The purpose of these requirements is to provide guidance on the use and control of Communications Security (COMSEC) material by referring to the relevant standards and instructions.
The audience of these requirements is all users of high-grade cryptographic equipment including:
- New Zealand government employees with responsibility for COMSEC
- New Zealand government contractors.
These requirements support the implementation of the New Zealand Protective Security Requirements (PSR).
They are part of a suite of documents available to help agencies meet their information security requirements.
Where legislative requirements are higher than controls identified in these requirements, legislative requirements take precedence and need to be applied.
These requirements include advice on the New Zealand government’s expectations for the protection of New Zealand information and assets by foreign governments.
COMSEC includes cryptography, transmission security, emission security, traffic-flow security and physical security of COMSEC equipment.
These forms of security safeguard our communications and reduce the threat of unauthorised persons gaining access to them.
The New Zealand government recognises cyber threats and identifies cyber security as one of its top tier national security priorities.
As New Zealand continues to experience an increase in cyber activities, it is essential for New Zealand government agencies to continue to actively consider the risks.
These requirements will help to establish a consistent terminology for information security across the New Zealand government and give agencies a framework for the assurance needed to share information.
1.4 Compliance requirements
A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are the baseline controls unless the control is demonstrably not relevant to the respective agency and this can be clearly demonstrated to the agency head or accreditation authority.
A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice. Valid reasons for not implementing a control could exist, including:
- a control is not relevant because the risk does not exist, or
- a process or control(s) of equal strength has been substituted.
Agencies must recognise that not using a control without due consideration may increase residual risk for the agency. This residual risk needs to be agreed and acknowledged by the agency head. In particular, an agency should pose the following questions:
- Is the agency willing to accept additional risk?
- Have any implications for All of Government security been considered?
- If so, what is the justification?
A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.
The PSR provides agencies with mandatory and best practice security measures.
The controls detailed above identify if and when agencies need to consider specific security measures to comply with the mandatory requirements.
1.5 Relevant standards
The standards relevant to these requirements are listed here.
- New Zealand Communications Security Standard No. 300 (NZCSS 300). This standard provides the minimum security requirements for the control and accountability of communications security material within the New Zealand government and agencies.
- New Zealand Communications Security Standard No. 400 (NZCSS 400). This standard provides a minimum standard of installation engineering for all New Zealand government agencies, organisations or personnel concerned with the planning or engineering of New Zealand installations processing protectively marked information.
- New Zealand Communications Security Standard No. 500 (NZCSS 500). This standard provides consolidated statements of national communications security policy. Where necessary, more information about the policy will be provided in the relevant national communications security standards or instructions.
- New Zealand Information Security Manual.