This is a report of changes between nzism-data/NZISM-FullDoc-V.3.5-January-2022.xml and nzism-data/NZISM-FullDoc-V.3.6-September-2022.xml.

Controls Added

CID Title Classifications Compliances Text
7206 2.4.13.C.01. All Classifications Should Agencies SHOULD ensure they are aware of the latest developments in post-quantum cryptography.  GCSB is tracking these developments and will continue to provide advice through the NZISM.
7207 2.4.13.C.02. All Classifications Should Agencies SHOULD maintain an inventory of sensitive and critical datasets that must be secured for an extended amount of time.  This will ensure datasets that may be at risk now and decrypted once a cryptographically relevant quantum computer is available are not secured solely through the use of quantum vulnerable cryptography.
7208 2.4.13.C.03. All Classifications Should Agencies SHOULD conduct an inventory of systems using cryptographic technologies to determine the potential size and scope of future transition work once post-quantum cryptographic systems become available.
7209 2.4.13.C.04. All Classifications Should Agencies SHOULD identify which systems in their inventory rely on public key cryptography and note them as quantum vulnerable in agency risk assessments.
7210 2.4.13.C.05. All Classifications Should Agencies SHOULD determine a priority order for quantum vulnerable systems to be transitioned from classical cryptography to post-quantum cryptography.
7211 2.4.13.C.06. All Classifications Should Agencies SHOULD consider the following factors when prioritising the quantum vulnerable systems: Is the system a high value asset based on agency requirements? Does the system protect sensitive information (e.g. key stores, passwords, root keys, signing keys, personally identifiable information, and classified information)? Do other systems (internal or external to the agency) depend on the cryptographic protections in place on the quantum vulnerable system? How long does the data need to be protected?
7212 2.4.13.C.07. All Classifications Should Using the inventory and prioritisation information, agencies SHOULD develop a plan for system transitions upon publication of the new post-quantum cryptographic standard.
7250 18.7.14.C.01. All Classifications Must Agencies MUST undertake a threat and risk assessment on the use of inverse split tunnelling prior to enabling the functionality in remote access VPN systems.
7251 18.7.14.C.02. All Classifications Should When providing inverse split-tunnelled access to internet based services (“directly accessed services”), the following aspects SHOULD be considered as part of the threat and risk assessment: How do directly accessed services authenticate agency device identities prior to granting access to the service? How do agency devices securely resolve internet addresses for directly accessed services? How are the communications between the devices and directly accessed services secured? How does an agency monitor and account for access made to directly accessed services? How does an agency protect devices from compromise if they are able to directly access internet based resources, or be directly accessed from the internet? How do directly accessed services authenticate the user of the agency device prior to granting access to the service (this is separate to authenticating the agency device itself)? How does an agency enforce the use of multi-factor authentication with directly accessed services? How does an agency authorise access to directly accessed services, and does this include from devices that are not authorised to connect to agency remote access services (authorisation and authentication are separate activities)? How is access to directly accessed cloud services removed when staff no longer require access or leave the agency?
7349 23.1.53.C.01. All Classifications Must Agencies MUST clearly identify and understand where classification, security domain, and trust zone boundaries exist prior to implementation or adoption of public cloud services.
7350 23.1.53.C.02. All Classifications Must Where multiple identity systems under different security policies are used to control access to an agency’s instance of a public cloud service, the instance MUST be considered to be in a separate security domain from services where access control is managed solely by the agency’s identity system.
7353 23.1.54.C.01. All Classifications Must Agencies MUST clearly identify and understand their cloud service provider’s security responsibilities for each service consumed, and the aspects of security that the agency is responsible for, prior to implementation or adoption of the service.
7354 23.1.54.C.02. Should Agencies SHOULD clearly document the aspects of security they and their provider are responsible for.
7355 23.1.54.C.03. All Classifications Should Agencies SHOULD review existing security processes to ensure compatibility with their cloud service provider’s responsibilities.
7359 23.1.55.C.01. All Classifications Should Agencies SHOULD deploy and manage their cloud infrastructure using automation, version control, and infrastructure as code techniques where these are available.
7386 23.2.16.C.01. All Classifications Must Agencies MUST update their risk assessment process to account for public cloud specific risks, prior to implementation or adoption of public cloud services.
