This is a report of changes between nzism-data/NZISM-FullDoc-V.3.3-February 2020.xml and nzism-data/NZISM-FullDoc-V.3.6-September-2022.xml.

Controls Added

CID Title Classifications Compliances Text
7045 2.3.25.C.01. All Classifications Must Agencies intending to adopt public cloud technologies or services MUST develop a plan for how they intend to use these services.  This plan can be standalone or part of an overarching ICT strategy.
7046 2.3.25.C.02. All Classifications Should An agency’s cloud adoption plan SHOULD cover: Outcomes and benefits that the adoption of cloud technologies will bring; Risks introduced or mitigated through the use of cloud, and the agency’s risk tolerance; Financial and cost accounting models; Shared responsibility models; Cloud deployment models; Cloud security strategy; Resilience and recovery approaches; Data recovery on contract termination; Cloud exit strategy and other contractual arrangements; and A high level description of the foundation services that enable cloud adoption, including: User, device and system identity; Encryption and key management; Information management; Logging and alerting; Incident management; Managing privileged activities; and Cost management.
7049 2.3.26.C.01. All Classifications Should Agencies intending to adopt public cloud technologies or services SHOULD incorporate Zero Trust philosophies and concepts.
7050 2.3.26.C.02. All Classifications Should Agencies SHOULD leverage public cloud environment native security services as part of legacy system migrations, in preference to recreating application architectures that rely on legacy perimeter controls for security.
7206 2.4.13.C.01. All Classifications Should Agencies SHOULD ensure they are aware of the latest developments in post-quantum cryptography.  GCSB is tracking these developments and will continue to provide advice through the NZISM.
7207 2.4.13.C.02. All Classifications Should Agencies SHOULD maintain an inventory of sensitive and critical datasets that must be secured for an extended amount of time.  This will ensure datasets that may be at risk now and decrypted once a cryptographically relevant quantum computer is available are not secured solely through the use of quantum vulnerable cryptography.
7208 2.4.13.C.03. All Classifications Should Agencies SHOULD conduct an inventory of systems using cryptographic technologies to determine the potential size and scope of future transition work once post-quantum cryptographic systems become available.
7209 2.4.13.C.04. All Classifications Should Agencies SHOULD identify which systems in their inventory rely on public key cryptography and note them as quantum vulnerable in agency risk assessments.
7210 2.4.13.C.05. All Classifications Should Agencies SHOULD determine a priority order for quantum vulnerable systems to be transitioned from classical cryptography to post-quantum cryptography.
7211 2.4.13.C.06. All Classifications Should Agencies SHOULD consider the following factors when prioritising the quantum vulnerable systems: Is the system a high value asset based on agency requirements? Does the system protect sensitive information (e.g. key stores, passwords, root keys, signing keys, personally identifiable information, and classified information)? Do other systems (internal or external to the agency) depend on the cryptographic protections in place on the quantum vulnerable system? How long does the data need to be protected?
7212 2.4.13.C.07. All Classifications Should Using the inventory and prioritisation information, agencies SHOULD develop a plan for system transitions upon publication of the new post-quantum cryptographic standard.
7084 3.2.10.C.04. All Classifications Should The CISO SHOULD work with system owners, system certifiers and system accreditors to determine appropriate information security policies for their systems and ensure consistency with the Protective Security Requirements (PSR) and in particular the relevant NZISM components.
7130 5.9.23.C.01. All Classifications Must An agency MUST undertake a risk assessment to determine which systems and services to include in the agency’s VDP.
7133 5.9.24.C.01. All Classifications Must An agency MUST develop and publish a VDP.
7134 5.9.24.C.02. All Classifications Must An agency’s VDP MUST contain at least the following core content: A scoping statement listing the systems the policy applies to; Contact details; Secure communication options (including any public keys); Information the finder should include in the report; Acknowledgement of reports and a response time; Guidance on what forms of vulnerability testing are out of scope for reporters/finders (permitted activities); Reporters/finders agreeing to not share information about the vulnerability until the end of the disclosure period, in order to allow the agency to address any issues before they become public; Illegal activities are not permitted (specifying the relevant legislation, such as the Crimes Act); and Either that “Bug bounties” will not be paid for any discoveries, or it should provide information about the agency’s bug bounty programme.
7136 5.9.25.C.01. All Classifications Should An agency SHOULD publish a security.txt to permit secure communications and direct any reports to a specific agency resource, in accordance with the agency’s VDP.
7138 5.9.26.C.01. All Classifications Must An agency MUST commit to addressing disclosed vulnerabilities within the timeframe it sets in its policy.
7139 5.9.26.C.02. All Classifications Should An agency’s vulnerability disclosure timeframe SHOULD be set to no more than 90 days.
7141 5.9.27.C.01. All Classifications Must Agencies MUST ensure they integrate their VDP with other elements of their information security policies.
6997 12.6.10.C.01. All Classifications Must Because of the risks that data can be recovered from monitors, it is essential that any redeployment or disposal of monitors MUST follow the guidance in the NZISM.
7165 13.5.24.C.03. All Classifications Must Where a facility is NOT an approved facility, agencies MUST ensure any incineration equipment is rated for the destruction of electronic waste (WEEE) and the operator is properly authorised or licensed.
