C.01. |
All Classifications |
Should |
Agencies SHOULD formally report information security incidents using the NCSC adon-line reporting fon of the TAXII, STIX and CyBox protocolsm. |
| 1226 |
7.2.22.C.01. |
All Classifications |
Must |
Agencies that outsource their information technology services and functions MUST ensure that the service provider advises and consults with the agency when an information security incident occurs. |
| 1233 |
7.2.23.C.01. |
All Classifications |
Must |
Agencies MUST notify all system users of any suspected or confirmed loss or compromise of keying material. |
| 1237 |
7.2.25.C.01. |
All Classifications |
Must |
Agencies MUST urgently notify GCSB of any suspected loss or compromise of keying material associated with HGACE. |
| 1285 |
7.3.8.C.03. |
All Classifications |
Should |
When a data spill involving classified information or contaminating classified systems occurs and systems cannot be segregated or isolated agencies SHOULD immediately contact the GNCSBC for further advice. |
| 1290 |
7.3.9.C.01. |
All Classifications |
Should |
Agencies SHOULD follow the steps described below when malicious code is detected:
isolate the infected system;
decide whether to request assistance from GNCSBC;
if such assistance is requested and agreed to, delay any further action until advised by GNCSBC;
scan all previously connected systems and any media used within a set period leading up to the information security incident, for malicious code;
isolate all infected systems and media to prevent reinfection;
change all passwords and key material stored or potentially accessed from compromised systems, including any websites with password controlled access;
advise system users of any relevant aspects of the compromise, including a recommendation to change all passwords on compromised systems;
use up-to-date anti-malware software to remove the malware from the systems or media;
monitor network traffic for malicious activity;
report the information security incident and perform any other activities specified in the IRP; and
in the worst case scenario, rebuild and reinitialise the system.
|
| 1300 |
7.3.12.C.01. |
All Classifications |
Should |
Agencies SHOULD ensure that any requests for GNCSBC assistance are made as soon as possible after the information security incident is detected and that no actions which could affect the integrity of the evidence are carried out prior to GNCSBC’s involvement. |
| 1327 |
8.1.11.C.02. |
All Classifications |
Should |
Agencies SHOULD position desks, screens and keyboards so that they cannot be away from windows and doorways so that they cannot be overseen by unauthorised peoprsons. If required, bleinds or drapes SHOULD be fixed to the inside of windows, or fix band doors kept clinds or drapes to the inside of windows and away from doorwaysosed to avoid oversight. |
| 1409 |
8.4.11.C.01. |
All Classifications |
Should |
Agencies choosing to prevent the storage of classified information on non-volatile media and enforcing scrubbing of temporary data at logoff or shutdown SHOULD:
assess the security risks associated with such a decision; and
specify the processes and conditions for their application within the system’s SecSPlan.
|
| 1412 |
8.4.12.C.01. |
All Classifications |
Should |
Agencies securing volatile media for IT equipment during non-operational hours SHOULD:
disconnect power from the equipment the media resides within;
assess the security risks if not sanitising the media; and
specify any additional processes and controls that will be applied within the system’s SecSPlan.
|
| 1449 |
9.1.4.C.01. |
All Classifications |
Must |
Agency management MUST ensure that all personnel who have access to a system have sufficient training and ongoing information security awareness and training. |
| 1452 |
9.1.5.C.01. |
All Classifications |
Must |
Agencies MUST provide ongoing information security awareness and traininga training programme for personnel on topics such as responsibilities, legislation and regulation, consequences of non-compliance with information security policies and procedures, and potential security risks and counter-measures. |
| 1457 |
9.1.6.C.01. |
All Classifications |
Should |
Agencies SHOULD align the detail, content and coverage of information security awareness and training programmes to system user responsibilities. |
| 1480 |
9.2.10.C.01. |
All Classifications |
Must |
Agencies MUST specify in the System Security Plan (SecSPlan) any authorisations, security clearances and briefings necessary for system access. |
| 1484 |
9.2.11.C.02. |
All Classifications |
Should |
Agencies MSHOUSTLD:
limit system access on a need-to-know/need-to-access basis;
provide system users with the least amount of privileges needed to undertake their duties; and
have any requests for access to a system authorised by the supervisor or manager of the system user; and
ensure a formal acknowledgement of the security briefing is obtained and recorded.