7387 23.2.16.C.02. All Classifications Must Agencies MUST undertake a cloud specific risk assessment in line with the process outlined by the GCDO for each public cloud service, prior to implementation or adoption of public cloud services.
7388 23.2.16.C.03. Confidential, Secret, Top Secret Must Not Agencies MUST NOT accredit public cloud services for use with data classified CONFIDENTIAL, SECRET, or TOP SECRET.
7389 23.2.16.C.04. All Classifications Must Not Agencies MUST NOT accredit public cloud services to host, process, store, or transmit NZEO endorsed information.
7394 23.2.17.C.01. All Classifications Must Agencies MUST consider risks to the availability of systems and information in their design of cloud systems architectures, supporting controls, and governance processes prior to implementation or adoption of public cloud services.
7397 23.2.18.C.01. All Classifications Should Agencies SHOULD obtain regular assurance checks on cloud service providers, ensuring that they are undertaken by a suitably qualified assessor.
7400 23.2.19.C.01. All Classifications Must Agencies MUST obtain assurance that cloud service providers undertake appropriate software and operating system patching and maintenance.
7404 23.2.20.C.01. All Classifications Must Agencies MUST obtain assurance that technical protections exist to adequately isolate tenants.
7407 23.2.21.C.01. All Classifications Should Agencies SHOULD make use of the GCSB endorsed baseline security templates where applicable.  
7433 23.3.18.C.01. All Classifications Should Accounts used to perform privileged actions SHOULD NOT be synchronised between environments.
7436 23.3.19.C.01. All Classifications Must Where administration interfaces or portals are accessible from the internet, privileged accounts MUST be configured to use multiple factors of authentication.
7437 23.3.19.C.02. All Classifications Should Where cloud service interfaces or portals are accessible from the internet, user accounts SHOULD be configured to use multiple factors of authentication.
7440 23.3.20.C.01. All Classifications Must Staff offboarding processes MUST be updated to include removing all access to public cloud based services, prior to implementation or adoption of public cloud services.
7443 23.3.21.C.01. All Classifications Must Agencies MUST ensure that relying parties continually verify the authenticity of their identity provider’s responses, through for example, cryptographic signing of authentication requests and responses.
7446 23.3.22.C.01. All Classifications Should Agencies SHOULD ensure that relying parties use all available information from the identity provider to inform access control decisions.
7461 23.4.9.C.01. All Classifications Must For each cloud service, agencies MUST ensure that the mechanisms used to protect data meet agency requirements.
7462 23.4.9.C.02. All Classifications Must Agencies MUST update key management plans to account for differences in public cloud before storing organisational data in a public cloud environment.
7463 23.4.9.C.03. All Classifications Must Agencies MUST ensure their key management plan includes provision for migrating data from the cloud environment where it was created.
7466 23.4.10.C.01. All Classifications Must Agencies MUST apply the principle of least privilege and configure service endpoints to restrict access to authorised parties.
7469 23.4.11.C.01. All Classifications Must Agencies MUST identify where data used in conjunction with a public cloud service is stored or processed, including any replicas or backups that may be created.
7470 23.4.11.C.02. All Classifications Must Agency risk assessments of public cloud services MUST include any risks arising from data location. Any actions required to mitigate these risks must be identified and documented prior to implementation or adoption of public cloud services.
7474 23.4.12.C.01. All Classifications Must Agencies MUST update their disaster recovery plans prior to storing or replicating data in public cloud services, to ensure these plans address any cloud-specific aspects of backup and recovery.
7475 23.4.12.C.02. All Classifications Must When planning tests of disaster recovery processes in accordance with 6.4.6 Backup strategy, agencies MUST include tests of any cloud-specific data recovery processes.
7494 23.5.10.C.01. All Classifications Must Agencies MUST understand the range of logging capabilities provided by their cloud service providers and determine whether they are sufficient for agency needs.
7496 23.5.11.C.01. All Classifications Must Agencies MUST ensure that logs associated with public cloud services are collected, protected, and that their integrity can be confirmed in accordance with the agency’s documented logging requirements.
7498 23.5.12.C.01. All Classifications Must Agencies MUST ensure that cloud service provider logs are incorporated into overall enterprise logging and alerting systems or procedures in a timely manner to detect information security incidents.