7166 13.5.24.C.04. All Classifications Must Where a facility is NOT an approved facility, agencies MUST ensure processes are in place for the safe handling of electronic waste (WEEE), including any residual material from the destruction process.
6835 16.4.30.C.01. All Classifications Must Agencies MUST establish a Privileged Access Management (PAM) policy.
6836 16.4.30.C.02. All Classifications Must Within the context of agency operations, the agency’s PAM policy MUST define: a privileged account; and privileged access.
6837 16.4.30.C.03. All Classifications Must Agencies MUST manage Privileged Accounts in accordance with the Agency’s PAM Policy.
6842 16.4.31.C.01. All Classifications Must Agencies MUST apply the Principle of Least Privilege when developing and implementing a Privileged Access Management (PAM) policy.
6843 16.4.31.C.02. All Classifications Should Agencies SHOULD use two-factor or Multi-Factor Authentication to allow access to Privileged Accounts.
6846 16.4.32.C.01. All Classifications Must As part of a Privileged Access Management (PAM) policy, agencies MUST establish and implement a strong approval and authorisation process before any privileged access credentials are issued.
6847 16.4.32.C.02. All Classifications Must Not Privileged Access credentials MUST NOT be issued until approval has been formally granted.
6852 16.4.33.C.01. All Classifications Must Agencies MUST establish robust credential suspension and revocation procedures as part of the agency’s Privileged Access Management (PAM) policy.
6855 16.4.34.C.01. All Classifications Must Agencies MUST create and maintain a comprehensive inventory of privileged accounts and the associated access rights and credentials.
6859 16.4.35.C.01. All Classifications Must Agencies MUST create, implement and maintain a robust system of continuous discovery, monitoring and review of privileged accounts and the access rights and credentials associated with those accounts.
6860 16.4.35.C.02. All Classifications Must Privileged account monitoring systems MUST monitor and record: individual user activity, including exceptions such as out of hours access; activity from unauthorised sources; any unusual use patterns; and any creation of unauthorised privileges access credentials.
6861 16.4.35.C.03. All Classifications Must Agencies MUST protect and limit access to activity and audit logs and records.
6864 16.4.36.C.01. All Classifications Must Agencies MUST develop and implement a response and remediation policy and procedure as part of an agency’s Privileged Access Management (PAM) policy.
6868 16.4.37.C.01. All Classifications Must Agencies MUST implement a Privileged Access Management (PAM) policy training module as part of the agency’s overall user training and awareness requirement.
6948 16.7.33.C.01. All Classifications Must Agencies MUST undertake a risk analysis before designing and implementing MFA.
6952 16.7.34.C.01. All Classifications Should The design of an agency’s MFA SHOULD include consideration of: Risk Identification; Level of security and access control appropriate for each aspect of an agency’s information systems (data, devices, equipment, storage, cloud, etc.) A formal authorisation process for user system access and entitlements; Logging, monitoring and reporting of activity; Review of logs for orphaned accounts and inappropriate user access; Identification of error and anomalies which may indicate inappropriate or malicious activity; Incident response; Remediation of errors; Suspension and/or revocation of access rights where policy violations occur; Capacity planning.
6953 16.7.34.C.02. All Classifications Should Where an agency has implemented MFA they SHOULD: Require MFA for administrative or other high privileged users; and Implement a secure, multi-factor process to allow users to reset their normal usage user credentials.
6956 16.7.35.C.01. All Classifications Should The design of an agency’s MFA system SHOULD be integrated with the agency’s Information Security Policy and the agency’s Privileged Access Management (PAM) Policy.
6960 16.7.36.C.01. All Classifications Must When agencies implement MFA they MUST ensure users have an understanding of the risks, and include appropriate usage and safeguards for MFA in the agency’s user training and awareness programmes.
7189 17.2.21.C.01. All Classifications Must Agencies using DSA, for the approved use of digital signatures, MUST use a modulus of at least 1024 bits.
7181 17.2.24.C.03. All Classifications Should Agencies using RSA, for the approved use of digital signatures and passing encryption session keys or similar keys, SHOULD use a modulus of at least 4096 bits.
7186 17.2.25.C.01. All Classifications Must Agencies using RSA keys within internet X.509 Public Key Infrastructure certificates MUST use a modulus of at least 2048 bits.
7187 17.2.26.C.03. All Classifications Must In all other cases when information requires integrity protection using hashing algorithms, Agencies MUST use a minimum of SHA-256.
7250 18.7.14.C.01. All Classifications Must Agencies MUST undertake a threat and risk assessment on the use of inverse split tunnelling prior to enabling the functionality in remote access VPN systems.
7251 18.7.14.C.02. All Classifications Should When providing inverse split-tunnelled access to internet based services (“directly accessed services”), the following aspects SHOULD be considered as part of the threat and risk assessment: How do directly accessed services authenticate agency device identities prior to granting access to the service? How do agency devices securely resolve internet addresses for directly accessed services? How are the communications between the devices and directly accessed services secured? How does an agency monitor and account for access made to directly accessed services? How does an agency protect devices from compromise if they are able to directly access internet based resources, or be directly accessed from the internet? How do directly accessed services authenticate the user of the agency device prior to granting access to the service (this is separate to authenticating the agency device itself)? How does an agency enforce the use of multi-factor authentication with directly accessed services? How does an agency authorise access to directly accessed services, and does this include from devices that are not authorised to connect to agency remote access services (authorisation and authentication are separate activities)? How is access to directly accessed cloud services removed when staff no longer require access or leave the agency?