|
| 1487 |
9.2.12.C.01. |
All Classifications |
Should |
Agencies SHOULD:
maintain a secure record of:
all authorised system users;
their user identification;
why access is required;
role and privilege level,
who provided the authorisation to access the system;
when the authorisation was granted; and
keep a copy of the acknowledgement signed by the individual granted a clearance; and
maintain the record, for the life of the system or information to which access is granted, or the length of employment, whichever is the longer, to which access is granted.
|
| 1508 |
9.2.18.C.01. |
All Classifications |
Must |
Agencies granting limited higher access to a system MUST ensure that:
effectithe approve controls are in place to restrict access to onlyal for access is formally acknowledged and recorded; and either
effective controls are in place to restrict access only to classified information that is necessary to undertake the system user’s duties; or
the system user is continually supervised by another system user who has the appropriate security clearances to access the system.
|
| 2412 |
10.5.11.C.01. |
All Classifications |
Should |
Agencies SHOULD inspect cables for inconsistencies with the cable register in accordance with the frequency defined in the SecSPlan. |
| 5626 |
10.6.29.C.01. |
Confidential, Secret, Top Secret |
Must |
Cabinet rails MUST be installed to
§ :
provide adequate room for patch cables and wire managers
§ A;
provide adequate space for cable management at front, sides, and rear
§ A; and
arrange switches and patch panels to minimize patching between cabinets & racks
.
|
| 2662 |
11.3.12.C.02. |
Confidential, Secret, Top Secret |
Must |
Agencies MUSHOULDT use push-to-talk mechandisetms to meet the requirement for off-hook audio protection. PTT activation MUST be clearly labelled. |
| 2767 |
11.5.16.C.03. |
All Classifications |
Must |
Where the use of personal wearable devices is permitted on medical grounds and used within a corporate or agency environment, agencies MUST ensure any relevant legislation and regulation pertaining to the protection of Personally Identifiable Information (PII) is properly managed and protectfollowed. |
| 3455 |
12.4.5.C.01. |
All Classifications |
Should |
Where known vulnerabilities cannot be patched, or security patches are not available, agencies SHOULD implement:
controls to resolve the vulnerability such as:
disable the functionality associated with the vulnerability though product configuration;
ask the vendor for an alternative method of managing the vulnerability;
install a version of the product that does not have the identified vulnerability;
install a different product with a more responsive vendor; or
engage a software developer to correct the software.
controls to prevent exploitation of the vulnerability including:
apply external input sanitisation (if an input triggers the exploit);
apply filtering or verification on the software output (if the exploit relates to an information disclosure);
apply additional access controls that prevent access to the vulnerability; or
configure firewall rules to limit access to the vulnerable software.
controls to contain the exploit including:
apply firewall rules limiting outward traffic that is likely in the event of an exploitation;
apply mandatory access control preventing the execution of exploitation code; or
set file system permissions preventing exploitation code from being written to disk;
allowhite and black and deny listing to prevent code execution; and
controls to detect attacks including:
deploy an IDS;
monitor logging alerts; or
use other mechanisms as appropriate for the detection of exploits using the known vulnerability.
controls to prevent attacks including:
deploy an IPS or HIPS; or
use other mechanisms as appropriate for the diversion of exploits using the known vulnerability, such as honey pots and Null routers.
