This is a report of changes between nzism-data/NZISM-FullDoc-V.3.3-February 2020.xml and nzism-data/NZISM-FullDoc-V.3.5-January-2022.xml.

Controls Added

CID Title Classifications Compliances Text
7045 2.3.25.C.01. All Classifications Must Agencies intending to adopt public cloud technologies or services MUST develop a plan for how they intend to use these services.  This plan can be standalone or part of an overarching ICT strategy.
7046 2.3.25.C.02. All Classifications Should An agency’s cloud adoption plan SHOULD cover: Outcomes and benefits that the adoption of cloud technologies will bring; Risks introduced or mitigated through the use of cloud, and the agency’s risk tolerance; Financial and cost accounting models; Shared responsibility models; Cloud deployment models; Cloud security strategy; Resilience and recovery approaches; Data recovery on contract termination; Cloud exit strategy and other contractual arrangements; and A high level description of the foundation services that enable cloud adoption, including: User, device and system identity; Encryption and key management; Information management; Logging and alerting; Incident management; Managing privileged activities; and Cost management.
7049 2.3.26.C.01. All Classifications Should Agencies intending to adopt public cloud technologies or services SHOULD incorporate Zero Trust philosophies and concepts.
7050 2.3.26.C.02. All Classifications Should Agencies SHOULD leverage public cloud environment native security services as part of legacy system migrations, in preference to recreating application architectures that rely on legacy perimeter controls for security.
7084 3.2.10.C.04. All Classifications Should The CISO SHOULD work with system owners, system certifiers and system accreditors to determine appropriate information security policies for their systems and ensure consistency with the Protective Security Requirements (PSR) and in particular the relevant NZISM components.
7130 5.9.23.C.01. All Classifications Must An agency MUST undertake a risk assessment to determine which systems and services to include in the agency’s VDP.
7133 5.9.24.C.01. All Classifications Must An agency MUST develop and publish a VDP.
7134 5.9.24.C.02. All Classifications Must An agency’s VDP MUST contain at least the following core content: A scoping statement listing the systems the policy applies to; Contact details; Secure communication options (including any public keys); Information the finder should include in the report; Acknowledgement of reports and a response time; Guidance on what forms of vulnerability testing are out of scope for reporters/finders (permitted activities); Reporters/finders agreeing to not share information about the vulnerability until the end of the disclosure period, in order to allow let the agency to address any issues before they become public; Illegal activities are not permitted (specifying the relevant legislation, such as the Crimes Act); and Either that “Bug bounties” will not be paid for any discoveries, or it should provide information about the agency’s bug bounty programme.
7136 5.9.25.C.01. All Classifications Should An agency SHOULD publish a security.txt to permit secure communications and direct any reports to a specific agency resource, in accordance with the agency’s VDP.
7138 5.9.26.C.01. All Classifications Must An agency MUST commit to addressing disclosed vulnerabilities within the timeframe it sets in its policy.
7139 5.9.26.C.02. All Classifications Should An agency’s vulnerability disclosure timeframe SHOULD be set to no more than 90 days.
7141 5.9.27.C.01. All Classifications Must Agencies MUST ensure they integrate their VDP with other elements of their information security policies.
6997 12.6.10.C.01. All Classifications Must Because of the risks that data can be recovered from monitors, it is essential that any redeployment or disposal of monitors MUST follow the guidance in the NZISM.
7165 13.5.24.C.03. All Classifications Must Where a facility is NOT an approved facility, agencies MUST ensure any incineration equipment is rated for the destruction of electronic waste (WEEE) and the operator is properly authorised or licensed.
7166 13.5.24.C.04. All Classifications Must Where a facility is NOT an approved facility, agencies MUST ensure processes are in place for the safe handling of electronic waste (WEEE), including any residual material from the destruction process.
6835 16.4.30.C.01. All Classifications Must Agencies MUST establish a Privileged Access Management (PAM) policy.
6836 16.4.30.C.02. All Classifications Must Within the context of agency operations, the agency’s PAM policy MUST define: a privileged account; and privileged access.
6837 16.4.30.C.03. All Classifications Must Agencies MUST manage Privileged Accounts in accordance with the Agency’s PAM Policy.
6842 16.4.31.C.01. All Classifications Must Agencies MUST apply the Principle of Least Privilege when developing and implementing a Privileged Access Management (PAM) policy.
