The purpose of these requirements is to:
- provide guidance on achieving a consistent approach to implementing information security controls on public websites, to minimise the risk of harm to the public when transacting online with the New Zealand government
- help agencies apply the targeted initiatives of the New Zealand Government Cyber Security Strategy to reduce the risks from internet-based threats, by adopting best-practice security models that maintain a high level of information assurance within the agency
- help agencies to determine the business impact of loss and compromise of information
- help agencies determine the level of control required to:
‒ meet the threat environment
‒ give suitable protection to information
‒ provide assurance to other agencies for information sharing
- outline the types of controls that are suitable.
The audience for these requirements is:
- New Zealand government agencies
- organisations implementing or operating publicly accessible information systems on behalf of government.
These requirements cover:
- provision of internet access to the workforce
- public access to services and information, using the internet
- public access to services and information from kiosks located on government premises
- public wireless access to services and information from government premises.
These requirements do not cover risks specific to email, social media or removable media, even where those channels are used to facilitate online transactions.
Online services offer the public a convenient, efficient and accessible means to access government services.
However, as demand for online government services continues to grow, so too do the scale, sophistication and frequency of cyber crime and other activity by malicious actors.
The New Zealand government recognises cyber threats and identifies cyber security as one of its top-tier national security priorities.
As New Zealand continues to experience an increase in malicious cyber activity, it is essential that government agencies continue to actively consider the risks to public users of government online services.
The New Zealand government is committed to maintaining a safe, secure, resilient and trusted online environment that supports New Zealand’s national security and maximises the benefits of the digital economy.
These requirements support the implementation of the New Zealand Protective Security Requirements (PSR).
In particular, they support the New Zealand Information Security Manual (NZISM).
The requirements are part of a suite of documents that help agencies to meet their information security requirements.
Where legislative requirements are higher than controls identified in these requirements, the legislative requirements take precedence and need to be applied.
Agencies should protect any information or physical assets provided by another government in accordance with international agreements.
Also refer to Safeguarding Foreign Government Information (under development).
These requirements include advice on the New Zealand government’s expectations for the protection of New Zealand information and physical assets by foreign governments.
1.4 Compliance requirements
A control with a ‘must’ or ‘must not’ compliance requirement is mandatory. Together these form the baseline controls. A mandatory control may be omitted only where it is demonstrably not relevant to the agency, and this must be clearly demonstrated to the agency head or accreditation authority.
A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice. Valid reasons for not implementing such a control could exist, including:
- the control is not relevant because the risk does not exist
- a process or control(s) of equal strength has been substituted.
Agencies must recognise that not using a control without due consideration may increase the agency’s residual risk. This residual risk needs to be agreed and acknowledged by the agency head. In particular, an agency should pose the following questions:
- Is the agency willing to accept the additional risk and, if so, what is the justification?
- Have any implications for All-of-Government security been considered?
A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.
The PSR provides agencies with mandatory and best practice security measures.
The controls detailed above identify if and when agencies need to consider specific security measures to comply with the mandatory requirements.