NZISM-3.2-to-3.5.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8" />

    <title>NZISM Comparison</title>

    <style type="text/css">
        body {
    font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
}

h1 {
    color: #040477;
}

table {
    border: 1px solid black;
    border-collapse: collapse;
}

thead {
    background-color: #040477;
    color: white;
}

th, td {
    padding: 0.3em;
    text-align: left;
}

td {
    border: 1px solid black;
    max-width: 800px;
    overflow-wrap: break-word;
}

span.insert {
    text-decoration: underline;
    background-color: mediumseagreen;
}

span.delete {
    text-decoration: line-through;
    background-color: firebrick;
}
    </style>
</head>
<body>
    <section>
        <p>This is a report of changes between <strong>nzism-data/NZISM-FullDoc-V.3.2-Jan-2019.xml</strong> and <strong>nzism-data/NZISM-FullDoc-V.3.5-January-2022.xml</strong>.</p>
        <ul>
            <li><a href="#controls_added">Controls Added</a></li>
            <li><a href="#controls_removed">Controls Removed</a></li>
            <li><a href="#controls_changed">Controls Changed</a></li>
        </ul>
    </section>
    <section id="controls_added">
        <h1>Controls Added</h1>

        <table>
            <thead>
                <tr>
                    <th>CID</th>
                    <th>Title</th>
                    <th>Classifications</th>
                    <th>Compliances</th>
                    <th>Text</th>
                </tr>
            </thead>
            <tbody>
                
                <tr>
                    <td>7045</td>
                    <td>2.3.25.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies intending to adopt public cloud technologies or services MUST develop a plan for how they intend to use these services.  This plan can be standalone or part of an overarching ICT strategy.</td>
                </tr>
                
                <tr>
                    <td>7046</td>
                    <td>2.3.25.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>An agency’s cloud adoption plan SHOULD cover:
Outcomes and benefits that the adoption of cloud technologies will bring;
Risks introduced or mitigated through the use of cloud, and the agency’s risk tolerance;
Financial and cost accounting models;
Shared responsibility models;
Cloud deployment models;
Cloud security strategy;
Resilience and recovery approaches;
Data recovery on contract termination;
Cloud exit strategy and other contractual arrangements; and
A high level description of the foundation services that enable cloud adoption, including:

User, device and system identity;
Encryption and key management;
Information management;
Logging and alerting;
Incident management;
Managing privileged activities; and
Cost management.


</td>
                </tr>
                
                <tr>
                    <td>7049</td>
                    <td>2.3.26.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies intending to adopt public cloud technologies or services SHOULD incorporate Zero Trust philosophies and concepts.</td>
                </tr>
                
                <tr>
                    <td>7050</td>
                    <td>2.3.26.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD leverage public cloud environment native security services as part of legacy system migrations, in preference to recreating application architectures that rely on legacy perimeter controls for security.</td>
                </tr>
                
                <tr>
                    <td>7084</td>
                    <td>3.2.10.C.04.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>The CISO SHOULD work with system owners, system certifiers and system accreditors to determine appropriate information security policies for their systems and ensure consistency with the Protective Security Requirements (PSR) and in particular the relevant NZISM components.</td>
                </tr>
                
                <tr>
                    <td>7130</td>
                    <td>5.9.23.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>An agency MUST undertake a risk assessment to determine which systems and services to include in the agency’s VDP.</td>
                </tr>
                
                <tr>
                    <td>7133</td>
                    <td>5.9.24.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>An agency MUST develop and publish a VDP.</td>
                </tr>
                
                <tr>
                    <td>7134</td>
                    <td>5.9.24.C.02.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>An agency’s VDP MUST contain at least the following core content:
A scoping statement listing the systems the policy applies to;
Contact details;
Secure communication options (including any public keys);
Information the finder should include in the report;
Acknowledgement of reports and a response time;
Guidance on what forms of vulnerability testing are out of scope for reporters/finders (permitted activities);
Reporters/finders agreeing to not share information about the vulnerability until the end of the disclosure period, in order to allow let the agency to address any issues before they become public;
Illegal activities are not permitted (specifying the relevant legislation, such as the Crimes Act); and
Either that “Bug bounties” will not be paid for any discoveries, or it should provide information about the agency’s bug bounty programme.
</td>
                </tr>
                
                <tr>
                    <td>7136</td>
                    <td>5.9.25.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>An agency SHOULD publish a security.txt to permit secure communications and direct any reports to a specific agency resource, in accordance with the agency’s VDP.</td>
                </tr>
                
                <tr>
                    <td>7138</td>
                    <td>5.9.26.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>An agency MUST commit to addressing disclosed vulnerabilities within the timeframe it sets in its policy.</td>
                </tr>
                
                <tr>
                    <td>7139</td>
                    <td>5.9.26.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>An agency’s vulnerability disclosure timeframe SHOULD be set to no more than 90 days.</td>
                </tr>
                
                <tr>
                    <td>7141</td>
                    <td>5.9.27.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST ensure they integrate their VDP with other elements of their information security policies.</td>
                </tr>
                
                <tr>
                    <td>6592</td>
                    <td>7.2.24.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST replace compromised cryptographic keys as a matter of urgency and record the replacement in the incident reporting.</td>
                </tr>
                
                <tr>
                    <td>6997</td>
                    <td>12.6.10.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Because of the risks that data can be recovered from monitors, it is essential that any redeployment or disposal of monitors MUST follow the guidance in the NZISM.</td>
                </tr>
                
                <tr>
                    <td>7165</td>
                    <td>13.5.24.C.03.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Where a facility is NOT an approved facility, agencies MUST ensure any incineration equipment is rated for the destruction of electronic waste (WEEE) and the operator is properly authorised or licensed.</td>
                </tr>
                
                <tr>
                    <td>7166</td>
                    <td>13.5.24.C.04.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Where a facility is NOT an approved facility, agencies MUST ensure processes are in place for the safe handling of electronic waste (WEEE), including any residual material from the destruction process.</td>
                </tr>
                
                <tr>
                    <td>6553</td>
                    <td>16.1.38.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Password and other authentication data SHOULD be hashed before storage using an approved cryptographic protocol and algorithm.</td>
                </tr>
                
                <tr>
                    <td>6835</td>
                    <td>16.4.30.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST establish a Privileged Access Management (PAM) policy.</td>
                </tr>
                
                <tr>
                    <td>6836</td>
                    <td>16.4.30.C.02.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Within the context of agency operations, the agency’s PAM policy MUST define:
a privileged account; and
privileged access.
</td>
                </tr>
                
                <tr>
                    <td>6837</td>
                    <td>16.4.30.C.03.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST manage Privileged Accounts in accordance with the Agency’s PAM Policy.</td>
                </tr>
                
                <tr>
                    <td>6842</td>
                    <td>16.4.31.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST apply the Principle of Least Privilege when developing and implementing a Privileged Access Management (PAM) policy.</td>
                </tr>
                
                <tr>
                    <td>6843</td>
                    <td>16.4.31.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD use two-factor or Multi-Factor Authentication to allow access to Privileged Accounts.</td>
                </tr>
                
                <tr>
                    <td>6846</td>
                    <td>16.4.32.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>As part of a Privileged Access Management (PAM) policy, agencies MUST establish and implement a strong approval and authorisation process before any privileged access credentials are issued.</td>
                </tr>
                