7499 23.5.12.C.02. All Classifications Should Agencies SHOULD ensure that tools and procedures used to detect potential information security incidents account for the public cloud services being consumed by the agency.

Controls Removed

CID Title Classifications Compliances Text

Controls Changed

CID Title Classifications Compliances Text
391 3.3.8.C.01. All Classifications Must ITSMs MUST be responsible for ensuring the development, maintenance, updating and implementation of Security Risk Management Plans (SRMPs), Systems Security Plans (SecPlanSP) and any Standard Operating Procedures (SOPs) for all agency systems.
569 4.3.18.C.01. All Classifications Must The SecPol, SRMP, SecSPlan, SOPs and IRP documentation MUST be reviewed by the auditor to ensure that it is comprehensive and appropriate for the environment the system is to operate within.
702 5.1.10.C.01. All Classifications Must Agencies MUST ensure that every system is covered by a SecSPlan.
718 5.1.15.C.01. All Classifications Should Agencies SHOULD ensure that their SRMP, Systems Architecture, SecSPlan, SOPs and IRP are logically connected and consistent for each system, other agency systems and with the agency’s SecPol.
729 5.1.18.C.01. All Classifications Must Agencies MUST ensure that their SecPol, SRMP, SecSPlan, SOPs and IRP are appropriately classified.
828 5.4.5.C.01. All Classifications Must Agencies MUST select controls from this manual to be included in the SecSPlan based on the scope of the system with additional system specific controls being included as a result of the associated SRMP. Encryption Key Management requires specific consideration; refer to Chapter 17 – Cryptography.
829 5.4.5.C.02. All Classifications Should Agencies SHOULD use the latest baseline of this manual when developing, and updating, their SecSPlans as part of the certification, accreditation and reaccreditation of their systems.
831 5.4.5.C.03. All Classifications Should Agencies SHOULD include a Key Management Plan in the SecSPlan.
7134 5.9.24.C.02. All Classifications Must An agency’s VDP MUST contain at least the following core content: A scoping statement listing the systems the policy applies to; Contact details; Secure communication options (including any public keys); Information the finder should include in the report; Acknowledgement of reports and a response time; Guidance on what forms of vulnerability testing are out of scope for reporters/finders (permitted activities); Reporters/finders agreeing to not share information about the vulnerability until the end of the disclosure period, in order to allow let the agency to address any issues before they become public; Illegal activities are not permitted (specifying the relevant legislation, such as the Crimes Act); and Either that “Bug bounties” will not be paid for any discoveries, or it should provide information about the agency’s bug bounty programme.
1048 6.1.9.C.01. All Classifications Should Agencies SHOULD review the components detailed in the table below. Agencies SHOULD also ensure that any adjustments and changes as a result of any vulnerability analysis are consistent with the vulnerability disclosure policy. Component Review Information security documentation The SecPol, Systems Architecture, SRMPs, SecSPlans, SitePlan, SOPs, the VDP, the IRP, and any third party assurance reports. Dispensations Prior to the identified expiry date. Operating environment When an identified threat emerges or changes, an agency gains or loses a function or the operation of functions are moved to a new physical environment. Procedures After an information security incident or test exercise. System security Items that could affect the security of the system on a regular basis. Threats Changes in threat environment and risk profile. NZISM Changes to baseline or other controls, any new controls and guidance.
1095 6.3.7.C.03. All Classifications Should Agencies SHOULD follow this change management process outline: produce a written change request; submit the change request to all stakeholders for approval; document the changes to be implemented; test the approved changes; notification to user of the change schedule and likely effect or outage; implement the approved changes after successful testing; update the relevant information security documentation including the SRMP, SecSPlan and SOPs notify and educate system users of the changes that have been implemented as close as possible to the time the change is applied; and continually educate system users in regards to changes.
1409 8.4.11.C.01. All Classifications Should Agencies choosing to prevent the storage of classified information on non-volatile media and enforcing scrubbing of temporary data at logoff or shutdown SHOULD: assess the security risks associated with such a decision; and specify the processes and conditions for their application within the system’s SecSPlan.  
1412 8.4.12.C.01. All Classifications Should Agencies securing volatile media for IT equipment during non-operational hours SHOULD: disconnect power from the equipment the media resides within; assess the security risks if not sanitising the media; and specify any additional processes and controls that will be applied within the system’s SecSPlan.
