Managing specific scenarios

• Require users to accept account terms and conditions before they open an account, and the first time they use a different computer.
• Include in terms and conditions a warning that simply explains the specific risks associated with using the online service and give details of alternative channels for service or support.
• When you update terms and conditions, require account holders to accept the new details.
• Link a query button to your organisation’s privacy policy page to provide more information about the conditions of acceptance.

• Provide ICT resources and information intended via an unclassified standalone system. If this is not possible, the host system should be connected to an unclassified network that is separated from other networks and systems by a suitable gateway.
• Site the kiosk where it can be monitored by people from the host organisation.
• Your people should watch users and promptly investigate suspicious behaviour.
• Lock down kiosk functionality to just what is essential for the services on offer.
• Refresh kiosk sessions when a user logs out, or after a period of session inactivity that indicates the kiosk has been left unattended.
• Minimise physical access to a kiosk and its ports, allowing only what is essential.

• Provide a warning before the download starts, identifying the potential risk. For example, ‘Warning, you are about to download information across an unsecured connection’. Give the options ‘Proceed’, ‘Cancel’ and ‘?’.
• Link ‘?’ with information on associated risks. For example, with a hover tag.

Consider providing advice or links to cyber security and cyber safety information

• New Zealand National Cyber Security Centre(external link)
• The Department of Internal Affairs — Scam Complaints(external link)
• CERT NZ(external link)
• NetSafe: Cyber and Security Advice for New Zealand(external link)
• The New Zealand Government Cyber Security Strategy(external link)
• New Zealand Police(external link)

• Monitor the gateway for any unauthorised activity.
• Use a web proxy server to control access to external websites and to limit public access to permitted internal web services. You can configure a web proxy server as a web guard to check internet traffic and content for malware. 

Also see NZISM: Network security(external link)

• Use authentication methods that are proportionate to the service or information you are making publicly available. A registered user account with an associated password is the minimum authentication requirement for accessing sensitive, private or protectively marked information.
• Apply access controls to all information repositories, folders and files. Restrict access in line with user rights and privileges.
• Display the previous login time and date when a user next logs in. If the transaction is high-value or high-risk, consider sending the user a follow-up email telling them that their account has been accessed, with details of the associated Internet Protocol (IP) address.
• Where warranted, offer or impose higher level security credentials such as one-time passwords, digital certificates, or tokens. 

Also see NZISM: Access control and passwords(external link)

• Perform a code audit of any web application used on the organisation’s web site, to ensure there are no security vulnerabilities that could be exploited. 

Also see NZISM: Conducting audits(external link)

• Your organisation’s emails should carry clear messages about what the organisation would not do via email, such as asking the user to provide logon credentials or other sensitive information.
• Use a reputable mail guard to check email content and attachments.
• Block unapproved file types and sizes.
• Detect and block spam and malware.
• Enforce mandatory protective marking for all email.
• Restrict the sending of protectively marked or sensitive emails to external addresses in line with policy.

Also see NZISM: Email security(external link)

• If your organisation uses social media platforms to interact with the public, consider privacy. Carefully evaluate privacy and security implications when collecting and holding personal information as part of a service

• Do not use transaction processes that put the user at risk of unnecessary harm. For example, by requiring a public user to reduce their security protection measures.
• Use a secure connection for online transactions that transfer personal details to the government and only transfer the required details.
• Only collect the information from users that is necessary for delivering the service.
• Provide guidance to help users select a secure password.

Also see NZISM: Access control and passwords(external link)

• If you provide wireless connectivity to your network, use WPA2 with EAL-TLS for authentication and encryption. Change wireless keys and pass phrases regularly. Only provide wireless access outside office hours if necessary.

 Also see NZISM: Network security(external link)

• Log all successful and unsuccessful user activity. Investigate repeated unsuccessful attempts to perform actions.
• Notify users about unusual or higher risk online activity on their accounts.
• Analyse patterns of online user interactions for unusual activity that could indicate a security compromise.
• Profile user access devices to detect unusual access vectors that could suggest a security compromise. 