                <tr>
                    <td>6847</td>
                    <td>16.4.32.C.02.</td>
                    <td>All Classifications</td>
                    <td>Must Not</td>
                    <td>Privileged Access credentials MUST NOT be issued until approval has been formally granted.</td>
                </tr>
                
                <tr>
                    <td>6852</td>
                    <td>16.4.33.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST establish robust credential suspension and revocation procedures as part of the agency’s Privileged Access Management (PAM) policy.</td>
                </tr>
                
                <tr>
                    <td>6855</td>
                    <td>16.4.34.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST create and maintain a comprehensive inventory of privileged accounts and the associated access rights and credentials.</td>
                </tr>
                
                <tr>
                    <td>6859</td>
                    <td>16.4.35.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST create, implement and maintain a robust system of continuous discovery, monitoring and review of privileged accounts and the access rights and credentials associated with those accounts.</td>
                </tr>
                
                <tr>
                    <td>6860</td>
                    <td>16.4.35.C.02.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Privileged account monitoring systems MUST monitor and record:
individual user activity, including exceptions such as out of hours access;
activity from unauthorised sources;
any unusual use patterns; and
any creation of unauthorised privileges access credentials.
</td>
                </tr>
                
                <tr>
                    <td>6861</td>
                    <td>16.4.35.C.03.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST protect and limit access to activity and audit logs and records.</td>
                </tr>
                
                <tr>
                    <td>6864</td>
                    <td>16.4.36.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST develop and implement a response and remediation policy and procedure as part of an agency’s Privileged Access Management (PAM) policy.</td>
                </tr>
                
                <tr>
                    <td>6868</td>
                    <td>16.4.37.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST implement a Privileged Access Management (PAM) policy training module as part of the agency’s overall user training and awareness requirement.</td>
                </tr>
                
                <tr>
                    <td>6948</td>
                    <td>16.7.33.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST undertake a risk analysis before designing and implementing MFA.</td>
                </tr>
                
                <tr>
                    <td>6952</td>
                    <td>16.7.34.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>The design of an agency’s MFA SHOULD include consideration of:
Risk Identification;
Level of security and access control appropriate for each aspect of an agency’s information systems (data, devices, equipment, storage, cloud, etc.)
A formal authorisation process for user system access and entitlements;
Logging, monitoring and reporting of activity;
Review of logs for orphaned accounts and inappropriate user access;
Identification of error and anomalies which may indicate inappropriate or malicious activity;
Incident response;
Remediation of errors;
Suspension and/or revocation of access rights where policy violations occur;
Capacity planning.
</td>
                </tr>
                
                <tr>
                    <td>6953</td>
                    <td>16.7.34.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Where an agency has implemented MFA they SHOULD:
Require MFA for administrative or other high privileged users; and
Implement a secure, multi-factor process to allow users to reset their normal usage user credentials.
</td>
                </tr>
                
                <tr>
                    <td>6956</td>
                    <td>16.7.35.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>The design of an agency’s MFA system SHOULD be integrated with the agency’s Information Security Policy and the agency’s Privileged Access Management (PAM) Policy.</td>
                </tr>
                
                <tr>
                    <td>6960</td>
                    <td>16.7.36.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>When agencies implement MFA they MUST ensure users have an understanding of the risks, and include appropriate usage and safeguards for MFA in the agency’s user training and awareness programmes.</td>
                </tr>
                
                <tr>
                    <td>7189</td>
                    <td>17.2.21.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies using DSA, for the approved use of digital signatures, MUST use a modulus of at least 1024 bits.</td>
                </tr>
                
                <tr>
                    <td>7181</td>
                    <td>17.2.24.C.03.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies using RSA, for the approved use of digital signatures and passing encryption session keys or similar keys, SHOULD use a modulus of at least 4096 bits.</td>
                </tr>
                
                <tr>
                    <td>7186</td>
                    <td>17.2.25.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies using RSA keys within internet X.509 Public Key Infrastructure certificates MUST use a modulus of at least 2048 bits.</td>
                </tr>
                
                <tr>
                    <td>7187</td>
                    <td>17.2.26.C.03.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>In all other cases when information requires integrity protection using hashing algorithms, Agencies MUST use a minimum of SHA-256.</td>
                </tr>
                
                <tr>
                    <td>6560</td>
                    <td>17.2.27.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Memorised secrets such as passwords MUST be stored in a form that is resistant to offline attacks.</td>
                </tr>
                
                <tr>
                    <td>6561</td>
                    <td>17.2.27.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Memorised secrets such as passwords SHOULD be salted and hashed using a suitable one-way key derivation function. See 17.2.24.</td>
                </tr>
                
                <tr>
                    <td>6562</td>
                    <td>17.2.27.C.03.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>The salt SHOULD be at least 32 bits in length, be chosen arbitrarily, and each instance is unique so as to minimise salt value collisions among stored hashes.</td>
                </tr>
                
            </tbody>
        </table>
    </section>

    <section id="controls_removed">
        <h1>Controls Removed</h1>

        <table>
            <thead>
                <tr>
                    <th>CID</th>
                    <th>Title</th>
                    <th>Classifications</th>
                    <th>Compliances</th>
                    <th>Text</th>
                </tr>
            </thead>
            <tbody>
                
                <tr>
                    <td>383</td>
                    <td>3.3.6.C.05.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>ITSMs SHOULD work with system owners, systems certifiers and systems accreditors to determine appropriate information security policies for their systems and ensure consistency with the Protective Security Requirements (PSR) and in particular the relevant NZISM components.</td>
                </tr>
                
                <tr>
                    <td>1263</td>
                    <td>7.3.5.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST follow the NZ implementation of the STIXX / TAXII and CyBox protocols and SHOULD include the following information in their register:
the date the information security incident was discovered;
the date the information security incident occurred;
a description of the information security incident, including the personnel, systems and locations involved;
the action taken;
to whom the information security incident was reported; and
the file reference.
</td>
                </tr>
                
                <tr>
                    <td>1350</td>
                    <td>8.2.5.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD use a secured server or communications room within a secured facility.</td>
                </tr>
                
                <tr>
                    <td>2141</td>
                    <td>17.2.17.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies using DSA, for the approved use of digital signatures, MUST use a modulus of at least 1024 bits.</td>
                </tr>
                
                <tr>
                    <td>2161</td>
                    <td>17.2.23.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>3DES MUST use either two distinct keys in the order key 1, key 2, key 1 or three distinct keys.</td>
                </tr>
                
                <tr>
                    <td>2170</td>
                    <td>17.2.24.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>AES implementations for symmetric encryption of data SHOULD use the Galois/Counter Mode (GCM).</td>
                </tr>
                
            </tbody>
        </table>
    </section>

    <section id="controls_changed">
        <h1>Controls Changed</h1>

        <table>
            <thead>
                <tr>
                    <th>CID</th>
                    <th>Title</th>
                    <th>Classifications</th>
                    <th>Compliances</th>
                    <th>Text</th>
                </tr>
            </thead>
            <tbody>
                
                <tr>
                    <td>127</td>
                    <td>1.1.64.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>System owners seeking a dispensation for non-compliance with any <span class="delete">essential</span><span class="insert">baseline</span> controls in this manual MUST be granted a dispensation by their Accreditation Authority. Where High <span class="delete">Grad</span><span class="insert">Assuranc</span>e Cryptographic Systems (H<span class="insert">ACS) are implemented, the Accreditation Authority will be the Director-General </span>GCS<span class="delete">) are implemented, the Accreditation Authority will be the Director-General GCS</span>B or a formal delegate.</td>
                </tr>
                
