This is a report of changes between nzism-data/NZISM-FullDoc-V.3.3-February 2020.xml and nzism-data/NZISM-FullDoc-V.3.4-September 2020.xml.

Controls Added

CID Title Classifications Compliances Text
6835 16.4.30.C.01. All Classifications Must Agencies MUST establish a Privileged Access Management (PAM) policy.
6836 16.4.30.C.02. All Classifications Must Within the context of agency operations, the agency’s PAM policy MUST define: a privileged account; and privileged access.
6837 16.4.30.C.03. All Classifications Must Agencies MUST manage Privileged Accounts in accordance with the Agency’s PAM Policy.
6842 16.4.31.C.01. All Classifications Must Agencies MUST apply the Principle of Least Privilege when developing and implementing a Privileged Access Management (PAM) policy.
6843 16.4.31.C.02. All Classifications Should Agencies SHOULD use two-factor or Multi-Factor Authentication to allow access to Privileged Accounts.
6846 16.4.32.C.01. All Classifications Must As part of a Privileged Access Management (PAM) policy, agencies MUST establish and implement a strong approval and authorisation process before any privileged access credentials are issued.
6847 16.4.32.C.02. All Classifications Must Not Privileged Access credentials MUST NOT be issued until approval has been formally granted.
6852 16.4.33.C.01. All Classifications Must Agencies MUST establish robust credential suspension and revocation procedures as part of the agency’s Privileged Access Management (PAM) policy.
6855 16.4.34.C.01. All Classifications Must Agencies MUST create and maintain a comprehensive inventory of privileged accounts and the associated access rights and credentials.
6859 16.4.35.C.01. All Classifications Must Agencies MUST create, implement and maintain a robust system of continuous discovery, monitoring and review of privileged accounts and the access rights and credentials associated with those accounts.
6860 16.4.35.C.02. All Classifications Must Privileged account monitoring systems MUST monitor and record: individual user activity, including exceptions such as out of hours access; activity from unauthorised sources; any unusual use patterns; and any creation of unauthorised privileged access credentials.
6861 16.4.35.C.03. All Classifications Must Agencies MUST protect and limit access to activity and audit logs and records.
6864 16.4.36.C.01. All Classifications Must Agencies MUST develop and implement a response and remediation policy and procedure as part of an agency’s Privileged Access Management (PAM) policy.
6868 16.4.37.C.01. All Classifications Must Agencies MUST implement a Privileged Access Management (PAM) policy training module as part of the agency’s overall user training and awareness requirement.
6948 16.7.33.C.01. All Classifications Must Agencies MUST undertake a risk analysis before designing and implementing MFA.
6952 16.7.34.C.01. All Classifications Should The design of an agency’s MFA SHOULD include consideration of: Risk Identification; Level of security and access control appropriate for each aspect of an agency’s information systems (data, devices, equipment, storage, cloud, etc.); A formal authorisation process for user system access and entitlements; Logging, monitoring and reporting of activity; Review of logs for orphaned accounts and inappropriate user access; Identification of errors and anomalies which may indicate inappropriate or malicious activity; Incident response; Remediation of errors; Suspension and/or revocation of access rights where policy violations occur; Capacity planning.
6953 16.7.34.C.02. All Classifications Should Where an agency has implemented MFA they SHOULD: Require MFA for administrative or other high privileged users; and Implement a secure, multi-factor process to allow users to reset their normal usage user credentials.
6956 16.7.35.C.01. All Classifications Should The design of an agency’s MFA system SHOULD be integrated with the agency’s Information Security Policy and the agency’s Privileged Access Management (PAM) Policy.
6960 16.7.36.C.01. All Classifications Must When agencies implement MFA they MUST ensure users have an understanding of the risks, and include appropriate usage and safeguards for MFA in the agency’s user training and awareness programmes.

Controls Removed

CID Title Classifications Compliances Text

Controls Changed

CID Title Classifications Compliances Text
6019 15.2.22.C.01. All Classifications Should Before implementing DMARC agencies SHOULD: Create a DMARC policy; List all domains, in particular those used for the sending and/or receiving of email; Review the configuration of SPF and DKIM for all active domains and all published domains; and Establish one or more monitored inboxes to receive DMARC reports.
6020 15.2.22.C.02. All Classifications Should Agencies SHOULD enable DMARC for all email originating from or received by their domain(s), including: sending domain owners SHOULD publish a DMARC record with a related DNS entry advising mail receivers of the characteristics of messages purporting to originate from the sender’s domain; received DMARC messages SHOULD be managed in accordance with the agency’s published DMARC policy; and agencies SHOULD produce failure reports and aggregate reports according to the agency’s DMARC policies.
1827 16.1.31.C.01. All Classifications Must Agencies MUST: develop, implement and maintain a set of policies and procedures covering all system users’: identification; authentication; authorisation; privileged access identification and management; and make their system users aware of the agency’s policies and procedures.
2598 17.4.16.C.01. All Classifications Should Agencies SHOULD use the current version of TLS (version 1.3).
4675 21.4.11.C.20. All Classifications Should BYOD devices and systems SHOULD use Multi-factor (at least two-factor) authentication to connect to agency systems and prior to being permitted access to agency data.