|
| 3460 |
12.4.6.C.01. |
All Classifications |
Must |
Agencies MUST ensure that any firmware updates are performed in a manner that verifies the integrity and authenticity of the source and of the updating process or updating utility. |
| 3465 |
12.4.7.C.01. |
All Classifications |
Should |
Agencies SHOULD assess the security risk of continued usinge of software or IT equipment when a cessation date for support is announced or when the product is no longer supported by the developer. |
| 3537 |
12.6.4.C.01. |
All Classifications |
Must |
Agencies MUST sanitise or destroy, then declassify, IT equipment containing any media before disposal. |
| 3566 |
12.6.8.C.01. |
All Classifications |
Must |
Agencies MUST visually inspect video screens by turning up the brightness to the maximum level to determine if any classified information has been burnt into or persists on the screen, before redeployment or disposal. |
| 3572 |
12.6.9.C.01. |
All Classifications |
Must |
Agencies MUST attempt to sanitise video screens with minor burn-in or image persistence by displaying a solid white image on the screen for an extended period of time. If burn-in cannot be corrected the screen MUST be processed through an approved destruction facility. |
| 3709 |
12.7.21.C.01. |
All Classifications |
Should |
For equipment that is expected to have an extended operational life in a critical system, and in the event that the supplier is no longer able to supply these, agencies SHOULD provide for the acquisition of :
necessary licences and ;
information to produce spare parts, components, assemblies, ;
testing equipment and ; and
technical assistance agreements in the event that the supplier is no longer able to supply the equipment, products and essential spares.
|
| 3832 |
13.1.10.C.01. |
All Classifications |
Should |
Agencies SHOULD undertake a risk assessment with consideration given to proportionality in respect of :
scale and impact of the processes, data, ;
data;
users and ;
licences system and ;
usage agreements; and
service to be migrated or decommissioned.
|
| 4302 |
13.5.24.C.01. |
All Classifications |
Must |
Agencies MUST employ approved equipment for the purpose of media and IT Eequipment destruction MUST be performed using approved destruction equipment, facilities and methods. |
| 4304 |
13.5.24.C.02. |
All Classifications |
Must |
Where agencyies do not own thedir approvedwn destruction equipment is not available, agencies MUST use an approved destruction facility for media and IT Eequipment destruction. |
| 4343 |
13.5.25.C.01. |
All Classifications |
Must |
Agencies MUST, at minimum, store and handle the resulting waste for all methods, as forin accordance with the classification given in the table below.
Initial media or IT Equipment classification
Screen aperture size particles can pass through
Less than or equal to 3mm
Treat as
Less than or equal to 6mm
Treat as
TOP SECRET
UNCLASSIFIED
RESTRICTED
SECRET
UNCLASSIFIED
RESTRICTED
CONFIDENTIAL
UNCLASSIFIED
RESTRICTED
RESTRICTED
UNCLASSIFIED
UNCLASSIFIED
Particle size: measured in any direction, should not exceed stated measurement. |
| 4359 |
13.5.27.C.03. |
All Classifications |
Should |
The Destruction Register SHOULD record:
Date oestruction facility used;
Destruction method used;
Date of destruction;
Operator and witnesses;
Media or and IT Eequipment classification; and
Media or and IT Eequipment type, characteristics and serial number.
|
| 4367 |
13.5.29.C.01. |
Top Secret |
Must Not |
Agencies MUST NOT outsource the supervision and oversight of the destruction of TOP SECRET or NZEO media and IT Eequipment or other accountable material to a non-government entity or organisation. |
| 1234 |
14.2.4.C.01. |
All Classifications |
Should |
Agencies SHOULD implement application allowhite listing as part of the SOE for workstations, servers and any other network device. |
| 1242 |
14.2.5.C.01. |
All Classifications |
Must |
Agencies MUST ensure that a system user cannot disable the application allowhite listing mechanism. |
| 898 |
14.2.5.C.04. |
All Classifications |
Should |
Agencies SHOULD ensure that application allowhite listing does not replace the antivirus and anti-malware software within a system. |
| 907 |
14.2.6.C.01. |
All Classifications |
Should |
Agencies SHOULD ensure that system administrators are not automatically exempt from application allowhite listing policy. |
| 936 |
14.2.7.C.02. |
All Classifications |
Should |
Agencies SHOULD ensure that application allowhite listing is used in addition to a strong access control list model and the use of limited privilege accounts. |
| 940 |
14.2.7.C.03. |
All Classifications |
Should |
Agencies SHOULD plan and test application allowhite listing mechanisms and processes thoroughly prior to implementation. |
| 945 |
14.2.7.C.05. |
All Classifications |
Should |
Agencies SHOULD restrict the process creation permissions of any executables which are permitted to run by the application allowhite listing controls. |
| 947 |
14.2.7.C.07. |
All Classifications |
Should |
Logs from the application allowhite listing implementation SHOULD include all relevant information. |
| 1602 |
14.3.8.C.01. |
All Classifications |
Should |
Agencies permitting TLS through their gateways SHOULD implement:
a solution that decrypts and inspects the TLS traffic as per content filtering requirements; or
a n allowhite list specifying the addresses (uniform resource locators) to which encrypted connections are permitted, with all other addresses blocked.