                <tr>
                    <td>131</td>
                    <td>1.1.65.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>System owners seeking a dispensation for non-compliance with <span class="delete">essential</span><span class="insert">baseline</span> controls MUST complete an agency risk assessment which documents:
the reason(s) for not being able to comply with this manual;
the effect on any of their own, multi-agency or All-of-Government system;
the alternative mitigation measure(s) to be implemented;
The strength and applicability of the alternative mitigations;
an assessment of the residual security risk(s); and
a date by which to review the decision.
</td>
                </tr>
                
                <tr>
                    <td>143</td>
                    <td>1.1.67.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>If a system processes, stores or communicates data and information with multiple agencies or forms part of an All-of-Government system, interested parties MUST be formally consulted before non-compliance with any <span class="delete">essential</span><span class="insert">baseline</span> controls.</td>
                </tr>
                
                <tr>
                    <td>151</td>
                    <td>1.1.69.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST retain a copy and maintain a record of the supporting risk assessment and decisions to be non-compliant with any <span class="delete">es</span><span class="insert">ba</span>se<span class="insert">li</span>n<span class="delete">tial</span><span class="insert">e</span> controls from this manual.</td>
                </tr>
                
                <tr>
                    <td>255</td>
                    <td>2.3.27.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies intending to adopt cloud technologies or services MUST conduct a comprehensive risk assessment, in accordance with the guidance provided by the G<span class="insert">overnment </span>C<span class="delete">I</span><span class="insert">hief Digital </span>O<span class="insert">fficer (GCDO)</span> before implementation or adoption.</td>
                </tr>
                
                <tr>
                    <td>283</td>
                    <td>3.1.8.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>When the agency head de<span class="delete">vo</span>l<span class="delete">v</span><span class="insert">egat</span>es their authority<span class="insert">,</span> the delegate SHOULD be <span class="insert">a senior executive who understands </span>the <span class="delete">CISO</span><span class="insert">consequences and potential impact to the business of the acceptance of residual risk</span>.</td>
                </tr>
                
                <tr>
                    <td>284</td>
                    <td>3.1.8.C.03.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Where the head of a smaller agency is not able to satisfy all segregation of duty requirements because of scalability and small personnel numbers, all<span class="delete">,</span> potential conflicts of interest SHOULD be clearly identified, declared and actively managed.</td>
                </tr>
                
                <tr>
                    <td>311</td>
                    <td>3.2.8.C.05.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Where <span class="insert">mul</span>t<span class="delete">h</span><span class="insert">ipl</span>e role<span class="insert">s</span> <span class="delete">of</span><span class="insert">are held by</span> the CISO <span class="delete">is outsourced,</span><span class="insert">any</span> potential conflicts of interest<span class="delete"> in availability, response times or working with vendors</span> SHOULD be identified and carefully managed.</td>
                </tr>
                
                <tr>
                    <td>322</td>
                    <td>3.2.11.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>The CISO SHOULD be responsible for e<span class="insert">stablishing mechanisms and programs to e</span>nsur<span class="delete">ing</span><span class="insert">e</span> compliance with the information security policies and standards within the agency.</td>
                </tr>
                
                <tr>
                    <td>323</td>
                    <td>3.2.11.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>The CISO SHOULD be responsible for ensuring agency compliance with the NZISM through facilitating a continuous program of certification and accreditation <span class="delete">b</span><span class="insert">of </span>a<span class="delete">sed</span><span class="insert">ll</span> <span class="delete">on security risk man</span>age<span class="insert">ncy syste</span>m<span class="delete">ent</span><span class="insert">s</span>.</td>
                </tr>
                
                <tr>
                    <td>334</td>
                    <td>3.2.13.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>The CISO SHOULD liaise with agenc<span class="insert">y technolog</span>y architecture teams to ensure alignment between security and agency architectures.</td>
                </tr>
                
                <tr>
                    <td>570</td>
                    <td>4.3.18.C.02.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>The Information Security Policy (SecPol) MUST be reviewed by the auditor to ensure that all <span class="delete">re</span><span class="insert">applicab</span>le<span class="delete">vant</span> controls specified in this manual are addressed.</td>
                </tr>
                
                <tr>
                    <td>634</td>
                    <td>4.4.12.C.03.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST notify the Government C<span class="delete">I</span><span class="insert">hief Digital </span>O<span class="insert">fficer (GCDO)</span> where All-of-Government systems are connected to agency systems operating with expired accreditations.</td>
                </tr>
                
                <tr>
                    <td>675</td>
                    <td>4.5.18.C.03.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>The Accreditation Authority MUST advise the GC<span class="delete">I</span><span class="insert">D</span>O where the accreditation decision may affect any All-of-Government systems.</td>
                </tr>
                
                <tr>
                    <td>780</td>
                    <td>5.2.3.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>The Information Security Policy (SecPol) SHOULD document the information security<span class="delete">,</span> guidelines, standards and responsibilities of an agency.</td>
                </tr>
                
                <tr>
                    <td>781</td>
                    <td>5.2.3.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>The Information Security Policy (SecPol) SHOULD include topics such as:
accreditation processes;
personnel responsibilities;
configuration control;
access control;
networking and connections with other systems;
physical security and media control;
emergency procedures and information security incident management;
<span class="insert">vulnerability disclosure;
</span>change management; and
information security awareness and training.
</td>
                </tr>
                
                <tr>
                    <td>1048</td>
                    <td>6.1.9.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD review the components detailed in the table below.<span class="insert"> Agencies SHOULD also ensure that any adjustments and changes as a result of any vulnerability analysis are consistent with the vulnerability disclosure policy.</span>


Component
Review


Information security documentation
The SecPol, Systems Architecture, SRMPs, SecPlans, SitePlan, SOPs<span class="insert">, the VDP,</span> the IRP, and any third party assurance reports.


Dispensations
Prior to the identified expiry date.


Operating environment
When an identified threat emerges or changes, an agency gains or loses a function or the operation of functions are moved to a new physical environment.


Procedures
After an information security incident or test exercise.


System security
Items that could affect the security of the system on a regular basis.


Threats
Changes in threat environment and risk profile.


NZISM
Changes to baseline or other controls, any new controls and guidance.