7349 23.1.53.C.01. All Classifications Must Agencies MUST clearly identify and understand where classification, security domain, and trust zone boundaries exist prior to implementation or adoption of public cloud services.
7350 23.1.53.C.02. All Classifications Must Where multiple identity systems under different security policies are used to control access to an agency’s instance of a public cloud service, the instance MUST be considered to be in a separate security domain from services where access control is managed solely by the agency’s identity system.
7353 23.1.54.C.01. All Classifications Must Agencies MUST clearly identify and understand their cloud service provider’s security responsibilities for each service consumed, and the aspects of security that the agency is responsible for, prior to implementation or adoption of the service.
7354 23.1.54.C.02. Should Agencies SHOULD clearly document the aspects of security they and their provider are responsible for.
7355 23.1.54.C.03. All Classifications Should Agencies SHOULD review existing security processes to ensure compatibility with their cloud service provider’s responsibilities.
7359 23.1.55.C.01. All Classifications Should Agencies SHOULD deploy and manage their cloud infrastructure using automation, version control, and infrastructure as code techniques where these are available.
7386 23.2.16.C.01. All Classifications Must Agencies MUST update their risk assessment process to account for public cloud specific risks, prior to implementation or adoption of public cloud services.
7387 23.2.16.C.02. All Classifications Must Agencies MUST undertake a cloud specific risk assessment in line with the process outlined by the GCDO for each public cloud service, prior to implementation or adoption of public cloud services.
7388 23.2.16.C.03. Confidential, Secret, Top Secret Must Not Agencies MUST NOT accredit public cloud services for use with data classified CONFIDENTIAL, SECRET, or TOP SECRET.
7389 23.2.16.C.04. All Classifications Must Not Agencies MUST NOT accredit public cloud services to host, process, store, or transmit NZEO endorsed information.
7394 23.2.17.C.01. All Classifications Must Agencies MUST consider risks to the availability of systems and information in their design of cloud systems architectures, supporting controls, and governance processes prior to implementation or adoption of public cloud services.
7397 23.2.18.C.01. All Classifications Should Agencies SHOULD obtain regular assurance checks on cloud service providers, ensuring that they are undertaken by a suitably qualified assessor.
7400 23.2.19.C.01. All Classifications Must Agencies MUST obtain assurance that cloud service providers undertake appropriate software and operating system patching and maintenance.
7404 23.2.20.C.01. All Classifications Must Agencies MUST obtain assurance that technical protections exist to adequately isolate tenants.
7407 23.2.21.C.01. All Classifications Should Agencies SHOULD make use of the GCSB endorsed baseline security templates where applicable.  
7433 23.3.18.C.01. All Classifications Should Accounts used to perform privileged actions SHOULD NOT be synchronised between environments.
7436 23.3.19.C.01. All Classifications Must Where administration interfaces or portals are accessible from the internet, privileged accounts MUST be configured to use multiple factors of authentication.
7437 23.3.19.C.02. All Classifications Should Where cloud service interfaces or portals are accessible from the internet, user accounts SHOULD be configured to use multiple factors of authentication.
7440 23.3.20.C.01. All Classifications Must Staff offboarding processes MUST be updated to include removing all access to public cloud based services, prior to implementation or adoption of public cloud services.
7443 23.3.21.C.01. All Classifications Must Agencies MUST ensure that relying parties continually verify the authenticity of their identity provider’s responses, through for example, cryptographic signing of authentication requests and responses.
7446 23.3.22.C.01. All Classifications Should Agencies SHOULD ensure that relying parties use all available information from the identity provider to inform access control decisions.
7461 23.4.9.C.01. All Classifications Must For each cloud service, agencies MUST ensure that the mechanisms used to protect data meet agency requirements.
7462 23.4.9.C.02. All Classifications Must Agencies MUST update key management plans to account for differences in public cloud before storing organisational data in a public cloud environment.
7463 23.4.9.C.03. All Classifications Must Agencies MUST ensure their key management plan includes provision for migrating data from the cloud environment where it was created.
7466 23.4.10.C.01. All Classifications Must Agencies MUST apply the principle of least privilege and configure service endpoints to restrict access to authorised parties.
7469 23.4.11.C.01. All Classifications Must Agencies MUST identify where data used in conjunction with a public cloud service is stored or processed, including any replicas or backups that may be created.
7470 23.4.11.C.02. All Classifications Must Agency risk assessments of public cloud services MUST include any risks arising from data location. Any actions required to mitigate these risks must be identified and documented prior to implementation or adoption of public cloud services.
7474 23.4.12.C.01. All Classifications Must Agencies MUST update their disaster recovery plans prior to storing or replicating data in public cloud services, to ensure these plans address any cloud-specific aspects of backup and recovery.