6843 16.4.31.C.02. All Classifications Should Agencies SHOULD use two-factor or Multi-Factor Authentication to allow access to Privileged Accounts.
6846 16.4.32.C.01. All Classifications Must As part of a Privileged Access Management (PAM) policy, agencies MUST establish and implement a strong approval and authorisation process before any privileged access credentials are issued.
6847 16.4.32.C.02. All Classifications Must Not Privileged Access credentials MUST NOT be issued until approval has been formally granted.
6852 16.4.33.C.01. All Classifications Must Agencies MUST establish robust credential suspension and revocation procedures as part of the agency’s Privileged Access Management (PAM) policy.
6855 16.4.34.C.01. All Classifications Must Agencies MUST create and maintain a comprehensive inventory of privileged accounts and the associated access rights and credentials.
6859 16.4.35.C.01. All Classifications Must Agencies MUST create, implement and maintain a robust system of continuous discovery, monitoring and review of privileged accounts and the access rights and credentials associated with those accounts.
6860 16.4.35.C.02. All Classifications Must Privileged account monitoring systems MUST monitor and record: individual user activity, including exceptions such as out of hours access; activity from unauthorised sources; any unusual use patterns; and any creation of unauthorised privileges access credentials.
6861 16.4.35.C.03. All Classifications Must Agencies MUST protect and limit access to activity and audit logs and records.
6864 16.4.36.C.01. All Classifications Must Agencies MUST develop and implement a response and remediation policy and procedure as part of an agency’s Privileged Access Management (PAM) policy.
6868 16.4.37.C.01. All Classifications Must Agencies MUST implement a Privileged Access Management (PAM) policy training module as part of the agency’s overall user training and awareness requirement.
6948 16.7.33.C.01. All Classifications Must Agencies MUST undertake a risk analysis before designing and implementing MFA.
6952 16.7.34.C.01. All Classifications Should The design of an agency’s MFA SHOULD include consideration of: Risk Identification; Level of security and access control appropriate for each aspect of an agency’s information systems (data, devices, equipment, storage, cloud, etc.) A formal authorisation process for user system access and entitlements; Logging, monitoring and reporting of activity; Review of logs for orphaned accounts and inappropriate user access; Identification of error and anomalies which may indicate inappropriate or malicious activity; Incident response; Remediation of errors; Suspension and/or revocation of access rights where policy violations occur; Capacity planning.
6953 16.7.34.C.02. All Classifications Should Where an agency has implemented MFA they SHOULD: Require MFA for administrative or other high privileged users; and Implement a secure, multi-factor process to allow users to reset their normal usage user credentials.
6956 16.7.35.C.01. All Classifications Should The design of an agency’s MFA system SHOULD be integrated with the agency’s Information Security Policy and the agency’s Privileged Access Management (PAM) Policy.
6960 16.7.36.C.01. All Classifications Must When agencies implement MFA they MUST ensure users have an understanding of the risks, and include appropriate usage and safeguards for MFA in the agency’s user training and awareness programmes.
7189 17.2.21.C.01. All Classifications Must Agencies using DSA, for the approved use of digital signatures, MUST use a modulus of at least 1024 bits.
7181 17.2.24.C.03. All Classifications Should Agencies using RSA, for the approved use of digital signatures and passing encryption session keys or similar keys, SHOULD use a modulus of at least 4096 bits.
7186 17.2.25.C.01. All Classifications Must Agencies using RSA keys within internet X.509 Public Key Infrastructure certificates MUST use a modulus of at least 2048 bits.
7187 17.2.26.C.03. All Classifications Must In all other cases when information requires integrity protection using hashing algorithms, Agencies MUST use a minimum of SHA-256.

Controls Removed

CID Title Classifications Compliances Text
383 3.3.6.C.05. All Classifications Should ITSMs SHOULD work with system owners, systems certifiers and systems accreditors to determine appropriate information security policies for their systems and ensure consistency with the Protective Security Requirements (PSR) and in particular the relevant NZISM components.
2141 17.2.20.C.01. All Classifications Must Agencies using DSA, for the approved use of digital signatures, MUST use a modulus of at least 1024 bits.
2161 17.2.27.C.01. All Classifications Must 3DES MUST use either two distinct keys in the order key 1, key 2, key 1 or three distinct keys.
2170 17.2.28.C.01. All Classifications Should AES implementations for symmetric encryption of data SHOULD use the Galois/Counter Mode (GCM).