Also see NZISM: Event logging and auditing(external link)

• Ensure that read and write operations and the use of media types is appropriately restricted.
• Control device usage and data flow in line with usability requirements by using device disabling, device whitelisting, and by write-blocking devices.
• To ensure data integrity, restrict the size and types of files that may be uploaded or downloaded to or from the system. Use a reputable security suite.
• Use application whitelisting to prevent unauthorised or unwanted execution of files.
• For sensitive or protectively marked information, consider a ‘review and release’ process to control inadvertent, inappropriate or unauthorised data transfers.

Also see:

• NZISM: Data management(external link)
• NZISM: Media usage (external link)
• NZISM: Application allow listing(external link)

• Have your organisation’s IT support give priority to applying patches for online services (including the maintenance of information-only web pages) and associated web servers. Delays in patching may create cyber security vulnerabilities for public users.

Also see:

• NZISM: Product patching and updating (external link)
• NZISM: Software security(external link)

If you’re considering outsourcing functions, services, or capabilities to third parties — inside or outside of New Zealand — make sure you understand the value, classification, and relevant risks of the information that the supplier and their sub-contractors will have access to.  

Follow guidelines

New Zealand Government organisations must follow the outsourcing and offshoring guidelines and policies defined below.

• You can enter into outsourced and offshore ICT arrangements for storing or processing information protectively marked at, or below, RESTRICTED.
• You must not enter into offshore ICT arrangements for storing or processing information protectively marked CONFIDENTIAL, SECRET, or TOP SECRET.
• You can enter into outsourced ICT arrangements which are physically located in New Zealand for storing or processing information protectively marked CONFIDENTIAL, SECRET or TOP SECRET with the approval of the Government Communications Security Bureau (GCSB).
• If you’re considering using cloud services, you must contact the Government Chief Digital Officer (GCDO) for advice and guidance and follow the advice and guidance on digital.govt.nz about using cloud services.
  Cloud Services(external link)— digital.govt.nz
• If you’re planning to use cloud services, you must perform a formal risk assessment. Use your organisation's process for information security risk assessment and the guidance provided by the GCDO below. Identify the controls needed to manage the information security and privacy risks associated with your use of the service.
  Cloud Computing: Information Security and Privacy Considerations(external link)— digital.govt.nz.
• You must verify you have put effective controls in place to manage security and privacy risks before certifying and accrediting the service for use.

You need to take the steps below when using cloud services to store or process New Zealand Government information. They apply to:

• using New Zealand or overseas cloud services for information protectively marked at, or below, RESTRICTED (excluding non-protectively marked information that is publicly available)
• using New Zealand cloud services for information protectively marked above RESTRICTED.

Your organisation must do these things:

• Conduct a formal risk assessment to identify the controls required to manage the information security and privacy risks associated with using the service.
• Formally accept the residual risk associated with using the service to process protectively-marked information
• Inform the GCDO of your decision to use the service.
• Provide the GCDO with evidence you have completed a formal risk assessment, followed the GDCO’s guidance and advice, and formally accepted the residual risk associated using the service.
• Accredit the systems used by the contractor to at least the same minimum standard as the your systems.
• Ensure cloud service providers apply the controls specified in the New Zealand Information Security Manual (NZISM) to any systems hosting, processing, or storing your data and systems.

You must not use public or hybrid cloud services to host, process, or store material marked New Zealand Eyes Only (NZEO).

Outsourcing for unclassified information that is publicly available

You can outsource services for storing and processing information that is publicly available and not protectively marked to providers outside New Zealand.

Before entering into any arrangements, you must formally assess the security risks and identify controls to manage them.

You must follow the requirements for handling, storing, transmitting, transporting, and disposing of information in the Management protocol for information security.