7475 23.4.12.C.02. All Classifications Must When planning tests of disaster recovery processes in accordance with 6.4.6 Backup strategy, agencies MUST include tests of any cloud-specific data recovery processes.
7494 23.5.10.C.01. All Classifications Must Agencies MUST understand the range of logging capabilities provided by their cloud service providers and determine whether they are sufficient for agency needs.
7496 23.5.11.C.01. All Classifications Must Agencies MUST ensure that logs associated with public cloud services are collected, protected, and that their integrity can be confirmed in accordance with the agency’s documented logging requirements.
7498 23.5.12.C.01. All Classifications Must Agencies MUST ensure that cloud service provider logs are incorporated into overall enterprise logging and alerting systems or procedures in a timely manner to detect information security incidents.
7499 23.5.12.C.02. All Classifications Should Agencies SHOULD ensure that tools and procedures used to detect potential information security incidents account for the public cloud services being consumed by the agency.

Controls Removed

CID Title Classifications Compliances Text
383 3.3.6.C.05. All Classifications Should ITSMs SHOULD work with system owners, systems certifiers and systems accreditors to determine appropriate information security policies for their systems and ensure consistency with the Protective Security Requirements (PSR) and in particular the relevant NZISM components.
2141 17.2.20.C.01. All Classifications Must Agencies using DSA, for the approved use of digital signatures, MUST use a modulus of at least 1024 bits.
2161 17.2.27.C.01. All Classifications Must 3DES MUST use either two distinct keys in the order key 1, key 2, key 1 or three distinct keys.
2170 17.2.28.C.01. All Classifications Should AES implementations for symmetric encryption of data SHOULD use the Galois/Counter Mode (GCM).

Controls Changed

CID Title Classifications Compliances Text
127 1.1.64.C.01. All Classifications Must System owners seeking a dispensation for non-compliance with any baseline controls in this manual MUST be granted a dispensation by their Accreditation Authority. Where High GradAssurance Cryptographic Systems (HACS) are implemented, the Accreditation Authority will be the Director-General GCS) are implemented, the Accreditation Authority will be the Director-General GCSB or a formal delegate.
255 2.3.27.C.01. All Classifications Must Agencies intending to adopt cloud technologies or services MUST conduct a comprehensive risk assessment, in accordance with the guidance provided by the Government CIhief Digital Officer (GCDO) before implementation or adoption.
283 3.1.8.C.02. All Classifications Should When the agency head devolvegates their authority, the delegate SHOULD be a senior executive who understands the CISOconsequences and potential impact to the business of the acceptance of residual risk.
311 3.2.8.C.05. All Classifications Should Where multhiple roles ofare held by the CISO is outsourced,any potential conflicts of interest in availability, response times or working with vendors SHOULD be identified and carefully managed.
322 3.2.11.C.01. All Classifications Should The CISO SHOULD be responsible for establishing mechanisms and programs to ensuringe compliance with the information security policies and standards within the agency.
323 3.2.11.C.02. All Classifications Should The CISO SHOULD be responsible for ensuring agency compliance with the NZISM through facilitating a continuous program of certification and accreditation bof asedll on security risk managency systements.
334 3.2.13.C.02. All Classifications Should The CISO SHOULD liaise with agency technology architecture teams to ensure alignment between security and agency architectures.
391 3.3.8.C.01. All Classifications Must ITSMs MUST be responsible for ensuring the development, maintenance, updating and implementation of Security Risk Management Plans (SRMPs), Systems Security Plans (SecPlanSP) and any Standard Operating Procedures (SOPs) for all agency systems.
569 4.3.18.C.01. All Classifications Must The SecPol, SRMP, SecSPlan, SOPs and IRP documentation MUST be reviewed by the auditor to ensure that it is comprehensive and appropriate for the environment the system is to operate within.
634 4.4.12.C.03. All Classifications Must Agencies MUST notify the Government CIhief Digital Officer (GCDO) where All-of-Government systems are connected to agency systems operating with expired accreditations.
675 4.5.18.C.03. All Classifications Must The Accreditation Authority MUST advise the GCIDO where the accreditation decision may affect any All-of-Government systems.
702 5.1.10.C.01. All Classifications Must Agencies MUST ensure that every system is covered by a SecSPlan.
718 5.1.15.C.01. All Classifications Should Agencies SHOULD ensure that their SRMP, Systems Architecture, SecSPlan, SOPs and IRP are logically connected and consistent for each system, other agency systems and with the agency’s SecPol.
729 5.1.18.C.01. All Classifications Must Agencies MUST ensure that their SecPol, SRMP, SecSPlan, SOPs and IRP are appropriately classified.
781 5.2.3.C.02. All Classifications Should The Information Security Policy (SecPol) SHOULD include topics such as: accreditation processes; personnel responsibilities; configuration control; access control; networking and connections with other systems; physical security and media control; emergency procedures and information security incident management; vulnerability disclosure; change management; and information security awareness and training.
828 5.4.5.C.01. All Classifications Must Agencies MUST select controls from this manual to be included in the SecSPlan based on the scope of the system with additional system specific controls being included as a result of the associated SRMP. Encryption Key Management requires specific consideration; refer to Chapter 17 – Cryptography.