Controls Changed

CID Title Classifications Compliances Text
127 1.1.64.C.01. All Classifications Must System owners seeking a dispensation for non-compliance with any baseline controls in this manual MUST be granted a dispensation by their Accreditation Authority. Where High GradAssurance Cryptographic Systems (HACS) are implemented, the Accreditation Authority will be the Director-General GCS) are implemented, the Accreditation Authority will be the Director-General GCSB or a formal delegate.
255 2.3.27.C.01. All Classifications Must Agencies intending to adopt cloud technologies or services MUST conduct a comprehensive risk assessment, in accordance with the guidance provided by the Government CIhief Digital Officer (GCDO) before implementation or adoption.
283 3.1.8.C.02. All Classifications Should When the agency head devolvegates their authority, the delegate SHOULD be a senior executive who understands the CISOconsequences and potential impact to the business of the acceptance of residual risk.
311 3.2.8.C.05. All Classifications Should Where multhiple roles ofare held by the CISO is outsourced,any potential conflicts of interest in availability, response times or working with vendors SHOULD be identified and carefully managed.
322 3.2.11.C.01. All Classifications Should The CISO SHOULD be responsible for establishing mechanisms and programs to ensuringe compliance with the information security policies and standards within the agency.
323 3.2.11.C.02. All Classifications Should The CISO SHOULD be responsible for ensuring agency compliance with the NZISM through facilitating a continuous program of certification and accreditation bof asedll on security risk managency systements.
334 3.2.13.C.02. All Classifications Should The CISO SHOULD liaise with agency technology architecture teams to ensure alignment between security and agency architectures.
634 4.4.12.C.03. All Classifications Must Agencies MUST notify the Government CIhief Digital Officer (GCDO) where All-of-Government systems are connected to agency systems operating with expired accreditations.
675 4.5.18.C.03. All Classifications Must The Accreditation Authority MUST advise the GCIDO where the accreditation decision may affect any All-of-Government systems.
781 5.2.3.C.02. All Classifications Should The Information Security Policy (SecPol) SHOULD include topics such as: accreditation processes; personnel responsibilities; configuration control; access control; networking and connections with other systems; physical security and media control; emergency procedures and information security incident management; vulnerability disclosure; change management; and information security awareness and training.
1048 6.1.9.C.01. All Classifications Should Agencies SHOULD review the components detailed in the table below. Agencies SHOULD also ensure that any adjustments and changes as a result of any vulnerability analysis are consistent with the vulnerability disclosure policy. Component Review Information security documentation The SecPol, Systems Architecture, SRMPs, SecPlans, SitePlan, SOPs, the VDP, the IRP, and any third party assurance reports. Dispensations Prior to the identified expiry date. Operating environment When an identified threat emerges or changes, an agency gains or loses a function or the operation of functions are moved to a new physical environment. Procedures After an information security incident or test exercise. System security Items that could affect the security of the system on a regular basis. Threats Changes in threat environment and risk profile. NZISM Changes to baseline or other controls, any new controls and guidance.
1237 7.2.25.C.01. All Classifications Must Agencies MUST urgently notify GCSB of any suspected loss or compromise of keying material associated with HGACE.
2662 11.3.12.C.02. Confidential, Secret, Top Secret Must Agencies MUSHOULDT use push-to-talk mechandisetms to meet the requirement for off-hook audio protection. PTT activation MUST be clearly labelled.
3537 12.6.4.C.01. All Classifications Must Agencies MUST sanitise or destroy, then declassify, IT equipment containing any media before disposal.
3566 12.6.8.C.01. All Classifications Must Agencies MUST visually inspect video screens by turning up the brightness to the maximum level to determine if any classified information has been burnt into or persists on the screen, before redeployment or disposal.
3572 12.6.9.C.01. All Classifications Must Agencies MUST attempt to sanitise video screens with minor burn-in or image persistence by displaying a solid white image on the screen for an extended period of time. If burn-in cannot be corrected the screen MUST be processed through an approved destruction facility.
4302 13.5.24.C.01. All Classifications Must Agencies MUST employ approved equipment for the purpose of media and IT Eequipment destruction MUST be performed using approved destruction equipment, facilities and methods.
4304 13.5.24.C.02. All Classifications Must Where agencyies do not own thedir approvedwn destruction equipment is not available, agencies MUST use an approved destruction facility for media and IT Eequipment destruction.