Outsourcing for information that is protectively marked at, or below, RESTRICTED

You can outsource services for storing and processing information protectively marked at, or below, RESTRICTED to providers outside New Zealand. Before entering into any outsourced or offshore ICT arrangements, your organisation must:

• contact the GCDO for advice and guidance when using cloud services
• follow the advice and guidance in GCDO Cloud Computing: Information Security and Privacy Considerations(external link) — digital.govt.nz.

Before you certify and accredit the service, as part of the validate stage of the security lifecycle, verify that the security controls for managing security and privacy risks have been implemented and are effective.

Your chief executive, or their formal delegate, must:

• ensure that a formal risk assessment has been completed
• accept the residual risk associated with your use of the service
• inform the GCDO of your decision to enter into the outsourced or offshore arrangement.

Information protectively marked at CONFIDENTIAL, SECRET or TOP SECRET

You must not outsource services for storing and processing information protectively marked at CONFIDENTIAL, SECRET or TOP SECRET outside New Zealand.

You can outsource services to a provider physically located in New Zealand for storing and processing information protectively marked at CONFIDENTIAL, SECRET or TOP SECRET. However, you must get approval from the GCSB first.

Supporting documents and information

• Handling requirements for protectively marked information and equipment
• Supply chain security
• Public Cloud services(external link)— digital.govt.nz
• Public Cloud security(external link)— NZISM

• Ensure that mobile devices have been updated with security and application updates.
• Enable mobile device security features.
• Change PINs and passwords. Always use complex passwords containing upper and lower case letters, numbers and symbols.
• Reduce the risk of information exposure by removing any information that is not required for the deployment or period of travel.
• Back up information stored on the device. If the device becomes compromised, you may not be able to recover information from it.
• Be aware of the emergency security procedures for the mobile device.

• Maintain physical control of mobile devices at all times. Do not leave mobile devices unattended in places where they may be stolen or tampered with.
• Avoid taking mobile devices into situations where sensitive or private conversation is likely. Where this cannot be avoided, turn off the device and, where possible, remove the battery.
• If you have to give someone else the mobile device or it is lost (for example, if you have to hand it over for secure storage outside a meeting), check with your Information and Communications Technology (ICT) security people for guidance before you use it again.

• Ideally, use only corporate devices with all relevant security measures enabled for storing, processing, and communicating sensitive or private information.
• Only use personal mobile devices for official business when a risk assessment process, enabling policy, and suitable security controls are all in place.
• Be vigilant at all times. When using a mobile device, make sure that others cannot overhear your conversation or see your screen.
• If the risk of tracking is a concern, disable any GPS capability. For extra security, turn off the mobile device and, where possible, remove the battery.
• Disable any features or capabilities that are not required. For example, disable wireless, Bluetooth, and location services if you do not need them. Consider doing this before having confidential conversations.
• Always confirm the integrity of any new storage media with ICT security staff before you connect it to a mobile device. Have storage media scanned regularly for threats.
• Email usage
• Never use private email accounts to store or communicate official information.
• Never forward email from corporate email systems to personal email accounts. For example, Gmail.
• Where you need additional security, ensure that email connections are encrypted.
• To reduce the risk of downloading hidden malware, disable image loading in all email applications.

• Activate the privacy mode in the internet browser.
• Set an internet browser to prompt before installing cookies.
• Turn off auto-fill to prevent the browser from storing usernames and passwords.
• Never join or connect to wireless networks where the integrity is unknown. Make sure wireless settings require manual confirmation before connecting to a wireless network.

• Change all mobile device passwords when the deployment or travel is over.

Supporting documents and information

The New Zealand Information Security Manual (NZISM) provides details of the mandatory and recommended controls for the protection of official information. You can also contact the National Cyber Security Centre(external link) (NCSC) for guidance.

• Travelling overseas with electronic devices (PDF, 279KB)
• Working away from the office
• Agency-owned mobile devices(external link)
• Working outside the office(external link)— New Zealand Information Security Manual
• Agency-owned mobile devices(external link)— New Zealand Information Security Manual