1480 9.2.10.C.01. All Classifications Must Agencies MUST specify in the System Security Plan (SecSPlan) any authorisations, security clearances and briefings necessary for system access.
1484 9.2.11.C.02. All Classifications Should Agencies SHOULD: limit system access on a need-to-know/need-to-access basis; provide system users with the least amount of privileges needed to undertake their duties; and have any requests for access to a system authorised by the supervisor or manager of the system user; and ensure a formal acknowledgement of the security briefing is obtained and recorded.
1487 9.2.12.C.01. All Classifications Should Agencies SHOULD: maintain a secure record of: all authorised system users; their user identification; why access is required; role and privilege level, who provided the authorisation to access the system; when the authorisation was granted; and keep a copy of the acknowledgement signed by the individual granted a clearance; and maintain the record, for the life of the system or information to which access is granted, or the length of employment, whichever is the longer, to which access is granted.
1508 9.2.18.C.01. All Classifications Must Agencies granting limited higher access to a system MUST ensure that: effectithe approve controls are in place to restrict access to onlyal for access is formally acknowledged and recorded; and either effective controls are in place to restrict access only to classified information that is necessary to undertake the system user’s duties; or the system user is continually supervised by another system user who has the appropriate security clearances to access the system.
2412 10.5.11.C.01. All Classifications Should Agencies SHOULD inspect cables for inconsistencies with the cable register in accordance with the frequency defined in the SecSPlan.
5626 10.6.29.C.01. Confidential, Secret, Top Secret Must Cabinet rails MUST be installed to: provide adequate room for patch cables and wire managers; provide adequate space for cable management at front, sides, and rear; and arrange switches and patch panels to minimize patching between cabinets & racks.
3455 12.4.5.C.01. All Classifications Should Where known vulnerabilities cannot be patched, or security patches are not available, agencies SHOULD implement: controls to resolve the vulnerability such as: disable the functionality associated with the vulnerability though product configuration; ask the vendor for an alternative method of managing the vulnerability; install a version of the product that does not have the identified vulnerability; install a different product with a more responsive vendor; or engage a software developer to correct the software. controls to prevent exploitation of the vulnerability including: apply external input sanitisation (if an input triggers the exploit); apply filtering or verification on the software output (if the exploit relates to an information disclosure); apply additional access controls that prevent access to the vulnerability; or configure firewall rules to limit access to the vulnerable software. controls to contain the exploit including: apply firewall rules limiting outward traffic that is likely in the event of an exploitation; apply mandatory access control preventing the execution of exploitation code; or set file system permissions preventing exploitation code from being written to disk;  allowhite and black and deny listing to prevent code execution; and controls to detect attacks including: deploy an IDS; monitor logging alerts; or use other mechanisms as appropriate for the detection of exploits using the known vulnerability. controls to prevent attacks including: deploy an IPS or HIPS; or use other mechanisms as appropriate for the diversion of exploits using the known vulnerability, such as honey pots and Null routers.
1234 14.2.4.C.01. All Classifications Should Agencies SHOULD implement application allowhite listing as part of the SOE for workstations, servers and any other network device.
1242 14.2.5.C.01. All Classifications Must Agencies MUST ensure that a system user cannot disable the application allowhite listing mechanism.
898 14.2.5.C.04. All Classifications Should Agencies SHOULD ensure that application allowhite listing does not replace the antivirus and anti-malware software within a system.
907 14.2.6.C.01. All Classifications Should Agencies SHOULD ensure that system administrators are not automatically exempt from application allowhite listing policy.
936 14.2.7.C.02. All Classifications Should Agencies SHOULD ensure that application allowhite listing is used in addition to a strong access control list model and the use of limited privilege accounts.
940 14.2.7.C.03. All Classifications Should Agencies SHOULD plan and test application allowhite listing mechanisms and processes thoroughly prior to implementation.
945 14.2.7.C.05. All Classifications Should Agencies SHOULD restrict the process creation permissions of any executables which are permitted to run by the application allowhite listing controls.
947 14.2.7.C.07. All Classifications Should Logs from the application allowhite listing implementation SHOULD include all relevant information.
1602 14.3.8.C.01. All Classifications Should Agencies permitting TLS through their gateways SHOULD implement: a solution that decrypts and inspects the TLS traffic as per content filtering requirements; or a n allowhite list specifying the addresses (uniform resource locators) to which encrypted connections are permitted, with all other addresses blocked.