|
| 1609 |
14.3.10.C.01. |
All Classifications |
Should |
Agencies SHOULD implement allowhite listing for all HTTP traffic being communicated through their gateways. |
| 1608 |
14.3.10.C.02. |
All Classifications |
Should |
Agencies using an allowhite list on their gateways to specify the external addresses, to which encrypted connections are permitted, SHOULD specify allowhite list addresses by domain name or IP address. |
| 1610 |
14.3.10.C.03. |
All Classifications |
Should |
If agencies do not allowhite list websites they SHOULD blackdeny list websites to prevent access to known malicious websites. |
| 1611 |
14.3.10.C.04. |
All Classifications |
Should |
Agencies blackdeny listing websites SHOULD update the blackdeny list on a frequent basis to ensure that it remains effective. |
| 1621 |
14.3.13.C.01. |
All Classifications |
Must Not |
Users MUST NOT use agency useridID and login passwords as credentials for external websites. |
| 6019 |
15.2.20.C.01. |
All Classifications |
Should |
Before implementing DMARC agencies SHOULD:
Create a DMARC policy;
List all domains , in particused for the sendinglar those used for the sending and/or receiving of email;
Review the configuration of SPF and DKIM for all active domains and all published domains; and
Establish one or more monitored inboxes to receive DMARC reports.
|
| 6020 |
15.2.20.C.02. |
All Classifications |
Should |
Agencies SHOULD enable DMARC for all email originating from or received by their domain(s), including:
sending domain owners SHOULD publish a DMARC record with a related DNS entry advising mail receivers of the characteristics of messages purporting to originate from the sender’s domain;
received DMARC messages SHOULD be managed in accordance with the agency’s published DMARC policy; and
agencies SHOULD produce failure reports and aggregate reports according to the agency’s DMARC policies.
|
| 1745 |
15.2.21.C.01. |
All Classifications |
Should |
Agencies SHOULD configure the following gateway filters:
inbound and outbound email, including any attachments, that contain:
malicious code;
content in conflict with the agency’s email policy;
content that cannot be identified;
deny listed or unauthorised filetypes; and
encrypted content, when that content cannot blacklisted or unauthorised filetye inspescted for malicious code or authenticated as originating from a trusted source; and
encrypted content,
emails addressed to internal email aliases when that content cannot be inspected for malicious code or authenticated as originating from a trusted sourceith source addresses located from outside the domain;
emails addressed to internal email aliases and
all emails arriving via an external connection with source addresses located from outside the domain; and
all emails arriving via an external connection where the source address uses an internal agency domain name.
|
| 1827 |
16.1.31.C.01. |
All Classifications |
Must |
Agencies MUST:
develop, implement and maintain a set of policies and procedures covering all system users’:
identification;
authentication;
authorisation;
privileged access identification and management; and
make their system users aware of the agency’s policies and procedures.
|
| 2070 |
17.1.51.C.01. |
All Classifications |
Must |
Agencies using cryptographic functionality within a product for the protection of classifiedto protect the confidentiality, authentication, non-repudiation or integrity of information, MUST ensure that the product has completed a cryptographic evaluation recognised by the GCSB. |
| 2080 |
17.1.53.C.02. |
Confidential, Secret, Top Secret |
Must |
If an agency wishes to reduce the storage or physical transfer requirements for IT equipment or media that contains classified information, they MUST encrypt the classified information using High GradAssurance Cryptographic Equipment (HGACE). It is important to note that the classification of the information itself remains unchanged. |
| 2081 |
17.1.53.C.03. |
Confidential, Secret, Top Secret |
Must |
If an agency wishes to use encryption to reduce the storage, handling or physical transfer requirements for IT equipment or media that contains classified information, they MUST use:
full disk encryption; or
partial disk encryption where the access control will allow writing onlyONLY to the encrypted partition holding the classified information.