</td>
                </tr>
                
                <tr>
                    <td>1066</td>
                    <td>6.2.5.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD conduct vulnerability assessments in order to establish a baseline<span class="insert">. This SHOULD be done</span>:
before a system is first used;
after any significant incident;
after a significant change to the system;
after changes to standards, policies and guidelines;<span class="delete"> and/or
as</span><span class="insert"> 
when</span> specified by an ITSM or <span class="delete">the </span>system owner.
</td>
                </tr>
                
                <tr>
                    <td>1120</td>
                    <td>6.4.5.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST determine availability and recovery requirements for their systems and implement <span class="delete">appropriate </span>measures<span class="insert"> consistent with the agency's SRMP</span> to support them.</td>
                </tr>
                
                <tr>
                    <td>1153</td>
                    <td>7.1.7.C.01.</td>
                    <td>Confidential, Secret, Top Secret</td>
                    <td>Must</td>
                    <td>Agencies MUST develop, implement and maintain tools and procedures covering the detection of potential information security incidents, incorporating:
<span class="insert">user awareness and training;
</span>counter-measures against malicious code<span class="insert">, known attack methods and types</span>;
intrusion detection strategies;
data egress monitoring & control;
access control anomalies;
audit analysis;
system integrity checking; and
vulnerability assessments.
</td>
                </tr>
                
                <tr>
                    <td>1154</td>
                    <td>7.1.7.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD develop, implement and maintain tools and procedures covering the detection of potential information security incidents, incorporating:
<span class="insert">user awareness and training;
</span>counter-measures against malicious code<span class="insert">, known attack methods and types</span>;
intrusion detection strategies;
data egress monitoring & control;
access control anomalies;
audit analysis;
system integrity checking; and
vulnerability assessments.
</td>
                </tr>
                
                <tr>
                    <td>1155</td>
                    <td>7.1.7.C.03.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD use the results of the security risk assessment to determine the appropriate balance of resources allocated to prevention versus <span class="insert">resources allocated to </span>detection of information security incidents.</td>
                </tr>
                
                <tr>
                    <td>1205</td>
                    <td>7.2.17.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD:
encourage personnel to note and report any observed or suspected security weaknesses in, or threats to, systems or services;
establish and follow procedures for reporting s<span class="insert">ystem, s</span>oftware<span class="insert"> or other</span> malfunctions;
put mechanisms in place to enable the types, volumes and costs of information security incidents and malfunctions to be quantified and monitored; and
deal with the violation of agency information security policies and procedures by personnel through <span class="insert">training and, where warranted, </span>a formal disciplinary process.
</td>
                </tr>
                
                <tr>
                    <td>1216</td>
                    <td>7.2.19.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>The Agency ITSM, MUST report <span class="delete">signi</span><span class="insert">in</span>f<span class="delete">icant inf</span>ormation security incidents<span class="delete">, or incidents related to m</span><span class="insert"> categorised as:
Critical;
Serio</span>u<span class="insert">s; or
incidents related to mu</span>lti-agency or government systems<span class="delete">, </span><span class="insert">;
</span>to the NCSC (see <span class="insert">also </span>below)<span class="insert"> as soon as possible</span>.</td>
                </tr>
                
                <tr>
                    <td>1220</td>
                    <td>7.2.20.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD<span class="delete">, through an ITSM,</span> repor<span class="delete">t non-significan</span>t information security incidents <span class="insert">categorised as Low </span>to the NCSC.</td>
                </tr>
                
                <tr>
                    <td>1223</td>
                    <td>7.2.21.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD formally report information security incidents using the NCSC <span class="delete">ad</span>o<span class="insert">n-line re</span>p<span class="insert">or</span>ti<span class="insert">ng f</span>o<span class="delete">n of the TAXII, STIX and CyBox p</span>r<span class="delete">otocols</span><span class="insert">m</span>.</td>
                </tr>
                
                <tr>
                    <td>1226</td>
                    <td>7.2.22.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies that outsource their information technology services and functions MUST ensure that the service provider <span class="insert">advises and </span>consults with the agency when an information security incident occurs.</td>
                </tr>
                
                <tr>
                    <td>1233</td>
                    <td>7.2.23.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST notify all system users of any suspected <span class="insert">or confirmed </span>loss or compromise of keying material.</td>
                </tr>
                
                <tr>
                    <td>1237</td>
                    <td>7.2.25.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST<span class="insert"> urgently</span> notify GCSB of any suspected loss or compromise of keying material associated with H<span class="delete">G</span><span class="insert">A</span>CE.</td>
                </tr>
                
                <tr>
                    <td>1285</td>
                    <td>7.3.8.C.03.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>When a data spill<span class="insert"> involving classified information or contaminating classified systems</span> occurs and systems cannot be segregated or isolated agencies SHOULD immediately contact the <span class="delete">G</span><span class="insert">N</span>CS<span class="delete">B</span><span class="insert">C</span> for further advice.</td>
                </tr>
                
                <tr>
                    <td>1290</td>
                    <td>7.3.9.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD follow the steps described below when malicious code is detected:
isolate the infected system;
decide whether to request assistance from <span class="delete">G</span><span class="insert">N</span>CS<span class="delete">B</span><span class="insert">C</span>;
if such assistance is requested and agreed to, delay any further action until advised by <span class="delete">G</span><span class="insert">N</span>CS<span class="delete">B</span><span class="insert">C</span>;
scan all previously connected systems and any media used within a set period leading up to the information security incident, for malicious code;
isolate all infected systems and media to prevent reinfection;
change all passwords and key material stored or potentially accessed from compromised systems, including any websites with password controlled access;
advise system users of any relevant aspects of the compromise, including a recommendation to change all passwords on compromised systems;
use up-to-date anti-malware software to remove the malware from the systems or media;
monitor network traffic for malicious activity;<span class="delete"> </span>
report the information security incident and perform any other activities specified in the IRP; and
in the worst case scenario, rebuild and reinitialise the system.
</td>
                </tr>
                
                <tr>
                    <td>1300</td>
                    <td>7.3.12.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD ensure that any requests for <span class="delete">G</span><span class="insert">N</span>CS<span class="delete">B</span><span class="insert">C</span> assistance are made as soon as possible after the information security incident is detected and that no actions which could affect the integrity of the evidence are carried out prior to <span class="delete">G</span><span class="insert">N</span>CS<span class="delete">B</span><span class="insert">C</span>’s involvement.</td>
                </tr>
                
                <tr>
                    <td>1327</td>
                    <td>8.1.11.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD position desks, screens and keyboards <span class="delete">so that they cannot be </span><span class="insert">away from windows and doorways so that they cannot be over</span>seen by unauthorised pe<span class="delete">op</span><span class="insert">rsons.  If required, b</span>l<span class="delete">e</span><span class="insert">inds or drapes SHOULD be fixed to the inside of windows</span>, <span class="delete">or fix b</span><span class="insert">and doors kept c</span>l<span class="delete">inds or drapes to the inside of windows and away from doorways</span><span class="insert">osed to avoid oversight</span>.</td>
                </tr>
                
                <tr>
                    <td>1449</td>
                    <td>9.1.4.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agency management MUST ensure that all personnel who have access to a system have sufficient <span class="insert">training and ongoing </span>information security awareness<span class="delete"> and training</span>.</td>
                </tr>
                
                <tr>
                    <td>1452</td>
                    <td>9.1.5.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST provide ongoing information security awareness and <span class="delete">training</span><span class="insert">a training programme</span> for personnel on topics such as responsibilities, legislation and regulation, consequences of non-compliance with information security policies and procedures, and potential security risks and counter-measures.</td>
                </tr>
                
                <tr>
                    <td>1457</td>
                    <td>9.1.6.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD align the detail, content and coverage of information security awareness and training <span class="insert">programmes </span>to system user responsibilities.</td>
                </tr>
                
                <tr>
                    <td>1484</td>
                    <td>9.2.6.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies <span class="delete">M</span><span class="insert">SHO</span>U<span class="delete">ST</span><span class="insert">LD</span>:
limit system access on a need-to-know/need-to-access basis;
provide system users with the least amount of privileges needed to undertake their duties; and
have any requests for access to a system authorised by the supervisor or manager of the system user.
</td>
                </tr>
                