1609 14.3.10.C.01. All Classifications Should Agencies SHOULD implement allowhite listing for all HTTP traffic being communicated through their gateways.
1608 14.3.10.C.02. All Classifications Should Agencies using an allowhite list on their gateways to specify the external addresses, to which encrypted connections are permitted, SHOULD specify allowhite list addresses by domain name or IP address.
1610 14.3.10.C.03. All Classifications Should If agencies do not allowhite list websites they SHOULD blackdeny list websites to prevent access to known malicious websites.
1611 14.3.10.C.04. All Classifications Should Agencies blackdeny listing websites SHOULD update the blackdeny list on a frequent basis to ensure that it remains effective.
1621 14.3.13.C.01. All Classifications Must Not Users MUST NOT use agency useridID and login passwords as credentials for external websites.
1745 15.2.21.C.01. All Classifications Should Agencies SHOULD configure the following gateway filters: inbound and outbound email, including any attachments, that contain: malicious code; content in conflict with the agency’s email policy; content that cannot be identified; deny listed or unauthorised filetypes; and encrypted content, when that content cannot blacklisted or unauthorised filetye inspescted for malicious code or authenticated as originating from a trusted source; and encrypted content, emails addressed to internal email aliases when that content cannot be inspected for malicious code or authenticated as originating from a trusted sourceith source addresses located from outside the domain; emails addressed to internal email aliases and all emails arriving via an external connection with source addresses located from outside the domain; and all emails arriving via an external connection where the source address uses an internal agency domain name.
3021 17.9.25.C.01. All Classifications Should The table below describes the minimum contents which SHOULD be documented in the KMP. Topic   Content Objectives Objectives of the cryptographic system and KMP, including organisational aims. Refer to relevant NZCSIs. System description The environment. Maximum classification of information protected. Topology Diagram(s) and description of the cryptographic system topology including data flows. The use of keys. Key algorithm. Key length. Key lifetime. Roles and administrative responsibilities. Documents roles and responsibilities, including the: COMSEC Custodian; Cryptographic systems administrator; Record keeper; and Auditor. Accounting How accounting will be undertaken for the cryptographic system. What records will be maintained. How records will be audited. Classification Classification of the cryptographic system hardware. Classification of cryptographic system software. Classification of the cryptographic system documentation. Information security incidents A description of the conditions under which compromise of key material should be declared. References to procedures to be followed when reporting and dealing with information security incidents. Key management Who generates keys. How keys are delivered. How keys are received. Key distribution, including local, remote and central. How keys are installed. How keys are transferred. How keys are stored. How keys are recovered. How keys are revoked. How keys are destroyed. Maintenance Maintaining the cryptographic system software and hardware. Destroying equipment and media. References Vendor documentation. Related policies.
3740 18.3.12.C.01. Confidential, Secret, Top Secret Must Agencies MUST: configure VTC and VoIP devices to authenticate themselves to the call controller upon registration; disable phone auto-registration and only allow a n allowhite list of authorised devices to access the network; block unauthorised devices by default;  disable all unused and prohibited functionality; and use individual logins for IP phones.
3741 18.3.12.C.02. All Classifications Should Agencies SHOULD: configure VoIP phones to authenticate themselves to the call controller upon registration; disable phone auto-registration and onlyuse an allow a whitelist of authorised devices to access the network; block unauthorised devices by default;  disable all unused and prohibited functionality; and use individual logins for IP phones.
4742 19.5.27.C.06. All Classifications Should Event logs covering all VoIP and UC services SHOULD be maintained in accordance with the requirements of the NZISM. See sections 16.56 - Event lLogging and Auditing and 13.1.12 - Archiving.
4752 19.5.28.C.05. All Classifications Should Agencies SHOULD consider the use of balacklistingow and whitdeny listing to manage fraudulent calls to known fraudulent call destinations.
4406 20.3.12.C.01. Confidential, Secret, Top Secret Must Agencies MUST create and enforce an allowhite list of permitted content types based on business requirements and the results of a security risk assessment.
4407 20.3.12.C.02. All Classifications Should Agencies SHOULD create and enforce an allowhite list of permitted content types based on business requirements and the results of a security risk assessment.