4343 13.5.25.C.01. All Classifications Must Agencies MUST, at minimum, store and handle the resulting waste for all methods, as forin accordance with the classification given in the table below. Initial media or IT Equipment classification Screen aperture size particles can pass through Less than or equal to 3mm Treat as Less than or equal to 6mm Treat as  TOP SECRET UNCLASSIFIED RESTRICTED SECRET UNCLASSIFIED RESTRICTED CONFIDENTIAL UNCLASSIFIED RESTRICTED RESTRICTED UNCLASSIFIED UNCLASSIFIED Particle size: measured in any direction, should not exceed stated measurement.
4359 13.5.27.C.03. All Classifications Should The Destruction Register SHOULD record: Date oestruction facility used; Destruction method used; Date of destruction; Operator and witnesses; Media or and IT Eequipment classification; and Media or and IT Eequipment type, characteristics and serial number.
4367 13.5.29.C.01. Top Secret Must Not Agencies MUST NOT outsource the supervision and oversight of the destruction of TOP SECRET or NZEO media and IT Eequipment or other accountable material to a non-government entity or organisation.
6019 15.2.22.C.01. All Classifications Should Before implementing DMARC agencies SHOULD: Create a DMARC policy; List all domains , in particused for the sendinglar those used for the sending and/or receiving of email; Review the configuration of SPF and DKIM for all active domains and all published domains; and Establish one or more monitored inboxes to receive DMARC reports.
6020 15.2.22.C.02. All Classifications Should Agencies SHOULD enable DMARC for all email originating from or received by their domain(s), including: sending domain owners SHOULD publish a DMARC record with a related DNS entry advising mail receivers of the characteristics of messages purporting to originate from the sender’s domain; received DMARC messages SHOULD be managed in accordance with the agency’s published DMARC policy; and agencies SHOULD produce failure reports and aggregate reports according to the agency’s DMARC policies.
1827 16.1.31.C.01. All Classifications Must Agencies MUST: develop, implement and maintain a set of policies and procedures covering all system users’: identification; authentication;  authorisation; privileged access identification and management; and make their system users aware of the agency’s policies and procedures.
2070 17.1.51.C.01. All Classifications Must Agencies using cryptographic functionality within a product for the protection of classifiedto protect the confidentiality, authentication, non-repudiation or integrity of information, MUST ensure that the product has completed a cryptographic evaluation recognised by the GCSB.
2080 17.1.53.C.02. Confidential, Secret, Top Secret Must If an agency wishes to reduce the storage or physical transfer requirements for IT equipment or media that contains classified information, they MUST encrypt the classified information using High GradAssurance Cryptographic Equipment (HGACE).   It is important to note that the classification of the information itself remains unchanged.
2081 17.1.53.C.03. Confidential, Secret, Top Secret Must If an agency wishes to use encryption to reduce the storage, handling or physical transfer requirements for IT equipment or media that contains classified information, they MUST use: full disk encryption; or partial  disk encryption where the access control will allow writing onlyONLY to the encrypted partition holding the classified information.
2082 17.1.53.C.04. All Classifications Should If an agency wishes to use encryption to reduce the storage or physical transfer requirements for IT equipment or media that contains classified information, they SHOULD use: full disk encryption; or partial  disk encryption where the access control will only allow writing ONLY to the encrypted partition holding the classified information.
2089 17.1.55.C.01. Confidential, Secret, Top Secret Must Agencies MUST use HGACE if they wish to communicate or pass information over UNCLASSIFIED, insecure or unprotected networks.
2090 17.1.55.C.02. Restricted/Sensitive Must Information or systems classified RESTRICTED or SENSITIVE MUST be encrypted with an aApproved encryption alCryptogorithm and praphic Algorithm and Protocol if information is transmitted or systems are communicating over any insecure or unprotected network such as the Internets, such as the Internet, public infrastructurenetworks or non-agency controlled networks.
2091 17.1.55.C.03. All Classifications Must Agencies MUST encrypt aggregated agency data using an approved algorithm and protocol when data is transmitted over insecure or unprotected networks such as the Internet, pubetween data centres over insecure or unprotectlic infrastructure or non-agency controlled networks such as the Internet, public inwhen the compromise ofrastructure or non-agency controlled networks the aggregated data would present a significant impact to the agency.  