                <tr>
                    <td>5626</td>
                    <td>10.6.29.C.01.</td>
                    <td>Confidential, Secret, Top Secret</td>
                    <td>Must</td>
                    <td>Cabinet rails MUST be installed to
<span class="delete">§ </span>provide adequate room for patch cables and wire managers<span class="delete">
§ A</span><span class="insert">;
provide a</span>dequate space for cable management at front, sides, and rear<span class="delete">
§ A</span><span class="insert">; and
a</span>rrange switches and patch panels to minimize patching between cabinets & racks<span class="delete">
</span><span class="insert">.
</span></td>
                </tr>
                
                <tr>
                    <td>2662</td>
                    <td>11.3.12.C.02.</td>
                    <td>Confidential, Secret, Top Secret</td>
                    <td>Must</td>
                    <td>Agencies <span class="insert">MU</span>S<span class="delete">HOULD</span><span class="insert">T</span> use push-to-talk <span class="insert">mec</span>han<span class="delete">d</span><span class="insert">i</span>s<span class="delete">et</span><span class="insert">m</span>s to meet the requirement for off-hook audio protection.<span class="insert"> PTT activation MUST be clearly labelled.</span></td>
                </tr>
                
                <tr>
                    <td>2767</td>
                    <td>11.5.16.C.03.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Where the use of personal wearable devices is permitted on medical grounds and used within a corporate or agency environment, agencies MUST ensure any relevant legislation and regulation pertaining to the protection of Personally Identifiable Information (PII) is <span class="delete">properly managed and protect</span><span class="insert">follow</span>ed.</td>
                </tr>
                
                <tr>
                    <td>3460</td>
                    <td>12.4.6.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST ensure that any firmware updates are performed in a manner that verifies the integrity and authenticity of the source and of the updating process<span class="insert"> or updating utility</span>.</td>
                </tr>
                
                <tr>
                    <td>3465</td>
                    <td>12.4.7.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD assess the security risk of <span class="insert">continued </span>us<span class="delete">ing</span><span class="insert">e of</span> software or IT equipment when a cessation date for support is announced or when the product is no longer supported by the developer.</td>
                </tr>
                
                <tr>
                    <td>3537</td>
                    <td>12.6.4.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST sanitise or destroy, then declassify, IT equipment containing <span class="insert">any </span>media before disposal.</td>
                </tr>
                
                <tr>
                    <td>3566</td>
                    <td>12.6.8.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST visually inspect video screens by turning up the brightness to the maximum level to determine if any classified information has been burnt into or persists on the screen<span class="insert">, before redeployment or disposal</span>.</td>
                </tr>
                
                <tr>
                    <td>3572</td>
                    <td>12.6.9.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST attempt to sanitise video screens with minor burn-in or image persistence by displaying a solid white image on the screen for an extended period of time.<span class="insert"> If burn-in cannot be corrected the screen MUST be processed through an approved destruction facility.</span></td>
                </tr>
                
                <tr>
                    <td>3709</td>
                    <td>12.7.21.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>For equipment that is expected to have an extended operational life in a critical system<span class="insert">, and in the event that the supplier is no longer able to supply these</span>, agencies SHOULD provide for the acquisition of<span class="delete"> </span><span class="insert">:
</span>necessary licences<span class="delete"> and </span><span class="insert">;
</span>information to produce spare parts, components, assemblies<span class="delete">, </span><span class="insert">;
</span>testing equipment<span class="delete"> and </span><span class="insert">; and
</span>technical assistance agreements<span class="delete"> in the event that the supplier is no longer able to supply the equipment, products and essential spares</span>.<span class="insert">
</span></td>
                </tr>
                
                <tr>
                    <td>3832</td>
                    <td>13.1.10.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD undertake a risk assessment with consideration given to proportionality in respect of<span class="delete"> </span><span class="insert">:
</span>scale and impact of the processes<span class="delete">, data, </span><span class="insert">;
data;
</span>users<span class="delete"> and </span><span class="insert">;
</span>licences<span class="delete"> system and </span><span class="insert">;
usage agreements; and
</span>service to be migrated or decommissioned.<span class="insert">
</span></td>
                </tr>
                
                <tr>
                    <td>4302</td>
                    <td>13.5.24.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td><span class="delete">Agencies </span>M<span class="delete">UST employ approved equipment for the purpose of m</span>edia and IT <span class="delete">E</span><span class="insert">e</span>quipment destruction<span class="insert"> MUST be performed using approved destruction equipment, facilities and methods</span>.</td>
                </tr>
                
                <tr>
                    <td>4304</td>
                    <td>13.5.24.C.02.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Where agenc<span class="delete">y</span><span class="insert">ies do not</span> own<span class="insert"> th</span>e<span class="delete">d</span><span class="insert">ir</span> <span class="delete">appr</span>o<span class="delete">ved</span><span class="insert">wn</span> destruction equipment<span class="delete"> is not available</span><span class="insert">,</span> agencies MUST use an approved destruction facility for media and IT <span class="delete">E</span><span class="insert">e</span>quipment destruction.</td>
                </tr>
                
                <tr>
                    <td>4343</td>
                    <td>13.5.25.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST, at minimum, store and handle the resulting waste for all methods, <span class="delete">as for</span><span class="insert">in accordance with</span> the classification given in the table below.



Initial media or IT Equipment classification


Screen aperture size particles can pass through




Less than or equal to 3mm
Treat as


Less than or equal to 6mm
Treat as



 TOP SECRET

UNCLASSIFIED

RESTRICTED


SECRET

UNCLASSIFIED

RESTRICTED


CONFIDENTIAL

UNCLASSIFIED

RESTRICTED


RESTRICTED

UNCLASSIFIED


UNCLASSIFIED



Particle size: measured in any direction, should not exceed stated measurement.</td>
                </tr>
                
                <tr>
                    <td>4359</td>
                    <td>13.5.27.C.03.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>The Destruction Register SHOULD record:
D<span class="delete">ate o</span><span class="insert">estruction </span>f<span class="insert">acility used;
Destruction method used;
Date of</span> destruction;
Operator and witness<span class="insert">es</span>;
Media<span class="delete"> or</span><span class="insert"> and</span> IT <span class="delete">E</span><span class="insert">e</span>quipment classification; and
Media<span class="delete"> or</span><span class="insert"> and</span> IT <span class="delete">E</span><span class="insert">e</span>quipment type, characteristics and serial number.
</td>
                </tr>
                
                <tr>
                    <td>4367</td>
                    <td>13.5.29.C.01.</td>
                    <td>Top Secret</td>
                    <td>Must Not</td>
                    <td>Agencies MUST NOT outsource the supervision and oversight of the destruction of TOP SECRET or NZEO media and IT <span class="delete">E</span><span class="insert">e</span>quipment or other accountable material to a non-government entity or organisation.</td>
                </tr>
                
                <tr>
                    <td>6019</td>
                    <td>15.2.22.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Before implementing DMARC agencies SHOULD:
Create a DMARC policy;
List all domains<span class="delete"> </span><span class="insert">, in partic</span>u<span class="delete">sed for the sending</span><span class="insert">lar those used for the sending and/or receiving of</span> email;
Review the configuration of SPF and DKIM for all active domains<span class="insert"> and all published domains</span>; and
Establish one or more monitored inboxes to receive <span class="insert">DMARC </span>reports.
</td>
                </tr>
                