829 5.4.5.C.02. All Classifications Should Agencies SHOULD use the latest baseline of this manual when developing, and updating, their SecSPlans as part of the certification, accreditation and reaccreditation of their systems.
831 5.4.5.C.03. All Classifications Should Agencies SHOULD include a Key Management Plan in the SecSPlan.
1048 6.1.9.C.01. All Classifications Should Agencies SHOULD review the components detailed in the table below. Agencies SHOULD also ensure that any adjustments and changes as a result of any vulnerability analysis are consistent with the vulnerability disclosure policy. Component Review Information security documentation The SecPol, Systems Architecture, SRMPs, SecSPlans, SitePlan, SOPs, the VDP, the IRP, and any third party assurance reports. Dispensations Prior to the identified expiry date. Operating environment When an identified threat emerges or changes, an agency gains or loses a function or the operation of functions are moved to a new physical environment. Procedures After an information security incident or test exercise. System security Items that could affect the security of the system on a regular basis. Threats Changes in threat environment and risk profile. NZISM Changes to baseline or other controls, any new controls and guidance.
1095 6.3.7.C.03. All Classifications Should Agencies SHOULD follow this change management process outline: produce a written change request; submit the change request to all stakeholders for approval; document the changes to be implemented; test the approved changes; notification to user of the change schedule and likely effect or outage; implement the approved changes after successful testing; update the relevant information security documentation including the SRMP, SecSPlan and SOPs notify and educate system users of the changes that have been implemented as close as possible to the time the change is applied; and continually educate system users in regards to changes.
1237 7.2.25.C.01. All Classifications Must Agencies MUST urgently notify GCSB of any suspected loss or compromise of keying material associated with HGACE.
1409 8.4.11.C.01. All Classifications Should Agencies choosing to prevent the storage of classified information on non-volatile media and enforcing scrubbing of temporary data at logoff or shutdown SHOULD: assess the security risks associated with such a decision; and specify the processes and conditions for their application within the system’s SecSPlan.  
1412 8.4.12.C.01. All Classifications Should Agencies securing volatile media for IT equipment during non-operational hours SHOULD: disconnect power from the equipment the media resides within; assess the security risks if not sanitising the media; and specify any additional processes and controls that will be applied within the system’s SecSPlan.
1480 9.2.10.C.01. All Classifications Must Agencies MUST specify in the System Security Plan (SecSPlan) any authorisations, security clearances and briefings necessary for system access.
1484 9.2.11.C.02. All Classifications Should Agencies SHOULD: limit system access on a need-to-know/need-to-access basis; provide system users with the least amount of privileges needed to undertake their duties; and have any requests for access to a system authorised by the supervisor or manager of the system user; and ensure a formal acknowledgement of the security briefing is obtained and recorded.
1487 9.2.12.C.01. All Classifications Should Agencies SHOULD: maintain a secure record of: all authorised system users; their user identification; why access is required; role and privilege level, who provided the authorisation to access the system; when the authorisation was granted; and keep a copy of the acknowledgement signed by the individual granted a clearance; and maintain the record, for the life of the system or information to which access is granted, or the length of employment, whichever is the longer, to which access is granted.
1508 9.2.18.C.01. All Classifications Must Agencies granting limited higher access to a system MUST ensure that: effectithe approve controls are in place to restrict access to onlyal for access is formally acknowledged and recorded; and either effective controls are in place to restrict access only to classified information that is necessary to undertake the system user’s duties; or the system user is continually supervised by another system user who has the appropriate security clearances to access the system.
2412 10.5.11.C.01. All Classifications Should Agencies SHOULD inspect cables for inconsistencies with the cable register in accordance with the frequency defined in the SecSPlan.
5626 10.6.29.C.01. Confidential, Secret, Top Secret Must Cabinet rails MUST be installed to: provide adequate room for patch cables and wire managers; provide adequate space for cable management at front, sides, and rear; and arrange switches and patch panels to minimize patching between cabinets & racks.
2662 11.3.12.C.02. Confidential, Secret, Top Secret Must Agencies MUSHOULDT use push-to-talk mechandisetms to meet the requirement for off-hook audio protection. PTT activation MUST be clearly labelled.
3455 12.4.5.C.01. All Classifications Should Where known vulnerabilities cannot be patched, or security patches are not available, agencies SHOULD implement: controls to resolve the vulnerability such as: disable the functionality associated with the vulnerability though product configuration; ask the vendor for an alternative method of managing the vulnerability; install a version of the product that does not have the identified vulnerability; install a different product with a more responsive vendor; or engage a software developer to correct the software. controls to prevent exploitation of the vulnerability including: apply external input sanitisation (if an input triggers the exploit); apply filtering or verification on the software output (if the exploit relates to an information disclosure); apply additional access controls that prevent access to the vulnerability; or configure firewall rules to limit access to the vulnerable software. controls to contain the exploit including: apply firewall rules limiting outward traffic that is likely in the event of an exploitation; apply mandatory access control preventing the execution of exploitation code; or set file system permissions preventing exploitation code from being written to disk;  allowhite and black and deny listing to prevent code execution; and controls to detect attacks including: deploy an IDS; monitor logging alerts; or use other mechanisms as appropriate for the detection of exploits using the known vulnerability. controls to prevent attacks including: deploy an IPS or HIPS; or use other mechanisms as appropriate for the diversion of exploits using the known vulnerability, such as honey pots and Null routers.