2092 17.1.55.C.04. All Classifications Should Agencies SHOULD useencrypt agency data using an approved encryption productalgorithm and protocol if they wish to communicate over insecure or unprotected networks such as the Internet, public networks or non-agency controlled networks.
2105 17.1.58.C.03. All Classifications Must Agencies using HACE MUST consult with the GCSB for the key management requirements for HGCE.
2128 17.2.17.C.01. All Classifications Must Agencies using an unevaluated product that implements an Approved Cryptographic Algorithm MUST ensure that only Approved Cryptographic Algorithms can be used when using an unevaluated product that implements a combination of approved and non-approved Cryptographic Algorithms.
2134 17.2.19.C.01. All Classifications Must Agencies using DH, for the approved use of agreeing on encryption session keys, MUST use a modulus of at least 4309672 bits.
2137 17.2.20.C.01. All Classifications Must Legacy dDevices which are NOT capable of implementing required key lengths MUST be reconfigured with the longest feasible key length as a matter of urgency.
2138 17.2.20.C.02. All Classifications Must Legacy dDevices which are NOT capable of implementing required key lengths MUST be scheduled for replacement as a matter of urgency.
2151 17.2.24.C.01. All Classifications Must Agencies using RSA, for the approved use of digital signatures and passing encryption session keys or similar keys, MUST use a modulus of at least 3072048 bits.
2155 17.2.26.C.01. All Classifications Must Agencies MUST use the SHA-2 family befor new systems. Use usingof SHA-1 is permitted ONLY for legacy systems.
5905 17.2.26.C.02. All Classifications Must Agencies MUSHOULDT use a minimum of SHA-384 when using hashing algorithms to provide integrity protection for information classified as RESTRICTED/SENSITIVE or above.
2158 17.2.28.C.01. All Classifications Should Not Agencies using approved symmetric encryption algorithms (e.g. AES or 3DES) SHOULD NOT use Electronic Code Book Mode (ECB) mode.
2598 17.4.16.C.01. All Classifications Should Agencies SHOULD use the current version of TLS (version 1.23).
3043 17.9.31.C.01. All Classifications Must Agencies MUST comply with NZCSI when using HGCP or HGACE.
3053 17.9.32.C.03. All Classifications Should Not Agencies SHOULD NOT transport commercial grade cryptographic equipment or products in a keyed state.
3290 18.2.6.C.01. All Classifications Must Agencies deploying a wireless network for public access MUST segparegate it from any other agency networks; including BYOD networks.
3621 18.2.34.C.01. All Classifications Should Wireless networks SHOULD be sufficiently segregated through the use of channel separation.
4015 19.4.4.C.01. All Classifications Must Agencies MUST use devices as shown in the following table for controlling the data flow of one-way gateways between networks of different classifications. High networrk Low network You require RESTRICTED   UNCLASSIFIED EAL2 or PP diode RESTRICTED EAL2 or PP diode CONFIDENTIAL   UNCLASSIFIED high assurance diode RESTRICTED high assurance diode CONFIDENTIAL high assurance diode SECRET   UNCLASSIFIED high assurance diode RESTRICTED high assurance diode CONFIDENTIAL high assurance diode SECRET high assurance diode TOP SECRET   UNCLASSIFIED high assurance diode RESTRICTED high assurance diode CONFIDENTIAL high assurance diode SECRET high assurance diode TOP SECRET high assurance diode
4660 21.4.11.C.06. All Classifications Must Wireless accesses points used for access to agency networks MUST be implemented and secured in accordance with the directions in this manual (See Section 18.2 – Wireless Local Area Networks).
4675 21.4.11.C.20. All Classifications Should BYOD devices and systems SHOULD use Multi-factor (at least two-factor) authentication to connect to agency systems and prior to being permitted access to agency data.
4812 22.1.21.C.05. All Classifications Must Agencies MUST consult with the GCIDO to ensure the strategic and other cloud risks are comprehensively assessed.
4814 22.1.21.C.07. All Classifications Must Agencies using cloud services MUST ensure they have conducted a documented risk assessment, accepted any residual risks, and followed the endorsement procedure required by the GCIDO.
4822 22.1.22.C.03. All Classifications Must Agencies using cloud services hosted offshore and connected to All-of-Government systems MUST ensure they have conducted a risk assessment, accepted any residual risks, and followed the endorsement procedure required by the GCIDO.