                <tr>
                    <td>6020</td>
                    <td>15.2.22.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD enable DMARC for all email originating from or received by their domain(s), including:
sending domain owners SHOULD publish a DMARC record <span class="insert">with a related DNS entry </span>advising mail receivers<span class="insert"> of</span> the characteristics of messages purporting to originate from the sender’s domain;
received<span class="insert"> DMARC</span> messages SHOULD be managed in accordance with the agency’s published DMARC policy; and
agencies SHOULD produce failure reports and aggregate reports according to the agency’s DMARC policies.
</td>
                </tr>
                
                <tr>
                    <td>1827</td>
                    <td>16.1.31.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST:
develop<span class="insert">, implement</span> and maintain a set of policies and procedures covering<span class="insert"> all</span> system users’:

identification;
authentication; 
authorisation;<span class="insert">
privileged access identification and management;</span> and

make their system users aware of the agency’s policies and procedures.
</td>
                </tr>
                
                <tr>
                    <td>2070</td>
                    <td>17.1.51.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies using cryptographic functionality within a product <span class="delete">for the protection of classified</span><span class="insert">to protect the confidentiality, authentication, non-repudiation or integrity of</span> information<span class="insert">,</span> MUST ensure that the product has completed a cryptographic evaluation recognised by the GCSB.</td>
                </tr>
                
                <tr>
                    <td>2080</td>
                    <td>17.1.53.C.02.</td>
                    <td>Confidential, Secret, Top Secret</td>
                    <td>Must</td>
                    <td>If an agency wishes to reduce the storage or physical transfer requirements for IT equipment or media that contains classified information, they MUST encrypt the classified information using High <span class="delete">Grad</span><span class="insert">Assuranc</span>e Cryptographic Equipment (H<span class="delete">G</span><span class="insert">A</span>CE).<span class="delete"> </span> <span class="insert"> </span>It is important to note that the classification of the information itself remains unchanged.</td>
                </tr>
                
                <tr>
                    <td>2081</td>
                    <td>17.1.53.C.03.</td>
                    <td>Confidential, Secret, Top Secret</td>
                    <td>Must</td>
                    <td>If an agency wishes to use encryption to reduce the storage, handling or physical transfer requirements for IT equipment or media that contains classified information, they MUST use:
full disk encryption; or
partial<span class="delete"> </span><span class="insert"> </span>disk encryption where the access control will allow writing <span class="delete">only</span><span class="insert">ONLY</span> to the encrypted partition holding the classified information.
</td>
                </tr>
                
                <tr>
                    <td>2082</td>
                    <td>17.1.53.C.04.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>If an agency wishes to use encryption to reduce the storage or physical transfer requirements for IT equipment or media that contains classified information, they SHOULD use:
full disk encryption; or
partial<span class="delete"> </span><span class="insert"> </span>disk encryption where the access control will <span class="delete">only </span>allow writing<span class="insert"> ONLY</span> to the encrypted partition holding the classified information.
</td>
                </tr>
                
                <tr>
                    <td>2089</td>
                    <td>17.1.55.C.01.</td>
                    <td>Confidential, Secret, Top Secret</td>
                    <td>Must</td>
                    <td>Agencies MUST use H<span class="delete">G</span><span class="insert">A</span>CE if they wish to communicate or pass information over UNCLASSIFIED, insecure or unprotected networks.</td>
                </tr>
                
                <tr>
                    <td>2090</td>
                    <td>17.1.55.C.02.</td>
                    <td>Restricted/Sensitive</td>
                    <td>Must</td>
                    <td>Information or systems classified RESTRICTED or SENSITIVE MUST be encrypted with an <span class="delete">a</span><span class="insert">A</span>pproved <span class="delete">encryption al</span><span class="insert">Crypto</span>g<span class="delete">orithm and p</span><span class="insert">raphic Algorithm and P</span>rotocol if information is transmitted or systems are communicating over <span class="delete">any </span>insecure or unprotected network<span class="delete"> such as the Internet</span><span class="insert">s</span>, <span class="insert">such as the Internet, </span>public <span class="delete">infrastructure</span><span class="insert">networks</span> or non-agency controlled networks.</td>
                </tr>
                
                <tr>
                    <td>2091</td>
                    <td>17.1.55.C.03.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST encrypt ag<span class="insert">gregated ag</span>ency data using an approved algorithm and protocol <span class="delete">when data is transmitted </span><span class="insert">over insecure or unprotected networks such as the Internet, pu</span>b<span class="delete">etween data centres over insecure or unprotect</span><span class="insert">lic infrastructure or non-agency controll</span>ed networks <span class="delete">such as the Internet, public in</span><span class="insert">when the compromise o</span>f<span class="delete">rastructure or non-agency controlled networks</span><span class="insert"> the aggregated data would present a significant impact to the agency</span>.<span class="insert">  </span></td>
                </tr>
                
                <tr>
                    <td>2092</td>
                    <td>17.1.55.C.04.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD <span class="delete">use</span><span class="insert">encrypt agency data using</span> an approved <span class="delete">encryption product</span><span class="insert">algorithm and protocol</span> if they wish to communicate over insecure or unprotected networks such as the Internet, public networks or non-agency controlled networks.</td>
                </tr>
                
                <tr>
                    <td>2097</td>
                    <td>17.1.56.C.02.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agenc<span class="delete">y</span><span class="insert">ies</span> MUST consult the GCSB for further advice on the powered off status and treatment of specific <span class="delete">p</span><span class="insert">softwa</span>r<span class="delete">oduc</span><span class="insert">e, sys</span>t<span class="insert">em</span>s and <span class="insert">IT eq</span>u<span class="delete">sag</span><span class="insert">ipm</span>e<span class="insert">nt</span>.</td>
                </tr>
                
                <tr>
                    <td>2105</td>
                    <td>17.1.58.C.03.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies<span class="insert"> using HACE</span> MUST consult <span class="delete">with </span>the GCSB for<span class="delete"> the</span> key management requirements<span class="delete"> for HGCE</span>.</td>
                </tr>
                
                <tr>
                    <td>2128</td>
                    <td>17.2.17.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies<span class="delete"> using an unevaluated product that implements an Approved Cryptographic Algorithm</span> MUST ensure that only Approved Cryptographic Algorithms can be used<span class="insert"> when using an unevaluated product that implements a combination of approved and non-approved Cryptographic Algorithms</span>.</td>
                </tr>
                
                <tr>
                    <td>2134</td>
                    <td>17.2.19.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies using DH, for the approved use of agreeing on encryption session keys, MUST use a modulus of at least <span class="delete">4</span><span class="insert">3</span>0<span class="delete">96</span><span class="insert">72</span> bits.</td>
                </tr>
                
                <tr>
                    <td>2137</td>
                    <td>17.2.20.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td><span class="delete">Legacy d</span><span class="insert">D</span>evices which are NOT capable of implementing required key lengths MUST be reconfigured with the longest feasible key length as a matter of urgency.</td>
                </tr>
                
                <tr>
                    <td>2138</td>
                    <td>17.2.20.C.02.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td><span class="delete">Legacy d</span><span class="insert">D</span>evices which are NOT capable of implementing required key lengths MUST be scheduled for replacement as a matter of urgency.</td>
                </tr>
                
                <tr>
                    <td>2148</td>
                    <td>17.2.23.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies using ECDSA, for the approved use of digital signatures, MUST implement the curve<span class="delete">s P-256 and</span> P-384 (prime moduli).</td>
                </tr>
                
