Change overview

Rationale: 

Standards and technologies have significantly advanced since previous review of this chapter.

Technical controls have been updated to help agencies to better manage risks through securing their authentication and authorisation processes.

Controlling access to systems is a critical component to security strategies that safeguard agencies assets and sensitive information. It is also fundamental to adequate implementation of Zero Trust principles into agencies.

The changes bring greater consistency with updated NZ Government Digital Identity Standards, published by DIA. 

The changes also align with guidance published on ‘Own your Online’.

Change description: 

Significant change to the chapter was necessary. The majority of changes in this chapter are in sections 16.1 and 16.7.

Key changes include:

• Changing the name of the chapter
• Updating controls for passwords to align with industry standards including NIST. These changes include controls for increased character length, and removal of complexity controls and expiry requirements.
• Introduction to passwordless authentication.
• Extending logging and auditing to include event monitoring.
• Inclusion of phishing resistant multi-factor authentication.

Additional guidance around multi-factor authentication for external facing systems or systems critical to the Agency.

Expected outcome: 

Minimise risk of access and authentication attacks to agencies through and implementing stronger system controls and making it harder for attackers to identify vectors into agency systems.

Rationale: 

To improve guidance for detecting and managing security incidents and establishing clearer reporting expectations for GCISO mandated agencies to report incidents. Increased reporting from mandated agencies will help build a consolidated picture of the operating environment.

This update ensures NZISM aligns with industry guidance and practices.

Change description: 

Changes to this chapter intend on improving incident reporting to provide a better view of cyber threats that is impacting public sector. Some of the changes made to the chapter:

• provides better clarity on the nature of incidents required to be reported
• encourages agencies to share post incident review reports
• focuses on newer technologies to improve detection while deprecating obsolete technologies
• improves language around the definition of information security and cyber security incidents

Expected outcome: 

Agencies up have updated guidance on when to report information security incidents to the NCSC and/or appropriate action or processes to take on Information Security incidents.

Controls will also allow agencies to become equipped to handle Information security incidents or know what action to take.

Agencies share post incident review reports with NCSC.

Rationale: 

The previous update (v3.8) makes these controls redundant – the risk is now addressed in 11.2.11, which has suitable caveats to allow for physical access control readers and issued cards.

Change description: 

Removal of section 11.6.72, rationale and controls.

Expected outcome: 

Simplification and consistency of document.

Rationale: 

Agencies may choose to monitor their printing to give them the ability to detect malicious behaviour and investigate security incidents. If they do so then they should store these logs in a central system, such as a security information and event management tool or central database, which can only be accessed or modified by authorized and authenticated users. Logs are stored for a duration informed by risk or regulatory guidelines.

Change description: 

New control:

- For TS, S and C SHOULD centrally log the use of multifunction devices for printing, scanning, and copying

Expected outcome: 

Better ability to detect malicious behaviour and investigate security incidents, while ensuring appropriate access controls and retention policies.

Rationale: 

Wireless local area networks are used by every NZ Government agency; this work ensures that our guidance is up to date, relevant, and in line with our partners as well as the latest standards

Change description: 

Introduction of Wi-Fi Protected Access 3 (WPA3), which provides equivalent or greater security than WPA2 and WPA.

New controls:

• MUST NOT use WPA for wireless deployments
• SHOULD NOT use WPA2 for wireless deployments
• SHOULD use WPA3 for wireless deployments
• Classifications CONFIDENTIAL and above MUST use EAP-TLS or PEAP-EAP-TLS

Expected outcome: 

Greater wireless network security by reducing the possibility of unauthorised access and ensuring that network traffic has suitable cryptographic protections.