|
| 2082 |
17.1.53.C.04. |
All Classifications |
Should |
If an agency wishes to use encryption to reduce the storage or physical transfer requirements for IT equipment or media that contains classified information, they SHOULD use:
full disk encryption; or
partial disk encryption where the access control will only allow writing ONLY to the encrypted partition holding the classified information.
|
| 2089 |
17.1.55.C.01. |
Confidential, Secret, Top Secret |
Must |
Agencies MUST use HGACE if they wish to communicate or pass information over UNCLASSIFIED, insecure or unprotected networks. |
| 2090 |
17.1.55.C.02. |
Restricted/Sensitive |
Must |
Information or systems classified RESTRICTED or SENSITIVE MUST be encrypted with an aApproved encryption alCryptogorithm and praphic Algorithm and Protocol if information is transmitted or systems are communicating over any insecure or unprotected network such as the Internets, such as the Internet, public infrastructurenetworks or non-agency controlled networks. |
| 2091 |
17.1.55.C.03. |
All Classifications |
Must |
Agencies MUST encrypt aggregated agency data using an approved algorithm and protocol when data is transmitted over insecure or unprotected networks such as the Internet, pubetween data centres over insecure or unprotectlic infrastructure or non-agency controlled networks such as the Internet, public inwhen the compromise ofrastructure or non-agency controlled networks the aggregated data would present a significant impact to the agency. |
| 2092 |
17.1.55.C.04. |
All Classifications |
Should |
Agencies SHOULD useencrypt agency data using an approved encryption productalgorithm and protocol if they wish to communicate over insecure or unprotected networks such as the Internet, public networks or non-agency controlled networks. |
| 2097 |
17.1.56.C.02. |
All Classifications |
Must |
Agencyies MUST consult the GCSB for further advice on the powered off status and treatment of specific psoftwaroduce, systems and IT equsagipment. |
| 2105 |
17.1.58.C.03. |
All Classifications |
Must |
Agencies using HACE MUST consult with the GCSB for the key management requirements for HGCE. |
| 2128 |
17.2.17.C.01. |
All Classifications |
Must |
Agencies using an unevaluated product that implements an Approved Cryptographic Algorithm MUST ensure that only Approved Cryptographic Algorithms can be used when using an unevaluated product that implements a combination of approved and non-approved Cryptographic Algorithms. |
| 2134 |
17.2.19.C.01. |
All Classifications |
Must |
Agencies using DH, for the approved use of agreeing on encryption session keys, MUST use a modulus of at least 4309672 bits. |
| 2137 |
17.2.20.C.01. |
All Classifications |
Must |
Legacy dDevices which are NOT capable of implementing required key lengths MUST be reconfigured with the longest feasible key length as a matter of urgency. |
| 2138 |
17.2.20.C.02. |
All Classifications |
Must |
Legacy dDevices which are NOT capable of implementing required key lengths MUST be scheduled for replacement as a matter of urgency. |
| 2148 |
17.2.23.C.01. |
All Classifications |
Must |
Agencies using ECDSA, for the approved use of digital signatures, MUST implement the curves P-256 and P-384 (prime moduli). |
| 2151 |
17.2.24.C.01. |
All Classifications |
Must |
Agencies using RSA, for the approved use of digital signatures and passing encryption session keys or similar keys, MUST use a modulus of at least 3072048 bits. |
| 2155 |
17.2.26.C.01. |
All Classifications |
Must |
Agencies MUST use the SHA-2 family befor new systems. Use usingof SHA-1 is permitted ONLY for legacy systems. |
| 5905 |
17.2.26.C.02. |
All Classifications |
Must |
Agencies MUSHOULDT use a minimum of SHA-384 when using hashing algorithms to provide integrity protection for information classified as RESTRICTED/SENSITIVE or above. |
| 2158 |
17.2.28.C.01. |
All Classifications |
Should Not |
Agencies using approved symmetric encryption algorithms (e.g. AES or 3DES) SHOULD NOT use eElectronic cCodeb Book (ECB) mode. |
| 2598 |
17.4.16.C.01. |
All Classifications |
Should |
Agencies SHOULD use the current version of TLS (version 1.23). |
| 2737 |
17.5.9.C.01. |
All Classifications |
Should |
Agencies that use SSH-agent or other similar key caching programs SHOULD:
only use the software on workstation and servers with screenlocks;
ensure that the key cache expires within four hours of inactivity; and
ensure that agent credential forwarding is used when multiple SSH transversal is needed.
|
| 3021 |
17.9.25.C.01. |
All Classifications |
Should |
The table below describes the minimum contents which SHOULD be documented in the KMP.
