Accreditation is the formal authority for a system to operate, and an important element in fundamental information system governance. Accreditation requires risk identification and assessment, selection and implementation of baseline and other appropriate controls and the recognition and acceptance of residual risks relating to the operation of a system including any outsourced services such as Telecommunications or Cloud. Accreditation relies on the completion of system certification procedures.

]]> This section covers information on the accreditation framework for systems.

]]> All types of government held information are covered, including Official Information and information subject to privacy requirements.

]]> The development of an accreditation framework within the agency will ensure that accreditation activities are conducted in a repeatable and consistent manner across the agency and that consistency across government systems is maintained. This requirement is a fundamental part of a robust governance model and provides a sound process to demonstrate good governance of information systems.

]]> Agencies MUST develop an accreditation framework for their agency.

]]> Accreditation ensures that either sufficient security measures have been put in place to protect information that is processed, stored or communicated by the system or that deficiencies in such measures have been identified, assessed and acknowledged by an appropriate authority. As such, when systems are awarded accreditation the Accreditation Authority accepts that the residual security risks relating to the system are appropriate for the information that it processes, stores or communicates.

]]> Once systems have been accredited, conducting on-going monitoring activities will assist in assessing changes to its environment and operation and to determine the implications for the security risk profile and accreditation status of the system.

]]> Agencies MUST ensure that each of their systems is awarded accreditation.

]]> Agencies MUST ensure that all systems are awarded accreditation before they are used operationally.

]]> Agencies MUST ensure that all systems are awarded accreditation prior to connecting them to any other internal or external system.

]]> Agencies SHOULD ensure information security monitoring, logging and auditing is conducted on all accredited systems.

]]> Determining the certification and accreditation authorities for multi-national and multi-agency systems via a formal agreement between the parties will ensure that the system owner has identified appropriate points of contact and that risk is appropriately managed. See Section 4.5 – Conducting Accreditations.

]]> For multi-national and multi-agency systems, the Certification and Accreditation Authorities SHOULD be determined by a formal agreement between the parties involved.

]]> In advising the certification and accreditation authorities of their intent to seek certification and accreditation for a system, the system owner can request information on the latest processes and requirements for their system.

]]> Prior to beginning the accreditation process the system owner SHOULD advise the certification and accreditation authorities of their intent to seek certification and accreditation for their system.

]]> Agencies SHOULD confirm governance arrangements with the certification authorities, and with the accreditation authorities.

]]> When an agency is connecting a system to another party they need to be aware of the security measures the other party has implemented to protect their information. More importantly, the agency needs to know where the other party may have varied from controls in this manual. This is vital where different classification systems are applied, such as in the use of multiple national classification systems.

]]> Methods that an agency may use to ensure that other agencies and third parties comply with the agency’s information security expectations include:

  • assurance and confirmation that the certification and accreditation process described in the NZISM is adhered to;
  • conducting or utilising any third party reviewed assurance reports;
  • conducting an accreditation of the system being connected to; and/or
  • seeking a copy of existing accreditation deliverables in order to make their own accreditation determination.
]]> Ultimately, the agency MUST accept any security risks associated with connecting their system to the other party’s system. This includes the risks of other party’s system potentially being used as a platform to attack their system or “spilling” information requiring subsequent clean up processes.

]]> Special care MUST be taken for multi- national, multi-agency and All-of-Government systems.

]]> Where an agency’s system exchanges information with a third-party system, the agency MUST ensure that the receiving party has appropriate measures in place to provide a level of protection commensurate with the classification or privacy requirements of their information and that the third party is authorised to receive that information.

]]> An agency MUST ensure that a third party is aware of the agency’s information security expectations and national security requirements by defining expectations in documentation that includes, but is not limited to:

  • contract provisions; 
  • a memorandum of understanding;
  • non-disclosure agreements.
]]> An agency MUST ensure that a third party complies with the agency’s information security expectations through a formal process providing assurance to agency management that the operation of information security within the third party meets, and continues to meet, these expectations.

]]> Agencies SHOULD review accreditation deliverables when determining whether the receiving party has appropriate measures in place to provide a level of protection commensurate with the classification of their information.

]]> When security is applied to systems, protective measures are put in place based on the highest classification that will be processed, stored or communicated by the system. As such, any classified information placed on the system above the level for which it has been accredited will receive an inappropriate level of protection and could be exposed to a greater risk of compromise.

]]> Agencies MUST NOT allow a system to process, store or communicate classified information above the classification for which the system has received accreditation.

]]> When processing compartmented information on a system, agencies need to ensure that the system has received accreditation.

]]> Compartments are invariably established for the additional protection of information of National security significance, over and above the protection provided by the primary classification.  It is extremely unlikely that such compartments would be established at a classification below CONFIDENTIAL.

]]> A system that processes, stores or communicates compartmented information MUST be accredited by the GCSB.

]]> NZEO systems process, store and communicate information that is particularly sensitive to the government of New Zealand. When agencies are dealing with New Zealand Eyes Only (NZEO) information they need to be aware of the requirement for a New Zealand national to remain in control of the system and information at all times. It is, therefore, essential that control of such systems is maintained by New Zealand citizens working for the government of New Zealand.

]]> Agencies MUST ensure that systems processing, storing or communicating NZEO information remain under the control of a New Zealand national working for the New Zealand government, at all times.

]]> Agencies should reaccredit their systems at least every two years; however, they can exercise an additional one year’s grace if they follow the procedures in this manual for non-compliance with a ‘SHOULD’ requirement, namely conducting a comprehensive security risk assessment, obtaining sign-off by senior management and formal acceptance of residual risk.

]]> Accreditations should be commenced at least six months before due date to allow sufficient time for the certification and accreditations processes to be completed. Once three years has elapsed between accreditations, the authority to operate the system (the accreditation) will lapse and the agency will need to either reaccredit the system or request a dispensation to operate without accreditation. It should be noted that operating a system without accreditation is considered extremely risky. This will be exacerbated when multiple agency or All-of-Government systems are involved.

]]> Additional reasons for conducting reaccreditation activities could include:

  • changes in the agency’s information security policies or security posture;
  • detection of new or emerging threats to agency systems;
  • the discovery that controls are not operating as effectively as planned; 
  • a major information security incident; and
  • a significant change to systems, configuration or concept of operation for the accredited system.
]]> Agencies MUST ensure that the period between accreditations of each of their systems does not exceed three years.

]]> Agencies MUST notify associated agencies where multiple agencies are connected to agency systems operating with expired accreditations.

]]> Agencies MUST notify the Government Chief Digital Officer (GCDO) where All-of-Government systems are connected to agency systems operating with expired accreditations.

]]> Agencies MUST NOT operate a system without accreditation or with a lapsed accreditation unless the accreditation authority has granted a dispensation.

]]> Agencies SHOULD ensure that the period between accreditations of each of their systems does not exceed two years.

]]>