1 Introduction

1.1 Purpose

The purpose of these requirements is to:

  • provide guidance on the risks and mitigations to protect from threats targeting mobile devices
  • help to increase the security of information and communications stored or transmitted using mobile devices
  • help in establishing consistent terminology for information security across the New Zealand government
  • give agencies a framework for the assurance needed to share information.

1.2 Audience

The audience for these requirements is New Zealand government agencies.

1.3 Scope

These requirements cover:

  • the potential risks associated with mobile devices
  • mitigations to reduce mobile device risks.

It is important to follow this advice when travelling overseas and working in areas where there is an increased threat.

The sophistication and versatility of modern mobile electronic devices means they are often used to extend office functionality outside of the workplace, both nationally and internationally.

Modern mobile devices are capable of running numerous applications and offer capabilities and features even beyond those commonly found on more expensive laptops and computers.

In terms of convenience, connectivity and increased productivity, the benefits of mobile devices are undeniable.

However, their use does not come without increasing risk and they should be used in strict compliance with agency policy and security requirements.

The New Zealand government recognises cyber threats and identifies cyber security as one of its top-tier national security priorities.

As New Zealand continues to experience an increase in cyber activities, it is essential for New Zealand government agencies to continue to actively consider the risks to mobile devices.

These information security requirements provide a consistent and structured approach to determine:

  • the business impact of loss or compromise of information
  • the level of control required to:
      ‒ meet the threat environment
      ‒ give suitable protection to information
      ‒ provide assurance to other agencies for information sharing
  • the types of controls that are suitable.

Where legislative requirements are higher than controls identified in these requirements, legislative requirements take precedence and need to be applied.

These requirements support the implementation of the New Zealand Protective Security Requirements (PSR).

In particular, they support the New Zealand Information Security Manual (NZISM).

They are part of a suite of documents that aid agencies to meet their information security requirements.

Agencies should protect any information or physical assets provided by another government in accordance with international agreements.

Also refer to Safeguarding Foreign Government Information (under development).

These requirements include advice on the New Zealand government’s expectations for the protection of New Zealand information and assets by foreign governments.

1.4 Compliance requirements

A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are the baseline controls, unless the control is demonstrably not relevant to the agency concerned and this can be clearly demonstrated to the agency head or accreditation authority.

A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice. Valid reasons for not implementing a control could exist, including:

  1. the control is not relevant because the risk does not exist, or
  2. a process or control(s) of equal strength has been substituted.

Agencies must recognise that not using a control without due consideration may increase residual risk for the agency. This residual risk needs to be agreed and acknowledged by the agency head. In particular, an agency should pose the following questions:

  1. Is the agency willing to accept additional risk?
  2. Have any implications for All of Government security been considered?
  3. If so, what is the justification?

A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.

The PSR provides agencies with mandatory and best practice security measures.

The controls detailed above describe if and when agencies need to consider specific security measures to comply with the mandatory requirements.

Also refer to Strategic Security Objectives, Core Policies and the Mandatory Requirements.

1.5 Relevant standards

Other relevant requirements and documents are:

2 Cyber security action required

Agencies should adopt mitigation strategies to reduce exposing the public to cyber security risks when using mobile devices.

First, agencies should assess this risk. As a starting point, agencies should evaluate the risk scenarios identified in Annex A in their assessment and adopt applicable security controls for online services provided.

Agencies should also consider using the strategy examples at Annex B when developing their risk management plan.

In this context, New Zealand government agencies should apply sound security risk management practices in accordance with AS/NZS 31000:2009 and the NZS HB 167/2006 Security Risk Management.

New Zealand Government Protective Security Requirement GOV3 mandates this. 

2.1 Further information

The first point of contact for an agency to seek specific security advice is the Chief Security Officer (CSO).

Agency business areas that provide online services should seek to maintain an in-house Information Technology (IT) security capability that works closely with the agency CSO. This capability should be led by the Chief Information Security Officer (CISO).

Each CSO is expected to maintain awareness of cyber security policy and the threat environment.

Additional information on this guideline and the New Zealand Government Cyber Security Strategy should be directed to:

National Cyber Policy Office
Pipitea House
1–15 Pipitea Street
Thorndon
WELLINGTON
Phone: (04) 819-8200

Technical questions should be directed to:
National Cyber Security Centre (NCSC)
Phone: (04) 498-7654
Fax: (04) 498-7655
Email: info@ncsc.govt.nz

2.2 Reporting and managing security incidents

New Zealand government agencies or Critical National Infrastructure (CNI) organisations that encounter or suspect the presence of a cyber threat should complete and return an Incident Reporting Form, available online from the NCSC website.

Go to: www.ncsc.govt.nz.

If required, contact the NCSC directly on (04) 498-7654.

All incident reports provided to the NCSC are treated in the strictest of confidence.

Last modified: 18 December 2014