NZISM Baseline Security Templates

Baseline Security templates are an easy way to implement some NZISM controls.

Introduction

New Zealand Government agencies are migrating from traditional systems to public cloud services following Cabinet’s decision to support a ‘cloud first’ approach to consuming ICT services.

The Government Communications Security Bureau (GCSB) is supporting agencies with secure migration to cloud services by providing information security advice and tools to facilitate secure cloud adoption.

One way the GCSB is achieving this is by working with cloud providers to develop templates based on the New Zealand Information Security Manual (NZISM) that will validate agencies’ cloud environment configuration settings and report on potential areas of poor security practice.

The GCSB also leads the security work stream of the All-of-Government (AoG) Cloud Programme. The programme is accelerating agency adoption of public cloud services, and the GCSB is supporting the programme by supplementing the security templates with additional guidance, specific cloud-related updates to the NZISM, and support to agencies.

Purpose of the baseline security templates

The NZISM baseline security templates are intended to assist agencies in understanding the security posture of their cloud environments.

The templates, when combined with existing agency and All-of-Government control certifications, provide a baseline level of security within a cloud environment to significantly reduce agencies’ assurance activities and focus them on moving towards continuous security posture assessments.

The baseline security templates don't cover all relevant NZISM controls, nor specific line-of-business requirements (for example, privacy, financial, or health information). There is likely to be additional agency certification work required to fully assess a cloud environment against the relevant NZISM control set.

The pyramid diagram below shows where the baseline security templates fit into the overall certification and accreditation process for government agencies.

The base of the pyramid consists of two existing certifications for an agency:

  1. All-of-Government certification for the cloud provider’s environment, covering controls such as physical data centre environments, personnel security, and vendor-specific security processes and controls (such as patching cloud systems). These controls are the responsibility of the cloud service provider to implement and manage.
  2. Agency standard controls such as governance, incident management and acceptable use. These controls are not specific to the cloud environment, although they need to take cloud technology into account.

The central section of the pyramid depicts controls that are assessed through the use of the baseline security templates. These controls are specific to a cloud provider, and are able to be:

  • configured by the agency as part of their tenant environment
  • continually assessed by the cloud provider
  • reported and presented to the agency in real-time, or near real-time through a dashboard
  • aligned to one or more controls in the NZISM

The top of the pyramid depicts controls that the agency has identified as required beyond the baseline level. These controls may or may not be able to be continually assessed, or reported on in the dashboard.

Benefits of the baseline security templates

The baseline security templates support and encourage agency adoption of continuous assurance (certification) processes. Dashboard reports from the templates provide real-time security status for an environment.

The templates will be updated as the NZISM changes, giving an immediate view of new recommendations for agencies.

The dashboard reports are expected to be of value to multiple roles within agencies’ ICT departments, for example architects, designers, DevOps engineers, risk assessors, assurance/audit staff, and Chief Information Security Officers (CISOs) or Information Technology Security Managers (ITSMs).

Agency security activities can shift from manually determining and reporting on NZISM compliance to focusing on the current security posture of their environment, without losing overall visibility of their compliance status.

Future of the baseline security templates

Over time, cloud providers and the GCSB will include more NZISM controls and more cloud provider configuration checks into the baseline security templates. This will be achieved through two mechanisms:

  1. As the cloud providers release more capabilities, these will be assessed by the GCSB against the NZISM for inclusion in updates released to the baselines; and
  2. Feedback from the cloud providers will be used to inform potential updates to the NZISM.

The second mechanism is also likely to be informed by updates to the NZISM that are aligned to the principles of zero trust security.
Further information

More information on the currently published NZISM baseline security templates is available from the cloud providers:

  • AWS Conformance Pack
  • Azure Regulatory Compliance Policy Initiative