3537 12.6.4.C.01. All Classifications Must Agencies MUST sanitise or destroy, then declassify, IT equipment containing any media before disposal.
3566 12.6.8.C.01. All Classifications Must Agencies MUST visually inspect video screens by turning up the brightness to the maximum level to determine if any classified information has been burnt into or persists on the screen, before redeployment or disposal.
3572 12.6.9.C.01. All Classifications Must Agencies MUST attempt to sanitise video screens with minor burn-in or image persistence by displaying a solid white image on the screen for an extended period of time. If burn-in cannot be corrected the screen MUST be processed through an approved destruction facility.
4302 13.5.24.C.01. All Classifications Must Agencies MUST employ approved equipment for the purpose of media and IT Eequipment destruction MUST be performed using approved destruction equipment, facilities and methods.
4304 13.5.24.C.02. All Classifications Must Where agencyies do not own thedir approvedwn destruction equipment is not available, agencies MUST use an approved destruction facility for media and IT Eequipment destruction.
4343 13.5.25.C.01. All Classifications Must Agencies MUST, at minimum, store and handle the resulting waste for all methods, as forin accordance with the classification given in the table below. Initial media or IT Equipment classification Screen aperture size particles can pass through Less than or equal to 3mm Treat as Less than or equal to 6mm Treat as  TOP SECRET UNCLASSIFIED RESTRICTED SECRET UNCLASSIFIED RESTRICTED CONFIDENTIAL UNCLASSIFIED RESTRICTED RESTRICTED UNCLASSIFIED UNCLASSIFIED Particle size: measured in any direction, should not exceed stated measurement.
4359 13.5.27.C.03. All Classifications Should The Destruction Register SHOULD record: Date oestruction facility used; Destruction method used; Date of destruction; Operator and witnesses; Media or and IT Eequipment classification; and Media or and IT Eequipment type, characteristics and serial number.
4367 13.5.29.C.01. Top Secret Must Not Agencies MUST NOT outsource the supervision and oversight of the destruction of TOP SECRET or NZEO media and IT Eequipment or other accountable material to a non-government entity or organisation.
1234 14.2.4.C.01. All Classifications Should Agencies SHOULD implement application allowhite listing as part of the SOE for workstations, servers and any other network device.
1242 14.2.5.C.01. All Classifications Must Agencies MUST ensure that a system user cannot disable the application allowhite listing mechanism.
898 14.2.5.C.04. All Classifications Should Agencies SHOULD ensure that application allowhite listing does not replace the antivirus and anti-malware software within a system.
907 14.2.6.C.01. All Classifications Should Agencies SHOULD ensure that system administrators are not automatically exempt from application allowhite listing policy.
936 14.2.7.C.02. All Classifications Should Agencies SHOULD ensure that application allowhite listing is used in addition to a strong access control list model and the use of limited privilege accounts.
940 14.2.7.C.03. All Classifications Should Agencies SHOULD plan and test application allowhite listing mechanisms and processes thoroughly prior to implementation.
945 14.2.7.C.05. All Classifications Should Agencies SHOULD restrict the process creation permissions of any executables which are permitted to run by the application allowhite listing controls.
947 14.2.7.C.07. All Classifications Should Logs from the application allowhite listing implementation SHOULD include all relevant information.
1602 14.3.8.C.01. All Classifications Should Agencies permitting TLS through their gateways SHOULD implement: a solution that decrypts and inspects the TLS traffic as per content filtering requirements; or a n allowhite list specifying the addresses (uniform resource locators) to which encrypted connections are permitted, with all other addresses blocked.
1609 14.3.10.C.01. All Classifications Should Agencies SHOULD implement allowhite listing for all HTTP traffic being communicated through their gateways.
1608 14.3.10.C.02. All Classifications Should Agencies using an allowhite list on their gateways to specify the external addresses, to which encrypted connections are permitted, SHOULD specify allowhite list addresses by domain name or IP address.
1610 14.3.10.C.03. All Classifications Should If agencies do not allowhite list websites they SHOULD blackdeny list websites to prevent access to known malicious websites.
1611 14.3.10.C.04. All Classifications Should Agencies blackdeny listing websites SHOULD update the blackdeny list on a frequent basis to ensure that it remains effective.
1621 14.3.13.C.01. All Classifications Must Not Users MUST NOT use agency useridID and login passwords as credentials for external websites.
6019 15.2.20.C.01. All Classifications Should Before implementing DMARC agencies SHOULD: Create a DMARC policy; List all domains , in particused for the sendinglar those used for the sending and/or receiving of email; Review the configuration of SPF and DKIM for all active domains and all published domains; and Establish one or more monitored inboxes to receive DMARC reports.