                <tr>
                    <td>2151</td>
                    <td>17.2.24.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies using RSA, for the approved use of digital signatures and passing encryption session keys or similar keys, MUST use a modulus of at least <span class="insert">307</span>2<span class="delete">048</span> bits.</td>
                </tr>
                
                <tr>
                    <td>2155</td>
                    <td>17.2.26.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST use the SHA-2 family <span class="delete">be</span>for<span class="insert"> new systems. Us</span>e <span class="delete">using</span><span class="insert">of</span> SHA-1<span class="insert"> is permitted ONLY for legacy systems</span>.</td>
                </tr>
                
                <tr>
                    <td>5905</td>
                    <td>17.2.26.C.02.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies <span class="insert">MU</span>S<span class="delete">HOULD</span><span class="insert">T</span> use a minimum of SHA-384<span class="insert"> when using hashing algorithms to provide integrity protection for information classified as RESTRICTED/SENSITIVE or above</span>.</td>
                </tr>
                
                <tr>
                    <td>2158</td>
                    <td>17.2.28.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should Not</td>
                    <td>Agencies using <span class="insert">approved symmetric encryption algorithms (e.g. </span>AES<span class="delete"> or 3DES</span><span class="insert">)</span> SHOULD NOT use <span class="delete">e</span><span class="insert">E</span>lectronic <span class="delete">c</span><span class="insert">C</span>ode<span class="delete">b</span><span class="insert"> B</span>ook<span class="insert"> (ECB)</span> mode.</td>
                </tr>
                
                <tr>
                    <td>2598</td>
                    <td>17.4.16.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD use the current version of TLS (version 1.<span class="delete">2</span><span class="insert">3</span>).</td>
                </tr>
                
                <tr>
                    <td>2737</td>
                    <td>17.5.9.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies that use SSH-agent or other similar key caching programs SHOULD:
only use the software on workstation and servers with screenlocks;
ensure that the key cache expires within four hours of inactivity; and
ensure that agent credential forwarding is used when multiple SSH tra<span class="delete">ns</span>versal is needed.
</td>
                </tr>
                
                <tr>
                    <td>3043</td>
                    <td>17.9.31.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST comply with NZCSI when using H<span class="delete">GCP or HG</span><span class="insert">A</span>CE.</td>
                </tr>
                
                <tr>
                    <td>3053</td>
                    <td>17.9.32.C.03.</td>
                    <td>All Classifications</td>
                    <td>Should Not</td>
                    <td>Agencies SHOULD NOT transport commercial grade cryptographic equipment <span class="insert">or products </span>in a keyed state.</td>
                </tr>
                
                <tr>
                    <td>3290</td>
                    <td>18.2.6.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies deploying a wireless network for public access MUST se<span class="delete">g</span><span class="insert">pa</span>r<span class="delete">eg</span>ate it from any other agency network<span class="insert">s; including BYOD networks</span>.</td>
                </tr>
                
                <tr>
                    <td>3617</td>
                    <td>18.2.33.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>The effective range of wireless communications outside an agency’s area of control SHOULD be limited by:
Minimising the output power level of wireless devices<span class="delete">; and/or</span><span class="insert">.</span>
Implementing RF shielding within buildings in which wireless networks are used.
</td>
                </tr>
                
                <tr>
                    <td>3621</td>
                    <td>18.2.34.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Wireless networks SHOULD <span class="delete">be sufficiently segregated through the </span>use<span class="delete"> of</span> channel separation.</td>
                </tr>
                
                <tr>
                    <td>3777</td>
                    <td>18.3.17.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD use access control software to control USB ports on workstations using softphones and webcams by utilising the specific vendor and product identifier of the authorised <span class="delete">phon</span><span class="insert">devic</span>e.</td>
                </tr>
                
                <tr>
                    <td>4015</td>
                    <td>19.4.4.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST use devices as shown in the following table for controlling the data flow of one-way gateways between networks of different classifications.



High networ<span class="delete">r</span><span class="insert">k</span>
Low network
You require


RESTRICTED
 
UNCLASSIFIED
EAL2 or PP diode


RESTRICTED
EAL2 or PP diode


CONFIDENTIAL
 
UNCLASSIFIED
high assurance diode


RESTRICTED
high assurance diode


CONFIDENTIAL
high assurance diode


SECRET
 
UNCLASSIFIED
high assurance diode


RESTRICTED
high assurance diode


CONFIDENTIAL
high assurance diode


SECRET
high assurance diode


TOP SECRET
 
UNCLASSIFIED
high assurance diode


RESTRICTED
high assurance diode


CONFIDENTIAL
high assurance diode


SECRET
high assurance diode


TOP SECRET
high assurance diode



</td>
                </tr>
                
                <tr>
                    <td>4710</td>
                    <td>19.5.24.C.07.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies procuring or using VoIP or UC services to be used by multiple agencies MUST ensure all interested parties formally agree t<span class="insert">o t</span>he risks,<span class="delete"> essential</span> controls and any residual risks of such VoIP and UC services.  The lead agency normally has this responsibility (see Chapter 2 - Information Security within Government and Chapter 4 - System Certification and Accreditation).</td>
                </tr>
                
                <tr>
                    <td>4715</td>
                    <td>19.5.25.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST follow the gateway requirements described in <span class="delete">this </span>Chapter<span class="insert"> 19 - Gateway Security</span>.</td>
                </tr>
                
                <tr>
                    <td>4742</td>
                    <td>19.5.27.C.06.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Event logs covering all VoIP and UC services SHOULD be maintained in accordance with the requirements of the NZISM.<span class="insert"> See section 16.5 - Event logging and Auditing and 13.1.12 - Archiving.</span></td>
                </tr>
                
                <tr>
                    <td>4301</td>
                    <td>20.2.10.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>To prevent the export of NZEO data to foreign systems, agencies MUST implement <span class="insert">NZEO </span>data filtering performed by a product specifically designed <span class="insert">or configured </span>for that purpose.</td>
                </tr>
                
                <tr>
                    <td>4336</td>
                    <td>20.3.8.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD perform content<span class="delete">/</span><span class="insert"> conversion, </span>file conversion<span class="insert"> or both</span> for all ingress or egress data transiting a security domain boundary.</td>
                </tr>
                
                <tr>
                    <td>4339</td>
                    <td>20.3.9.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD perform content<span class="delete">/</span><span class="insert"> and </span>file sanitisation on suitable file types if content<span class="delete">/</span><span class="insert"> conversion or </span>file conversion is not appropriate for data transiting a security domain boundary.</td>
                </tr>
                
                <tr>
                    <td>4401</td>
                    <td>20.3.11.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD extract the contents from archive<span class="delete">/</span><span class="insert"> and </span>container files and subject the extracted files to content filter tests.</td>
                </tr>
                
                <tr>
                    <td>4402</td>
                    <td>20.3.11.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD perform controlled inspection of archive<span class="delete">/</span><span class="insert"> and </span>container files to ensure that content filter performance <span class="delete">or</span><span class="insert">and</span> availability is not adversely affected.</td>
                </tr>
                
                <tr>
                    <td>4406</td>
                    <td>20.3.12.C.01.</td>
                    <td>Confidential, Secret, Top Secret</td>
                    <td>Must</td>
                    <td>Agencies MUST<span class="delete"> identify,</span> create and enforce a whitelist of permitted content types based on business requirements and the results of a security risk assessment.</td>
                </tr>
                
