Managing specific scenarios

Consider these specific scenarios and how to manage the associated risks

Transacting online with the public

INF038

Online services offer the public a convenient, efficient way to access government and other services. However, as the demand for online services grows, so too does the scale and sophistication of cybercrime and malicious activities.

The New Zealand Government recognises cyber threats and identifies cyber security as a top-tier priority for national security.

Organisations should adopt mitigation strategies to reduce the public’s exposure to cyber security risks online. If your online services are compromised, your services may expose your clients to harm. Malicious software posted on your online services could result in:

  • corruption of the users’ device and loss of information
  • propagation of malicious software and infection to other websites and devices
  • theft of users’ identity or financial details
  • users being blackmailed or drawn into illegal activities.

Consider the impacts of unintended information disclosure, for example unintentionally disclosing location information about the people you are transacting with.

Organisations that provide online services should maintain skilled, in-house IT security staff who work closely with the organisation’s chief security officer (CSO). The Chief Information Security Officer (CISO) should lead this function.

Mitigate risks when transacting online with the public

The New Zealand Information Security Manual(external link) (NZISM) provides details of the mandatory and recommended controls for protecting official information. You can also contact the National Cyber Security Centre(external link) (NCSC) for guidance.

Ensure that users are aware of the risks surrounding the use of public-facing systems and how to mitigate them.

Provide training and documentation on how to use systems and services safely and appropriately for each of the usage scenarios described in this section. Develop policies for usage and ensure that all system users follow them.

Take care with insecure browsers. Restrict access from browser versions that are known to have security weaknesses or that are out of date or unsupported, or warn users about them.

Protect online accounts

If your public users need to set up an online account to transact with your organisation, use the following measures to protect their security.

  • Require users to accept account terms and conditions before they open an account, and the first time they use a different computer.
  • Include in terms and conditions a warning that simply explains the specific risks associated with using the online service and give details of alternative channels for service or support.
  • When you update terms and conditions, require account holders to accept the new details.
  • Link a query button to your organisation’s privacy policy page to provide more information about the conditions of acceptance.

  • Provide ICT resources and information intended for public use via an unclassified standalone system. If this is not possible, connect the host system to an unclassified network that is separated from other networks and systems by a suitable gateway.
  • Site the kiosk where it can be monitored by people from the host organisation.
  • Your people should watch users and promptly investigate suspicious behaviour.
  • Lock down kiosk functionality to just what is essential for the services on offer.
  • Refresh kiosk sessions when a user logs out, or after a period of session inactivity that indicates the kiosk has been left unattended.
  • Minimise physical access to a kiosk and its ports, allowing only what is essential.

  • Provide a warning before the download starts, identifying the potential risk. For example, ‘Warning, you are about to download information across an unsecured connection’. Give the options ‘Proceed’, ‘Cancel’ and ‘?’.
  • Link ‘?’ with information on associated risks. For example, with a hover tag.

Consider providing advice or links to cyber security and cyber safety information

  • Monitor the gateway for any unauthorised activity.
  • Use a web proxy server to control access to external websites and to limit public access to permitted internal web services. You can configure a web proxy server as a web guard to check internet traffic and content for malware. 

Also see NZISM: Network security(external link)

  • Use authentication methods that are proportionate to the service or information you are making publicly available. A registered user account with an associated password is the minimum authentication requirement for accessing sensitive, private or protectively marked information.
  • Apply access controls to all information repositories, folders and files. Restrict access in line with user rights and privileges.
  • Display the previous login time and date when a user next logs in. If the transaction is high-value or high-risk, consider sending the user a follow-up email telling them that their account has been accessed, with details of the associated Internet Protocol (IP) address.
  • Where warranted, offer or impose higher level security credentials such as one-time passwords, digital certificates, or tokens. 

Also see NZISM: Access control and passwords(external link)

  • Perform a code audit of any web application used on the organisation’s web site, to ensure there are no security vulnerabilities that could be exploited. 

Also see NZISM: Conducting audits(external link)

  • Your organisation’s emails should carry clear messages about what the organisation would not do via email, such as asking the user to provide logon credentials or other sensitive information.
  • Use a reputable mail guard to check email content and attachments.
  • Block unapproved file types and sizes.
  • Detect and block spam and malware.
  • Enforce mandatory protective marking for all email.
  • Restrict the sending of protectively marked or sensitive emails to external addresses in line with policy.

Also see NZISM: Email security(external link)

  • If your organisation uses social media platforms to interact with the public, consider privacy. Carefully evaluate the privacy and security implications of collecting and holding personal information as part of a service.

  • Do not use transaction processes that put the user at risk of unnecessary harm. For example, by requiring a public user to reduce their security protection measures.
  • Use a secure connection for online transactions that transfer personal details to the government and only transfer the required details.
  • Only collect the information from users that is necessary for delivering the service.
  • Provide guidance to help users select a secure password.

Also see NZISM: Access control and passwords(external link)

  • If you provide wireless connectivity to your network, use WPA2 with EAP-TLS for authentication and encryption. Change wireless keys and passphrases regularly. Only provide wireless access outside office hours if necessary.

Also see NZISM: Network security(external link)

  • Log all successful and unsuccessful user activity. Investigate repeated unsuccessful attempts to perform actions.
  • Notify users about unusual or higher risk online activity on their accounts.
  • Analyse patterns of online user interactions for unusual activity that could indicate a security compromise.
  • Profile user access devices to detect unusual access vectors that could suggest a security compromise. 

Also see NZISM: Event logging and auditing(external link)
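As an added example (not part of this guidance, and not a government or NZISM tool), the following Python shows how the access-control and logging measures above can be implemented inside an application: it keeps the previous successful login to display to the user, reports a burst of failed attempts for investigation, and flags a login from a device fingerprint or source IP the account has not used before so the user can be notified. The event format, the five-failures-in-ten-minutes threshold and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example, not from the PSR guidance: an account-activity monitor that
# (1) keeps the previous successful login to show the user on their next login,
# (2) flags repeated failed attempts within a window for investigation, and
# (3) flags logins from a device fingerprint or IP the account has not used before.
# Thresholds and event format are assumptions chosen for this example.

FAILURE_THRESHOLD = 5                  # failures within the window that trigger a finding
FAILURE_WINDOW = timedelta(minutes=10)

# Constructed sample events (not real logs): user, outcome, source IP, device fingerprint, time.
SAMPLE_EVENTS = [
    ("alice", "success", "203.0.113.10", "fp-a1", "2024-03-01T09:00:00"),
    ("alice", "success", "203.0.113.10", "fp-a1", "2024-03-02T09:05:00"),
    ("bob", "failure", "198.51.100.7", "fp-b1", "2024-03-02T10:00:00"),
    ("bob", "failure", "198.51.100.7", "fp-b1", "2024-03-02T10:00:20"),
    ("bob", "failure", "198.51.100.7", "fp-b1", "2024-03-02T10:00:40"),
    ("bob", "failure", "198.51.100.7", "fp-b1", "2024-03-02T10:01:00"),
    ("bob", "failure", "198.51.100.7", "fp-b1", "2024-03-02T10:01:30"),
    ("alice", "success", "192.0.2.55", "fp-x9", "2024-03-03T02:30:00"),
]


@dataclass
class Finding:
    user: str
    kind: str      # "repeated_failures", "new_device" or "new_ip"
    detail: str


class AccountActivityMonitor:
    def __init__(self):
        self.last_success = {}                    # user -> datetime of last successful login
        self.known_devices = defaultdict(set)     # user -> device fingerprints seen on success
        self.known_ips = defaultdict(set)         # user -> source IPs seen on success
        self.failures = defaultdict(deque)        # user -> timestamps of recent failures
        self.findings = []

    def record(self, user, outcome, ip, device, ts):
        """Process one authentication event. Returns the login banner for a
        successful login (previous login time plus any notification), else None."""
        when = datetime.fromisoformat(ts)
        if outcome != "success":
            recent = self.failures[user]
            recent.append(when)
            while recent and when - recent[0] > FAILURE_WINDOW:   # drop stale failures
                recent.popleft()
            if len(recent) == FAILURE_THRESHOLD:                  # report once per burst
                self.findings.append(Finding(user, "repeated_failures",
                    f"{len(recent)} failed attempts within {FAILURE_WINDOW} from {ip}"))
            return None

        previous = self.last_success.get(user)
        notify = []
        if self.known_devices[user] and device not in self.known_devices[user]:
            self.findings.append(Finding(user, "new_device", f"unrecognised device {device}"))
            notify.append(f"new device {device}")
        if self.known_ips[user] and ip not in self.known_ips[user]:
            self.findings.append(Finding(user, "new_ip", f"unrecognised source IP {ip}"))
            notify.append(f"new source IP {ip}")

        self.last_success[user] = when
        self.known_devices[user].add(device)
        self.known_ips[user].add(ip)
        self.failures[user].clear()

        return {
            "user": user,
            "previous_login": previous.isoformat() if previous else None,
            # Message to send the user (for example by email) when the access looks unusual.
            "notify_user": (f"Your account was accessed on {ts} from IP {ip} ({', '.join(notify)})."
                            if notify else None),
        }


def analyse(events):
    """Replay (user, outcome, ip, device, iso_timestamp) tuples; return the monitor
    and the banner produced for each successful login."""
    monitor = AccountActivityMonitor()
    banners = [b for b in (monitor.record(*e) for e in events) if b is not None]
    return monitor, banners


if __name__ == "__main__":
    monitor, banners = analyse(SAMPLE_EVENTS)
    for b in banners:
        print(b)
    for f in monitor.findings:
        print("INVESTIGATE:", f)
```

In a real service the device fingerprint would come from the session (user agent, TLS or client characteristics) and the findings would go to the logging and alerting pipeline rather than a list; the point of the example is that the previous-login display, the failure threshold and the new-access-vector check all fall out of the same event stream.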

  • Ensure that read and write operations and the use of media types is appropriately restricted.
  • Control device usage and data flow in line with usability requirements by using device disabling, device whitelisting, and by write-blocking devices.
  • To ensure data integrity, restrict the size and types of files that may be uploaded or downloaded to or from the system. Use a reputable security suite.
  • Use application whitelisting to prevent unauthorised or unwanted execution of files.
  • For sensitive or protectively marked information, consider a ‘review and release’ process to control inadvertent, inappropriate or unauthorised data transfers.
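The email controls earlier in this section (approved attachment types and sizes, mandatory protective marking, restrictions on sending marked mail to external addresses) and the data transfer controls just above (restricting the size and types of files uploaded or downloaded) reduce to the same policy checks. The Python below is an added example, not code from this guidance or from any NZISM tool, of such a gate: it confirms a file's type from its leading bytes rather than its name alone, applies a size limit, requires a marking in the subject, and blocks marked mail to addresses outside the organisation's domain. The approved-type list, size limit, marking vocabulary and the `example.govt.nz` domain are assumptions for the example.

```python
import os
import re
from dataclasses import dataclass

# Added example (not from the PSR guidance or NZISM): a policy gate for email
# attachments and file uploads/downloads. Limits, the approved-type list, the
# marking vocabulary and the internal domain are assumptions for this example.

MAX_TRANSFER_BYTES = 5 * 1024 * 1024          # assumed size limit per file
INTERNAL_DOMAIN = "example.govt.nz"            # assumed organisation mail domain

# Approved file types: extension -> leading bytes the content must start with
# (None means the type has no fixed signature and is accepted on extension alone).
APPROVED_TYPES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".txt": None,
}

# Assumed marking vocabulary; only markings in the set below may leave the organisation.
MARKING_RE = re.compile(r"^\[(UNCLASSIFIED|IN-CONFIDENCE|SENSITIVE|RESTRICTED)\]")
EXTERNAL_ALLOWED_MARKINGS = {"UNCLASSIFIED"}


@dataclass
class Attachment:
    name: str
    content: bytes


def check_file(att, max_bytes=MAX_TRANSFER_BYTES):
    """Return policy violations for one file (an empty list means it may be transferred).
    The same check serves email attachments and upload/download gates."""
    problems = []
    ext = os.path.splitext(att.name.lower())[1]
    if ext not in APPROVED_TYPES:
        problems.append(f"{att.name}: file type '{ext or 'none'}' is not approved")
    else:
        signature = APPROVED_TYPES[ext]
        # Check the bytes, not the name: a renamed executable keeps its own signature.
        if signature is not None and not att.content.startswith(signature):
            problems.append(f"{att.name}: content does not match the {ext} file signature")
    if len(att.content) > max_bytes:
        problems.append(f"{att.name}: {len(att.content)} bytes exceeds the {max_bytes} byte limit")
    return problems


def check_email(subject, recipients, attachments):
    """Return policy violations for an outbound email (an empty list means it may be sent)."""
    problems = []
    match = MARKING_RE.match(subject)
    marking = match.group(1) if match else None
    if marking is None:
        problems.append("subject lacks a mandatory protective marking")
    external = [r for r in recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if external and marking not in EXTERNAL_ALLOWED_MARKINGS:
        problems.append(f"{marking or 'unmarked'} mail may not be sent to external addresses: "
                        + ", ".join(external))
    for att in attachments:
        problems.extend(check_file(att))
    return problems


if __name__ == "__main__":
    # Constructed sample: a genuine PDF header, an executable renamed to .pdf, and
    # a RESTRICTED message addressed outside the organisation.
    samples = [
        Attachment("report.pdf", b"%PDF-1.7\n% constructed sample"),
        Attachment("invoice.pdf", b"MZ\x90\x00 constructed executable bytes"),
    ]
    for p in check_email("[RESTRICTED] Quarterly figures", ["partner@example.com"], samples):
        print("BLOCK:", p)
```

The signature check is what makes the type restriction worth having: an allow-list keyed on extension alone is defeated by renaming a file, whereas a mismatch between the name and the leading bytes is itself a reason to block and, for marked material, to route the transfer through the review-and-release process.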

  • Have your organisation’s IT support give priority to applying patches for online services (including the maintenance of information-only web pages) and associated web servers. Delays in patching may create cyber security vulnerabilities for public users.


Outsourcing, offshoring, and supply chains

INF039

Supply chains are becoming more complex. When you conduct your risk assessment, consider each part of your organisation’s supply chain.

If you’re considering outsourcing functions, services, or capabilities to third parties, make sure you understand the value and classification of the information that the supplier and their sub-contractors will have access to.

Check that your suppliers can articulate who and what they are connected to, and what dependencies they have.

Your organisation should consider using common capability solutions if they exist, rather than sourcing individual solutions themselves, because the security and capability has already been scoped.

Products and services(external link) — digital.govt.nz

Your organisation’s heads will remain accountable for ensuring that information is appropriately protected, even if you outsource responsibility for security controls.

It is your responsibility to perform due diligence, validation, and acceptance for supply chain services, even when you use common capability solutions.

If you’re considering outsourcing functions, services, or capabilities to third parties — inside or outside of New Zealand — make sure you understand the value, classification, and relevant risks of the information that the supplier and their sub-contractors will have access to.  

Follow guidelines

New Zealand Government organisations must follow the outsourcing and offshoring guidelines and policies defined below.

  • You can enter into outsourced and offshore ICT arrangements for storing or processing information protectively marked at, or below, RESTRICTED.
  • You must not enter into offshore ICT arrangements for storing or processing information protectively marked CONFIDENTIAL, SECRET, or TOP SECRET.
  • You can enter into outsourced ICT arrangements which are physically located in New Zealand for storing or processing information protectively marked CONFIDENTIAL, SECRET or TOP SECRET with the approval of the Government Communications Security Bureau (GCSB).
  • If you’re considering using cloud services, you must contact the Government Chief Digital Officer (GCDO) for advice and guidance and follow the advice and guidance on digital.govt.nz about using cloud services.
    Cloud Services(external link)— digital.govt.nz
  • If you’re planning to use cloud services, you must perform a formal risk assessment. Use your organisation's process for information security risk assessment and the guidance provided by the GCDO below. Identify the controls needed to manage the information security and privacy risks associated with your use of the service.
    Cloud Computing: Information Security and Privacy Considerations(external link)— digital.govt.nz.
  • You must verify you have put effective controls in place to manage security and privacy risks before certifying and accrediting the service for use.

You need to take the steps below when using cloud services to store or process New Zealand Government information. They apply to:

  • using New Zealand or overseas cloud services for information protectively marked at, or below, RESTRICTED (excluding non-protectively marked information that is publicly available)
  • using New Zealand cloud services for information protectively marked above RESTRICTED.

Your organisation must do these things:

  • Conduct a formal risk assessment to identify the controls required to manage the information security and privacy risks associated with using the service.
  • Formally accept the residual risk associated with using the service to process protectively marked information.
  • Inform the GCDO of your decision to use the service.
  • Provide the GCDO with evidence that you have completed a formal risk assessment, followed the GCDO’s guidance and advice, and formally accepted the residual risk associated with using the service.
  • Accredit the systems used by the contractor to at least the same minimum standard as your own systems.
  • Ensure cloud service providers apply the controls specified in the New Zealand Information Security Manual (NZISM) to any systems hosting, processing, or storing your data and systems.

You must not use public or hybrid cloud services to host, process, or store material marked New Zealand Eyes Only (NZEO).

Outsourcing for unclassified information that is publicly available

You can outsource services for storing and processing information that is publicly available and not protectively marked to providers outside New Zealand.

Before entering into any arrangements, you must formally assess the security risks and identify controls to manage them.

You must follow the requirements for handling, storing, transmitting, transporting, and disposing of information in the Management protocol for information security.

Outsourcing for information that is protectively marked at, or below, RESTRICTED

You can outsource services for storing and processing information protectively marked at, or below, RESTRICTED to providers outside New Zealand. Before entering into any outsourced or offshore ICT arrangements, your organisation must take the steps below.

Before you certify and accredit the service, as part of the validate stage of the security lifecycle, verify that the security controls for managing security and privacy risks have been implemented and are effective.

Your chief executive, or their formal delegate, must:

  • ensure that a formal risk assessment has been completed
  • accept the residual risk associated with your use of the service
  • inform the GCDO of your decision to enter into the outsourced or offshore arrangement.

Information protectively marked at CONFIDENTIAL, SECRET or TOP SECRET

You must not outsource services for storing and processing information protectively marked at CONFIDENTIAL, SECRET or TOP SECRET outside New Zealand.

You can outsource services to a provider physically located in New Zealand for storing and processing information protectively marked at CONFIDENTIAL, SECRET or TOP SECRET. However, you must get approval from the GCSB first.


Mobile and remote working

INF040

Mobile and remote working is now the norm, yet many people are unaware of the threats that they face.

Taking work home, working in the field, working from hotels or conference venues, visiting client offices, and working while on public transport are just a few ways that people work remotely, using portable computers and mobile devices.

Mobile working increases the risks of compromise. It can result in the loss of sensitive, high-value, corporate or personal information, affecting your information’s confidentiality, integrity and availability. The types of risks are:

  • Loss or theft: Portable devices are easy to lose or steal, and sensitive information stored on the device can be exposed.
  • Confidentiality: When devices are used in public spaces, information can be overheard or overseen, leading to loss of confidentiality.
  • Electronic interception: Devices used over wireless and public networks are vulnerable to electronic interception. Malicious software can disable security features and activate inbuilt microphones and cameras, giving attackers access to private or privileged content and conversations.
  • Tracking: Built-in GPS receivers and transmitters may allow tracking of the precise location of the user.
  • Malicious software (malware): Just like any home or office computer, portable devices are susceptible to malware, which can be passed on to connected networks and other computing equipment.
  • External storage devices: USB devices, portable storage devices, CDs, and DVDs are an easy way to distribute malware and to exfiltrate data.

These risks may be increased when privileged users have remote access to your systems. For example, systems are at greater risk when a system administrator has access to remotely manage systems from home or a mobile device.

Also consider how to secure and manage use of personal devices in bring-your-own-device (BYOD) scenarios. Today, more people are using their personal devices for corporate purposes or their corporate devices for personal purposes, increasing the risks of compromise. User education is crucial to managing your organisation’s risks.

Before approving your people for mobile or remote working, you should conduct a mobile work risk assessment.

Reduce risks when using mobile devices using these procedures.

  • Ensure that mobile devices have been updated with security and application updates.
  • Enable mobile device security features.
  • Change PINs and passwords. Always use complex passwords containing upper and lower case letters, numbers and symbols.
  • Reduce the risk of information exposure by removing any information that is not required for the deployment or period of travel.
  • Back up information stored on the device. If the device becomes compromised, you may not be able to recover information from it.
  • Be aware of the emergency security procedures for the mobile device.

  • Maintain physical control of mobile devices at all times. Do not leave mobile devices unattended in places where they may be stolen or tampered with.
  • Avoid taking mobile devices into situations where sensitive or private conversation is likely. Where this cannot be avoided, turn off the device and, where possible, remove the battery.
  • If you have to give someone else the mobile device or it is lost (for example, if you have to hand it over for secure storage outside a meeting), check with your Information and Communications Technology (ICT) security people for guidance before you use it again.

  • Ideally, use only corporate devices with all relevant security measures enabled for storing, processing, and communicating sensitive or private information.
  • Only use personal mobile devices for official business when a risk assessment process, enabling policy, and suitable security controls are all in place.
  • Be vigilant at all times. When using a mobile device, make sure that others cannot overhear your conversation or see your screen.
  • If the risk of tracking is a concern, disable any GPS capability. For extra security, turn off the mobile device and, where possible, remove the battery.
  • Disable any features or capabilities that are not required. For example, disable wireless, Bluetooth, and location services if you do not need them. Consider doing this before having confidential conversations.
  • Always confirm the integrity of any new storage media with ICT security staff before you connect it to a mobile device. Have storage media scanned regularly for threats.

Email usage

  • Never use private email accounts to store or communicate official information.
  • Never forward email from corporate email systems to personal email accounts. For example, Gmail.
  • Where you need additional security, ensure that email connections are encrypted.
  • To reduce the risk of downloading hidden malware, disable image loading in all email applications.

  • Activate the privacy mode in the internet browser.
  • Set an internet browser to prompt before installing cookies.
  • Turn off auto-fill to prevent the browser from storing usernames and passwords.
  • Never join or connect to wireless networks where the integrity is unknown. Make sure wireless settings require manual confirmation before connecting to a wireless network.

  • Change all mobile device passwords when the deployment or travel is over.

Supporting documents and information

The New Zealand Information Security Manual (NZISM) provides details of the mandatory and recommended controls for the protection of official information. You can also contact the National Cyber Security Centre(external link) (NCSC) for guidance.


Cloud computing

INF041

Cloud computing offers organisations cost-effective, agile information storage. Cloud computing is generally more secure and provides greater choice than in-house solutions.

Cloud computing is key to the Government ICT Strategy and Action Plan to 2017 for improving service delivery, and will deliver substantial savings across government. Cabinet’s Cloud First policy requires agencies to adopt cloud services in preference to traditional IT systems.

Cloud computing poses some security risks for organisations. The Government Chief Digital Officer (GCDO) provides useful guidance for agencies when implementing cloud computing. digital.govt.nz has a cloud risk assessment process outlining the requirements for New Zealand government agencies.


Communication security

INF042

Communication security (COMSEC) safeguards reduce the threat of unauthorised people gaining access to your communications. 

COMSEC includes cryptography, transmission security, emission security, traffic-flow security, and physical security of COMSEC equipment.

Your organisation should use mitigation strategies to reduce the threat of unauthorised access to communications. Encrypt all communications during transmission. You may need high-grade cryptographic equipment. 

The standards relevant to these requirements are:

  • NZCSP 301 Safeguarding Communications Security (COMSEC) Material. This standard provides the minimum security requirements for the control and accountability of communications security material within New Zealand Government and agencies.
  • New Zealand Communications Security Standard No. 400 (NZCSS 400). This standard provides a minimum standard of installation engineering for all New Zealand Government agencies, organisations, or personnel concerned with the planning or engineering of New Zealand installations processing protectively-marked information.
  • New Zealand Information Security Manual(external link)


The Communications Security Standards are classified documents. For more information, contact GCSB.

GCSB

Phone

(04) 819-8200

If you have technical questions on cryptographic products, contact Cryptographic Services.

Cryptographic Services

Phone

(04) 472-6881

Fax

(04) 499-3701