Access to information on systems is controlled in accordance with agency policy and the NZISM.

]]> This section covers information on accessing systems for all system users.

]]> Additional information on privileged users can be found in Section 16.3 - Privileged User Access and additional information on security clearance, briefing and authorisation requirements can be found in Section 9.2 - Authorisations, Security Clearances and Briefings.

]]> A clearly defined process will assist an organisation in the consistent development of access control lists for their systems.

]]> Agencies MUST follow a defined process for developing an access control list, such as described in the table below.

Stage Description
1 Establish groups of all system resources based on similar security objectives.
2 Determine the information owner for each group of resources.
3

Obtain agreement from system owners.
4

Establish groups encompassing all system users based on similar functions or security objectives.
5

Determine the group owner or manager for each group of system users.
6

Determine the degree of access to the resource for each system user group, incorporating the principal of least-privilege access.
7

Decide on the level of access for security administration, based on the internal security policy.
8

Identify any classification, protective markings, and releasability indicators (such as NZEO or compartmented information).
]]> Use of access controls on a system will assist in enforcing the need-to-know principle. How access controls are set up in organisations are becoming increasing important to mitigate threats and minimise attack surfaces.

]]> Agencies MUST have authorisation of system users enforced by access controls.

]]> Compartmented information is particularly sensitive and as such extra measures need to be put in place on systems to restrict access to those with sufficient authorisation, briefings and a demonstrated need-to-know or need- to access.

]]> Agencies MUST restrict access to compartmented information. Such restriction MUST be enforced by the system.

]]> If a New Zealand system is to be accessed overseas it will need to be from at least a facility owned by a country that New Zealand has a multilateral or bilateral agreement with. NZEO systems can be accessed only from facilities under the sole control of the government of New Zealand and by New Zealand citizens.

]]> Agencies MUST NOT allow access to NZEO information from systems and facilities not under the sole control of the government of New Zealand and New Zealand citizens.

]]> Unless a multilateral or bilateral security agreement is in place, agencies SHOULD NOT allow access to classified information from systems and facilities not under the sole control of the government of New Zealand and New Zealand citizens.

]]>