Topic
Content
Objectives
Objectives of the cryptographic system and KMP, including organisational aims.
Refer to relevant NZCSIs.
System description
The environment.
Maximum classification of information protected.
Topology Diagram(s) and description of the cryptographic system topology including data flows.
The use of keys.
Key algorithm.
Key length.
Key lifetime.
Roles and administrative responsibilities.
Documents roles and responsibilities, including the:
COMSEC Custodian;
Cryptographic systems administrator;
Record keeper; and
Auditor.
Accounting
How accounting will be undertaken for the cryptographic system.
What records will be maintained.
How records will be audited.
Classification
Classification of the cryptographic system hardware.
Classification of cryptographic system software.
Classification of the cryptographic system documentation.
Information security incidents
A description of the conditions under which compromise of key material should be declared.
References to procedures to be followed when reporting and dealing with information security incidents.
Key management
Who generates keys.
How keys are delivered.
How keys are received.
Key distribution, including local, remote and central.
How keys are installed.
How keys are transferred.
How keys are stored.
How keys are recovered.
How keys are revoked.
How keys are destroyed.
Maintenance
Maintaining the cryptographic system software and hardware.
Destroying equipment and media.
References
Vendor documentation.
Related policies.
|
| 3043 |
17.9.31.C.01. |
All Classifications |
Must |
Agencies MUST comply with NZCSI when using HGCP or HGACE. |
| 3053 |
17.9.32.C.03. |
All Classifications |
Should Not |
Agencies SHOULD NOT transport commercial grade cryptographic equipment or products in a keyed state. |
| 3290 |
18.2.6.C.01. |
All Classifications |
Must |
Agencies deploying a wireless network for public access MUST segparegate it from any other agency networks; including BYOD networks. |
| 3617 |
18.2.33.C.01. |
All Classifications |
Should |
The effective range of wireless communications outside an agency’s area of control SHOULD be limited by:
Minimising the output power level of wireless devices; and/or.
Implementing RF shielding within buildings in which wireless networks are used.
|
| 3621 |
18.2.34.C.01. |
All Classifications |
Should |
Wireless networks SHOULD be sufficiently segregated through the use of channel separation. |
| 3740 |
18.3.12.C.01. |
Confidential, Secret, Top Secret |
Must |
Agencies MUST:
configure VTC and VoIP devices to authenticate themselves to the call controller upon registration;
disable phone auto-registration and only allow a n allowhite list of authorised devices to access the network;
block unauthorised devices by default;
disable all unused and prohibited functionality; and
use individual logins for IP phones.
|
| 3741 |
18.3.12.C.02. |
All Classifications |
Should |
Agencies SHOULD:
configure VoIP phones to authenticate themselves to the call controller upon registration;
disable phone auto-registration and onlyuse an allow a whitelist of authorised devices to access the network;
block unauthorised devices by default;
disable all unused and prohibited functionality; and
use individual logins for IP phones.
|
| 3777 |
18.3.17.C.01. |
All Classifications |
Should |
Agencies SHOULD use access control software to control USB ports on workstations using softphones and webcams by utilising the specific vendor and product identifier of the authorised phondevice. |
| 4015 |
19.4.4.C.01. |
All Classifications |
Must |
Agencies MUST use devices as shown in the following table for controlling the data flow of one-way gateways between networks of different classifications.