6020 15.2.20.C.02. All Classifications Should Agencies SHOULD enable DMARC for all email originating from or received by their domain(s), including: sending domain owners SHOULD publish a DMARC record with a related DNS entry advising mail receivers of the characteristics of messages purporting to originate from the sender’s domain; received DMARC messages SHOULD be managed in accordance with the agency’s published DMARC policy; and agencies SHOULD produce failure reports and aggregate reports according to the agency’s DMARC policies.
1745 15.2.21.C.01. All Classifications Should Agencies SHOULD configure the following gateway filters: inbound and outbound email, including any attachments, that contain: malicious code; content in conflict with the agency’s email policy; content that cannot be identified; deny listed or unauthorised filetypes; and encrypted content, when that content cannot blacklisted or unauthorised filetye inspescted for malicious code or authenticated as originating from a trusted source; and encrypted content, emails addressed to internal email aliases when that content cannot be inspected for malicious code or authenticated as originating from a trusted sourceith source addresses located from outside the domain; emails addressed to internal email aliases and all emails arriving via an external connection with source addresses located from outside the domain; and all emails arriving via an external connection where the source address uses an internal agency domain name.
1827 16.1.31.C.01. All Classifications Must Agencies MUST: develop, implement and maintain a set of policies and procedures covering all system users’: identification; authentication;  authorisation; privileged access identification and management; and make their system users aware of the agency’s policies and procedures.
2070 17.1.51.C.01. All Classifications Must Agencies using cryptographic functionality within a product for the protection of classifiedto protect the confidentiality, authentication, non-repudiation or integrity of information, MUST ensure that the product has completed a cryptographic evaluation recognised by the GCSB.
2080 17.1.53.C.02. Confidential, Secret, Top Secret Must If an agency wishes to reduce the storage or physical transfer requirements for IT equipment or media that contains classified information, they MUST encrypt the classified information using High GradAssurance Cryptographic Equipment (HGACE).   It is important to note that the classification of the information itself remains unchanged.
2081 17.1.53.C.03. Confidential, Secret, Top Secret Must If an agency wishes to use encryption to reduce the storage, handling or physical transfer requirements for IT equipment or media that contains classified information, they MUST use: full disk encryption; or partial  disk encryption where the access control will allow writing onlyONLY to the encrypted partition holding the classified information.
2082 17.1.53.C.04. All Classifications Should If an agency wishes to use encryption to reduce the storage or physical transfer requirements for IT equipment or media that contains classified information, they SHOULD use: full disk encryption; or partial  disk encryption where the access control will only allow writing ONLY to the encrypted partition holding the classified information.
2089 17.1.55.C.01. Confidential, Secret, Top Secret Must Agencies MUST use HGACE if they wish to communicate or pass information over UNCLASSIFIED, insecure or unprotected networks.
2090 17.1.55.C.02. Restricted/Sensitive Must Information or systems classified RESTRICTED or SENSITIVE MUST be encrypted with an aApproved encryption alCryptogorithm and praphic Algorithm and Protocol if information is transmitted or systems are communicating over any insecure or unprotected network such as the Internets, such as the Internet, public infrastructurenetworks or non-agency controlled networks.
2091 17.1.55.C.03. All Classifications Must Agencies MUST encrypt aggregated agency data using an approved algorithm and protocol when data is transmitted over insecure or unprotected networks such as the Internet, pubetween data centres over insecure or unprotectlic infrastructure or non-agency controlled networks such as the Internet, public inwhen the compromise ofrastructure or non-agency controlled networks the aggregated data would present a significant impact to the agency.  
2092 17.1.55.C.04. All Classifications Should Agencies SHOULD useencrypt agency data using an approved encryption productalgorithm and protocol if they wish to communicate over insecure or unprotected networks such as the Internet, public networks or non-agency controlled networks.
2105 17.1.58.C.03. All Classifications Must Agencies using HACE MUST consult with the GCSB for the key management requirements for HGCE.
2128 17.2.17.C.01. All Classifications Must Agencies using an unevaluated product that implements an Approved Cryptographic Algorithm MUST ensure that only Approved Cryptographic Algorithms can be used when using an unevaluated product that implements a combination of approved and non-approved Cryptographic Algorithms.
2134 17.2.19.C.01. All Classifications Must Agencies using DH, for the approved use of agreeing on encryption session keys, MUST use a modulus of at least 4309672 bits.
2137 17.2.20.C.01. All Classifications Must Legacy dDevices which are NOT capable of implementing required key lengths MUST be reconfigured with the longest feasible key length as a matter of urgency.
2138 17.2.20.C.02. All Classifications Must Legacy dDevices which are NOT capable of implementing required key lengths MUST be scheduled for replacement as a matter of urgency.
2151 17.2.24.C.01. All Classifications Must Agencies using RSA, for the approved use of digital signatures and passing encryption session keys or similar keys, MUST use a modulus of at least 3072048 bits.
2155 17.2.26.C.01. All Classifications Must Agencies MUST use the SHA-2 family befor new systems. Use usingof SHA-1 is permitted ONLY for legacy systems.
5905 17.2.26.C.02. All Classifications Must Agencies MUSHOULDT use a minimum of SHA-384 when using hashing algorithms to provide integrity protection for information classified as RESTRICTED/SENSITIVE or above.
2158 17.2.28.C.01. All Classifications Should Not Agencies using approved symmetric encryption algorithms (e.g. AES or 3DES) SHOULD NOT use Electronic Code Book Mode (ECB) mode.
