1 Introduction


1.1 Purpose

The purpose of these requirements is to provide guidance on the use and control of Communications Security (COMSEC) material by referring to the relevant standards and instructions.


1.2 Audience

The audience of these requirements is all users of high-grade cryptographic equipment, including:

  • New Zealand government employees with responsibility for COMSEC
  • New Zealand government contractors.

1.3 Scope

These requirements support the implementation of the New Zealand Protective Security Requirements (PSR).

In particular, they support the Information Security Management Protocol and the New Zealand Information Security Manual (NZISM).

They are part of a suite of documents available to help agencies meet their information security requirements.

Where legislative requirements are higher than controls identified in these requirements, legislative requirements take precedence and need to be applied.

These requirements include advice on the New Zealand government’s expectations for the protection of New Zealand information and assets by foreign governments.

COMSEC includes cryptography, transmission security, emission security, traffic-flow security and physical security of COMSEC equipment. 

These forms of security safeguard and reduce the threat of unauthorised persons gaining access to our communications.

The New Zealand government recognises cyber threats and identifies cyber security as one of its top tier national security priorities.

As New Zealand continues to experience an increase in cyber activities, it is essential for New Zealand government agencies to continue to actively consider the risks.

These requirements will help to establish a consistent terminology for information security across the New Zealand government and give agencies a framework for the assurance needed to share information.


1.4 Compliance requirements

A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are the baseline controls, unless the control is demonstrably not relevant to the respective agency and this can be clearly demonstrated to the agency head or accreditation authority.

A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice. Valid reasons for not implementing a control could exist, including:

  1. the control is not relevant because the risk does not exist, or
  2. a process or control(s) of equal strength has been substituted.

Agencies must recognise that not using a control without due consideration may increase residual risk for the agency. This residual risk needs to be agreed and acknowledged by the agency head. In particular, an agency should pose the following questions:

  1. Is the agency willing to accept additional risk?
  2. Have any implications for All of Government security been considered?
  3. If so, what is the justification?

A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.

The PSR provides agencies with mandatory and best practice security measures.

The controls detailed above identify if and when agencies need to consider specific security measures to comply with the mandatory requirements.

Also refer to Strategic Security Objectives, Core Policies and the Mandatory Requirements.


1.5 Relevant standards

The standards relevant to these requirements are listed below.

  • New Zealand Communications Security Standard No. 300 (NZCSS 300). This standard provides the minimum security requirements for the control and accountability of communications security material within the New Zealand government and agencies.
  • New Zealand Communications Security Standard No. 400 (NZCSS 400). This standard provides a minimum standard of installation engineering for all New Zealand government agencies, organisations or personnel concerned with the planning or engineering of New Zealand installations processing protectively marked information.
  • New Zealand Communications Security Standard No. 500 (NZCSS 500). This standard provides consolidated statements of national communications security policy. Where necessary, more information about the policy will be provided in the relevant national communications security standards or instructions.
  • New Zealand Information Security Manual.

2 Cyber security action required

Agencies should adopt mitigation strategies to reduce the threat of unauthorised access to communications.

Firstly, agencies should assess this risk to determine the threat of unauthorised persons gaining access to their communications.

In this context, New Zealand government agencies should apply sound security risk management practices in accordance with:


2.1 Further information

The first point of contact for an agency to seek specific security advice is the Chief Security Officer (CSO).

Agency business areas that provide online services should seek to maintain an in-house Information Technology (IT) security capability that works closely with the agency CSO. This capability should be led by the Chief Information Security Officer (CISO).

Each CSO should maintain awareness of cyber security policy and the threat environment.

Requests for additional information on these requirements and the New Zealand Communications Security Standards should be directed to:

National Cyber Policy Office, Pipitea House, 1-15 Pipitea Street, Thorndon, Wellington.
Phone: (04) 819-8200.

Technical questions concerning cryptographic products should be directed to:

Government Communications Security Bureau (GCSB), Manager, Cryptographic Services
Phone: (04) 472-6881
Fax: (04) 499-3701
Email: products.services@gcsb.govt.nz


2.2 Reporting and managing security incidents

New Zealand government agencies and Critical National Infrastructure (CNI) organisations that have encountered or suspect the presence of a cyber threat should complete and return an Incident Reporting Form.

If required, people can contact the National Cyber Security Centre (NCSC) directly on (04) 498-7654.

All incident reports provided to the NCSC are treated in the strictest of confidence.



Last modified: 18 December 2014