High networrk
Low network
You require
RESTRICTED
UNCLASSIFIED
EAL2 or PP diode
RESTRICTED
EAL2 or PP diode
CONFIDENTIAL
UNCLASSIFIED
high assurance diode
RESTRICTED
high assurance diode
CONFIDENTIAL
high assurance diode
SECRET
UNCLASSIFIED
high assurance diode
RESTRICTED
high assurance diode
CONFIDENTIAL
high assurance diode
SECRET
high assurance diode
TOP SECRET
UNCLASSIFIED
high assurance diode
RESTRICTED
high assurance diode
CONFIDENTIAL
high assurance diode
SECRET
high assurance diode
TOP SECRET
high assurance diode
|
| 4710 |
19.5.24.C.07. |
All Classifications |
Must |
Agencies procuring or using VoIP or UC services to be used by multiple agencies MUST ensure all interested parties formally agree to the risks, essential controls and any residual risks of such VoIP and UC services. The lead agency normally has this responsibility (see Chapter 2 - Information Security within Government and Chapter 4 - System Certification and Accreditation). |
| 4715 |
19.5.25.C.01. |
All Classifications |
Must |
Agencies MUST follow the gateway requirements described in this Chapter 19 - Gateway Security. |
| 4742 |
19.5.27.C.06. |
All Classifications |
Should |
Event logs covering all VoIP and UC services SHOULD be maintained in accordance with the requirements of the NZISM. See sections 16.6 - Event Logging and Auditing and 13.1.12 - Archiving. |
| 4752 |
19.5.28.C.05. |
All Classifications |
Should |
Agencies SHOULD consider the use of balacklistingow and whitdeny listing to manage fraudulent calls to known fraudulent call destinations. |
| 4301 |
20.2.10.C.01. |
All Classifications |
Must |
To prevent the export of NZEO data to foreign systems, agencies MUST implement NZEO data filtering performed by a product specifically designed or configured for that purpose. |
| 4336 |
20.3.8.C.01. |
All Classifications |
Should |
Agencies SHOULD perform content/ conversion, file conversion or both for all ingress or egress data transiting a security domain boundary. |
| 4339 |
20.3.9.C.01. |
All Classifications |
Should |
Agencies SHOULD perform content/ and file sanitisation on suitable file types if content/ conversion or file conversion is not appropriate for data transiting a security domain boundary. |
| 4401 |
20.3.11.C.01. |
All Classifications |
Should |
Agencies SHOULD extract the contents from archive/ and container files and subject the extracted files to content filter tests. |
| 4402 |
20.3.11.C.02. |
All Classifications |
Should |
Agencies SHOULD perform controlled inspection of archive/ and container files to ensure that content filter performance orand availability is not adversely affected. |
| 4406 |
20.3.12.C.01. |
Confidential, Secret, Top Secret |
Must |
Agencies MUST identify, create and enforce an allowhite list of permitted content types based on business requirements and the results of a security risk assessment. |
| 4407 |
20.3.12.C.02. |
All Classifications |
Should |
Agencies SHOULD identify, create and enforce an allowhite list of permitted content types based on business requirements and the results of a security risk assessment. |
| 4483 |
21.1.13.C.01. |
Confidential, Secret, Top Secret |
Must |
Agencies unable to lower the storage and physical transfer requirements of a mobile device to an unclassified level through the use of encryption MUST physically store or transfer the device as a classified asset in accordance with the relevant handling instructions (refer to the PSR). |
| 4485 |
21.1.13.C.03. |
All Classifications |
Should |
Agencies unable to lower the storage and physical transfer requirements of a mobile device to an unclassified level through the use of encryption SHOULD physically store or transfer the device as a classified asset in accordance with the relevant handling instructions (refer to the PSR). |
| 4541 |
21.2.4.C.01. |
All Classifications |
Must Not |
Agencies MUST NOT allow personnel to access or communicate classified information on mobile devices outside of secure areas unless there is a reduced chance of being overheard orand having the screen of the device observed. |
| 4555 |
21.2.7.C.02. |
All Classifications |
Must |
Travelling personnel requested to decrypt mobile devices for inspection or from whom mobile devices are taken out of sight by customs personnel or from whom mobile devices are taken out of sight by customs personneborder control MUST report the potential compromise of classified information or the device to an ITSM as soon as possible. |