2598 17.4.16.C.01. All Classifications Should Agencies SHOULD use the current version of TLS (version 1.23).
3021 17.9.25.C.01. All Classifications Should The table below describes the minimum contents which SHOULD be documented in the KMP. Topic   Content Objectives Objectives of the cryptographic system and KMP, including organisational aims. Refer to relevant NZCSIs. System description The environment. Maximum classification of information protected. Topology Diagram(s) and description of the cryptographic system topology including data flows. The use of keys. Key algorithm. Key length. Key lifetime. Roles and administrative responsibilities. Documents roles and responsibilities, including the: COMSEC Custodian; Cryptographic systems administrator; Record keeper; and Auditor. Accounting How accounting will be undertaken for the cryptographic system. What records will be maintained. How records will be audited. Classification Classification of the cryptographic system hardware. Classification of cryptographic system software. Classification of the cryptographic system documentation. Information security incidents A description of the conditions under which compromise of key material should be declared. References to procedures to be followed when reporting and dealing with information security incidents. Key management Who generates keys. How keys are delivered. How keys are received. Key distribution, including local, remote and central. How keys are installed. How keys are transferred. How keys are stored. How keys are recovered. How keys are revoked. How keys are destroyed. Maintenance Maintaining the cryptographic system software and hardware. Destroying equipment and media. References Vendor documentation. Related policies.
3043 17.9.31.C.01. All Classifications Must Agencies MUST comply with NZCSI when using HGCP or HGACE.
3053 17.9.32.C.03. All Classifications Should Not Agencies SHOULD NOT transport commercial grade cryptographic equipment or products in a keyed state.
3290 18.2.6.C.01. All Classifications Must Agencies deploying a wireless network for public access MUST segparegate it from any other agency networks; including BYOD networks.
3621 18.2.34.C.01. All Classifications Should Wireless networks SHOULD be sufficiently segregated through the use of channel separation.
3740 18.3.12.C.01. Confidential, Secret, Top Secret Must Agencies MUST: configure VTC and VoIP devices to authenticate themselves to the call controller upon registration; disable phone auto-registration and only allow a n allowhite list of authorised devices to access the network; block unauthorised devices by default;  disable all unused and prohibited functionality; and use individual logins for IP phones.
3741 18.3.12.C.02. All Classifications Should Agencies SHOULD: configure VoIP phones to authenticate themselves to the call controller upon registration; disable phone auto-registration and onlyuse an allow a whitelist of authorised devices to access the network; block unauthorised devices by default;  disable all unused and prohibited functionality; and use individual logins for IP phones.
4015 19.4.4.C.01. All Classifications Must Agencies MUST use devices as shown in the following table for controlling the data flow of one-way gateways between networks of different classifications. High networrk Low network You require RESTRICTED   UNCLASSIFIED EAL2 or PP diode RESTRICTED EAL2 or PP diode CONFIDENTIAL   UNCLASSIFIED high assurance diode RESTRICTED high assurance diode CONFIDENTIAL high assurance diode SECRET   UNCLASSIFIED high assurance diode RESTRICTED high assurance diode CONFIDENTIAL high assurance diode SECRET high assurance diode TOP SECRET   UNCLASSIFIED high assurance diode RESTRICTED high assurance diode CONFIDENTIAL high assurance diode SECRET high assurance diode TOP SECRET high assurance diode
4742 19.5.27.C.06. All Classifications Should Event logs covering all VoIP and UC services SHOULD be maintained in accordance with the requirements of the NZISM. See sections 16.56 - Event lLogging and Auditing and 13.1.12 - Archiving.
4752 19.5.28.C.05. All Classifications Should Agencies SHOULD consider the use of balacklistingow and whitdeny listing to manage fraudulent calls to known fraudulent call destinations.
4406 20.3.12.C.01. Confidential, Secret, Top Secret Must Agencies MUST create and enforce an allowhite list of permitted content types based on business requirements and the results of a security risk assessment.
4407 20.3.12.C.02. All Classifications Should Agencies SHOULD create and enforce an allowhite list of permitted content types based on business requirements and the results of a security risk assessment.
4660 21.4.11.C.06. All Classifications Must Wireless accesses points used for access to agency networks MUST be implemented and secured in accordance with the directions in this manual (See Section 18.2 – Wireless Local Area Networks).
4675 21.4.11.C.20. All Classifications Should BYOD devices and systems SHOULD use Multi-factor (at least two-factor) authentication to connect to agency systems and prior to being permitted access to agency data.
4812 22.1.21.C.05. All Classifications Must Agencies MUST consult with the GCIDO to ensure the strategic and other cloud risks are comprehensively assessed.
4814 22.1.21.C.07. All Classifications Must Agencies using cloud services MUST ensure they have conducted a documented risk assessment, accepted any residual risks, and followed the endorsement procedure required by the GCIDO.
4822 22.1.22.C.03. All Classifications Must Agencies using cloud services hosted offshore and connected to All-of-Government systems MUST ensure they have conducted a risk assessment, accepted any residual risks, and followed the endorsement procedure required by the GCIDO.