                <tr>
                    <td>4407</td>
                    <td>20.3.12.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD<span class="delete"> identify,</span> create and enforce a whitelist of permitted content types based on business requirements and the results of a security risk assessment.</td>
                </tr>
                
                <tr>
                    <td>4483</td>
                    <td>21.1.13.C.01.</td>
                    <td>Confidential, Secret, Top Secret</td>
                    <td>Must</td>
                    <td>Agencies unable to lower the storage and physical transfer requirements of a mobile device to an unclassified level through the use of encryption MUST physically <span class="insert">store or </span>transfer the device as a classified asset in accordance with the relevant handling instructions<span class="delete"> (refer to the PSR)</span>.</td>
                </tr>
                
                <tr>
                    <td>4485</td>
                    <td>21.1.13.C.03.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies unable to lower the storage and physical transfer requirements of a mobile device to an unclassified level through the use of encryption SHOULD physically <span class="insert">store or </span>transfer the device as a classified asset in accordance with the relevant handling instructions<span class="delete"> (refer to the PSR)</span>.</td>
                </tr>
                
                <tr>
                    <td>4541</td>
                    <td>21.2.4.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must Not</td>
                    <td>Agencies MUST NOT allow personnel to access or communicate classified information on mobile devices outside of secure areas unless there is a reduced chance of being overheard <span class="delete">or</span><span class="insert">and</span> having the screen of the device observed.</td>
                </tr>
                
                <tr>
                    <td>4555</td>
                    <td>21.2.7.C.02.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Travelling personnel requested to decrypt mobile devices for inspection <span class="insert">or from whom mobile devices are taken out of sight </span>by <span class="delete">customs personnel or from whom mobile devices are taken out of sight by customs personne</span><span class="insert">border contro</span>l MUST report the potential compromise of classified information or the device to an ITSM as soon as possible.</td>
                </tr>
                
                <tr>
                    <td>4650</td>
                    <td>21.4.10.C.16.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>The responsibility for payment of voice and data plans and roaming charges MUST be specified<span class="insert"> and agreed</span>.</td>
                </tr>
                
                <tr>
                    <td>4658</td>
                    <td>21.4.11.C.04.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Network<span class="insert"> configuration</span> policies and authentication mechanisms MUST<span class="delete"> be configured to</span> allow access to agency resources ONLY through the BYOD network segment.</td>
                </tr>
                
                <tr>
                    <td>4660</td>
                    <td>21.4.11.C.06.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Wireless acces<span class="delete">se</span>s points used for access to agency networks MUST be implemented and secured in accordance with the directions in this manual (See Section 18.2 – Wireless Local Area Networks).</td>
                </tr>
                
                <tr>
                    <td>4666</td>
                    <td>21.4.11.C.12.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>BYOD MUST have a Mobile Device Management (MDM) solution implemented with a minimum of the following enabled:<span class="delete"> </span>
The MDM is enabled to “wipe” devices of any agency data if lost or stolen;
If the MDM cannot discriminate between agency and personal data, all data, including personal data, is deleted if the device is lost or stolen;
The MDM is capable of remotely applying agency security configurations for BYOD devices;
Mobile device security configurations are validated (health check) by the MDM before a device is permitted to connect to the agency’s systems;
“Jail-broken”, “rooted” or settings violations MUST be detected and isolated; 
“Jail-broken” devices are NOT permitted to access agency resources; 
Access to agency resources is limited until <span class="delete">the device and/or</span><span class="insert">both the device and</span> user is fully compliant with policy and SOPs;
Auditing and logging is enabled; and
Changes of Subscriber Identity Module (SIM) card are monitored to allow remote blocking and wiping in the event of theft or compromise.
</td>
                </tr>
                
                <tr>
                    <td>4667</td>
                    <td>21.4.11.C.13.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td><span class="delete">Appropriate i</span><span class="insert">I</span>ntrusion detection systems MUST be implemented.</td>
                </tr>
                
                <tr>
                    <td>4675</td>
                    <td>21.4.11.C.20.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>BYOD devices and systems SHOULD use Multi<span class="insert">-</span>factor (at least two-factor) authentication to connect to agency systems and prior to being permitted access to agency data.</td>
                </tr>
                
                <tr>
                    <td>4680</td>
                    <td>21.4.12.C.02.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST implement rogue AP and wireless “hot spot” detection and implement <span class="delete">appropriate </span>response procedures<span class="insert"> where detection occurs</span>.</td>
                </tr>
                
                <tr>
                    <td>4681</td>
                    <td>21.4.12.C.03.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD conduct a baseline survey to identify:
<span class="delete">Known and</span><span class="insert">All</span> authorised devices and AP’s; and
<span class="delete">K</span><span class="insert">A</span>n<span class="delete">own and</span><span class="insert">y</span> unauthorised devices and AP’s.
</td>
                </tr>
                
                <tr>
                    <td>4686</td>
                    <td>21.4.13.C.03.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>The use of virtual containers, sandboxes, wraps or similar mechanisms on the mobile device MUST be established for each authorised session for any organisational data.  These <span class="delete">virtual container</span><span class="insert">mechanism</span>s MUST be non-persistent and be removed at the end of each session.</td>
                </tr>
                
                <tr>
                    <td>4687</td>
                    <td>21.4.13.C.04.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Any sensitive agency data MUST be removed<span class="delete">/</span><span class="insert"> and </span>securely deleted, or encrypted at the end of a session.</td>
                </tr>
                
                <tr>
                    <td>4690</td>
                    <td>21.4.13.C.07.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST disable split-tunnelling when using a BYOD<span class="insert"> device</span> to connect to an agency network (See Section 21.1 – Agency Owned Mobile Devices).</td>
                </tr>
                
                <tr>
                    <td>4692</td>
                    <td>21.4.13.C.09.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>The use of passwords or PINs to unlock the BYOD device MUST be enforced in addition to a<span class="insert">ll other agency a</span>uthentication mechanisms<span class="delete"> agency access</span>.</td>
                </tr>
                
                <tr>
                    <td>4693</td>
                    <td>21.4.13.C.10.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td><span class="insert">BYO</span>D<span class="insert"> d</span>evice passwords MUST be distinct from any agency access and authentication passwords.</td>
                </tr>
                
                <tr>
                    <td>4812</td>
                    <td>22.1.21.C.05.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST consult with the GC<span class="delete">I</span><span class="insert">D</span>O to ensure the strategic and other cloud risks are comprehensively assessed.</td>
                </tr>
                
                <tr>
                    <td>4813</td>
                    <td>22.1.21.C.06.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies procuring or using cloud services to be used by multiple agencies MUST ensure all interested parties formally agree the risks, <span class="delete">essential </span>controls and any residual risks of such cloud services.</td>
                </tr>
                
                <tr>
                    <td>4814</td>
                    <td>22.1.21.C.07.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies using cloud services MUST ensure they have conducted a documented risk assessment, accepted any residual risks, and followed the endorsement procedure required by the GC<span class="delete">I</span><span class="insert">D</span>O.</td>
                </tr>
                
                <tr>
                    <td>4822</td>
                    <td>22.1.22.C.03.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies using cloud services hosted offshore and connected to All-of-Government systems MUST ensure they have conducted a risk assessment, accepted any residual risks, and followed the endorsement procedure required by the GC<span class="delete">I</span><span class="insert">D</span>O.</td>
                </tr>
                
            </tbody>
        </table>
    </section>
<body>
</html>