| 4650 |
21.4.10.C.16. |
All Classifications |
Must |
The responsibility for payment of voice and data plans and roaming charges MUST be specified and agreed. |
| 4658 |
21.4.11.C.04. |
All Classifications |
Must |
Network configuration policies and authentication mechanisms MUST be configured to allow access to agency resources ONLY through the BYOD network segment. |
| 4660 |
21.4.11.C.06. |
All Classifications |
Must |
Wireless accesses points used for access to agency networks MUST be implemented and secured in accordance with the directions in this manual (See Section 18.2 – Wireless Local Area Networks). |
| 4666 |
21.4.11.C.12. |
All Classifications |
Must |
BYOD MUST have a Mobile Device Management (MDM) solution implemented with a minimum of the following enabled:
The MDM is enabled to “wipe” devices of any agency data if lost or stolen;
If the MDM cannot discriminate between agency and personal data, all data, including personal data, is deleted if the device is lost or stolen;
The MDM is capable of remotely applying agency security configurations for BYOD devices;
Mobile device security configurations are validated (health check) by the MDM before a device is permitted to connect to the agency’s systems;
“Jail-broken”, “rooted” or settings violations MUST be detected and isolated;
“Jail-broken” devices are NOT permitted to access agency resources;
Access to agency resources is limited until the device and/orboth the device and user is fully compliant with policy and SOPs;
Auditing and logging is enabled; and
Changes of Subscriber Identity Module (SIM) card are monitored to allow remote blocking and wiping in the event of theft or compromise.
|
| 4667 |
21.4.11.C.13. |
All Classifications |
Must |
Appropriate iIntrusion detection systems MUST be implemented. |
| 4675 |
21.4.11.C.20. |
All Classifications |
Should |
BYOD devices and systems SHOULD use Multi-factor (at least two-factor) authentication to connect to agency systems and prior to being permitted access to agency data. |
| 4680 |
21.4.12.C.02. |
All Classifications |
Must |
Agencies MUST implement rogue AP and wireless “hot spot” detection and implement appropriate response procedures where detection occurs. |
| 4681 |
21.4.12.C.03. |
All Classifications |
Should |
Agencies SHOULD conduct a baseline survey to identify:
Known andAll authorised devices and AP’s; and
KAnown andy unauthorised devices and AP’s.
|
| 4686 |
21.4.13.C.03. |
All Classifications |
Must |
The use of virtual containers, sandboxes, wraps or similar mechanisms on the mobile device MUST be established for each authorised session for any organisational data. These virtual containermechanisms MUST be non-persistent and be removed at the end of each session. |
| 4687 |
21.4.13.C.04. |
All Classifications |
Must |
Any sensitive agency data MUST be removed/ and securely deleted, or encrypted at the end of a session. |
| 4690 |
21.4.13.C.07. |
All Classifications |
Must |
Agencies MUST disable split-tunnelling when using a BYOD device to connect to an agency network (See Section 21.1 – Agency Owned Mobile Devices). |
| 4692 |
21.4.13.C.09. |
All Classifications |
Must |
The use of passwords or PINs to unlock the BYOD device MUST be enforced in addition to all other agency authentication mechanisms agency access. |
| 4693 |
21.4.13.C.10. |
All Classifications |
Must |
BYOD device passwords MUST be distinct from any agency access and authentication passwords. |
| 4812 |
22.1.21.C.05. |
All Classifications |
Must |
Agencies MUST consult with the GCIDO to ensure the strategic and other cloud risks are comprehensively assessed. |
| 4813 |
22.1.21.C.06. |
All Classifications |
Must |
Agencies procuring or using cloud services to be used by multiple agencies MUST ensure all interested parties formally agree the risks, essential controls and any residual risks of such cloud services. |
| 4814 |
22.1.21.C.07. |
All Classifications |
Must |
Agencies using cloud services MUST ensure they have conducted a documented risk assessment, accepted any residual risks, and followed the endorsement procedure required by the GCIDO. |
| 4822 |
22.1.22.C.03. |
All Classifications |
Must |
Agencies using cloud services hosted offshore and connected to All-of-Government systems MUST ensure they have conducted a risk assessment, accepted any residual risks, and followed the endorsement procedure required by the GCIDO. |