1 Introduction

Print this section

1.1 Purpose

The purpose of these requirements is to:

  • provide guidance on achieving a consistent approach when implementing information security controls to public websites to minimise the risk of harm to the public when transacting online with the New Zealand government
  • help agencies apply the New Zealand Government Cyber Security Strategy targeted initiatives to reduce the risks from threats found on the internet, by adopting best security practice models to maintain an agency’s high level of information assurance
  • help agencies to determine the business impact of loss and compromise of information
  • help agencies determine the level of control required to:
    ‒ meet the threat environment
    ‒ give suitable protection to information
    ‒ provide assurance to other agencies for information sharing
  • outline the types of controls that are suitable.
Back to the top of page Print this subsection

1.2 Audience

The audience for these requirements is:

  • New Zealand government agencies
  • organisations implementing or operating publicly accessible information systems on behalf of government.
Back to the top of page Print this subsection

1.3 Scope

These requirements cover:

  • provision of internet access to the workforce
  • public access to services and information, using the internet
  • public access to services and information from kiosks located on government premises
  • public wireless access to services and information from government premises.

The scope of advice does not include risks specific to email, social media and removable media used to facilitate online transactions.

Online services offer the public a convenient, efficient and accessible means to access government services.

However, as the demand for online government services continues to grow, so too does the scale, sophistication and perpetration of cyber crime and activities by malicious actors.

The New Zealand government recognises cyber threats and identifies cyber security as one of its top-tier national security priorities.

As New Zealand continues to experience an increase in cyber activities, it is essential for New Zealand government agencies to continue to actively consider the risks to public users of government online services.

The New Zealand government is committed to maintaining a safe, secure, resilient and trusted online environment that supports New Zealand’s national security and maximises the benefits of the digital economy.

These requirements support the implementation of the New Zealand Protective Security Requirements (PSR).

In particular, they support the New Zealand Information Security Manual (NZISM)

The requirements are part of a suite of documents that help agencies to meet their information security requirements.

Where legislative requirements are higher than controls identified in these requirements, the legislative requirements take precedence and need to be applied.

Agencies should protect any information or physical assets provided by another government in accordance with international agreements.

Also refer to Safeguarding Foreign Government Information (under development).

These requirements include advice on the New Zealand government’s expectations for the protection of New Zealand information and physical assets by foreign governments.

Back to the top of page Print this subsection

1.4 Compliance requirements

A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are the baseline controls unless the control is demonstrably not relevant to the respective agency and can be clearly demonstrated to the agency head or accreditation authority.

A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice.  Valid reasons for not implementing a control could exist, including:

  1. a control is not relevant because the risk does not exist
  2. or a process or control(s) of equal strength has been substituted.

Agencies must recognise that not using a control without due consideration may increase residual risk for the agency.  This residual risk needs to be agreed and acknowledged by the agency head.  In particular an agency should pose the following questions:

  1. Is the agency willing to accept additional risk?
  2. Have any implications for All of Government security been considered?
  3. If so, what is the justification?

A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.

The PSR provides agencies with mandatory and best practice security measures.

The controls detailed above identify if and when agencies need to consider specific security measures to comply with the mandatory requirements.

Also refer to Strategic Security Objectives, Core Policies and the Mandatory Requirements

Back to the top of page Print this subsection

1.5 Relevant standards

Back to the top of page Print this subsection

2 Cyber security action required

Agencies should adopt mitigation strategies to reduce exposing the public to cyber security risks when they transact online with government.

First, agencies should assess this risk. As a starting point, agencies should evaluate the threat scenarios identified in Annex A in their assessment and adopt applicable security controls for online services provided.

In order to inform this assessment, agencies should consult with the public. Agencies should also consider using the mitigation strategy examples at Annex B when developing their risk management plan.

In this context, New Zealand government agencies should apply sound security risk management practices in accordance with AS/NZS 31000:2009 and the HB 167/2006 Security Risk Management.

GOV3 mandates this. 

Print this section

2.1 Further information

The first point of contact for an agency to seek specific security advice is the agency's Chief Security Officer (CSO).

Agency business areas that provide online services should seek to maintain an inhouse Information Technology (IT) security capability that works closely with the agency CSO. This should be led by the Chief Information Security Officer (CISO).

Each CSO is expected to maintain awareness of cyber security policy and the threat environment.

Additional information on this requirement and the New Zealand Government Cyber Security Strategy should be directed to: 

National Cyber Policy Office
Pipitea House
1–15 Pipitea Street
Thorndon
WELLINGTON

Phone: (04) 819-8200

Technical questions should be directed to:

National Cyber Security Centre (NCSC)
Phone: (04) 498-7654
Fax: (04) 498-7655
Email: info@ncsc.govt.nz

Back to the top of page Print this subsection

2.2 Reporting and managing security incidents

New Zealand government agencies or Critical National Infrastructure (CNI) organisations that encounter or suspect the presence of a cyber threat should complete and return an Incident Reporting Form, available online from the NCSC website.

Go to: www.ncsc.govt.nz

If required, contact the NCSC directly on (04) 498-7654.

All incident reports provided to the NCSC are treated in the strictest of confidence.

Agencies should report any ‘high-priority vulnerabilities’ in Information and Communications Technology (ICT) systems to the Government Chief Information Officer (GCIO) along with a remediation plan to address it.

A high-priority vulnerability is a weak point in system security that may result in the release of private and/or sensitive information. The impact on information also needs to be taken into account.

As a simple equation, the vulnerability multiplied by the sensitivity of the information equals the priority of vulnerability. For example, a vulnerability (such as cross-site scripting or weak password strength) on a standalone system with unclassified publicly available information may have a low priority.

The same vulnerability on a tightly coupled application that holds confidential, financial and/or private details of individual citizens may have a high priority.

Back to the top of page Print this subsection