Information security

INF038

Transacting online with the public

Online services offer the public a convenient, efficient way to access government and other services. However, as the demand for online services grows, so too does the scale and sophistication of cybercrime and malicious activities.

The New Zealand Government recognises cyber threats and identifies cyber security as a top-tier priority for national security.

Organisations should adopt mitigation strategies to reduce the public’s exposure to cyber security risks online. If your online services are compromised, your services may expose your clients to harm. Malicious software posted on your online services could result in:

  • corruption of the users’ device and loss of information
  • propagation of malicious software and infection to other websites and devices
  • theft of users’ identity or financial details
  • users being blackmailed or drawn into illegal activities.

Consider the impacts of unintended information disclosure, for example unintentionally revealing the location of the people you are transacting with.

Organisations that provide online services should maintain skilled, in-house IT security staff who work closely with the organisation’s chief security officer (CSO). The Chief Information Security Officer (CISO) should lead this function.

Mitigate risks when transacting online with the public

The New Zealand Information Security Manual (NZISM) provides details of the mandatory and recommended controls for protecting official information. You can also contact the National Cyber Security Centre (NCSC) for guidance.

Ensure that users are aware of the risks surrounding the use of public-facing systems and how to mitigate them.

Provide training and documentation on how to use systems and services safely and appropriately for each of the usage scenarios described in this section. Develop policies for usage and ensure that all system users follow them.

Take care with insecure browsers. Either block access from browser versions that have known security weaknesses or are out of date or unsupported, or warn users of those versions about the risk.


Protect online accounts

If your public users need to set up an online account to transact with your organisation, use the following measures to protect their security.

Keep users up to date with your terms and conditions

  • Require users to accept account terms and conditions before they open an account, and the first time they use a different computer.
  • Include in terms and conditions a plain-language warning that explains the specific risks associated with using the online service, and give details of alternative channels for service or support.
  • When you update terms and conditions, require account holders to accept the new details.
  • Link a query button to your organisation’s privacy policy page to provide more information about the conditions of acceptance.


Keep public users’ data safe

  • Do not use transaction processes that put the user at risk of unnecessary harm, for example by requiring a public user to lower their own security settings in order to complete a transaction.
  • Use a secure (TLS-encrypted) connection for online transactions that transfer personal details to the government, and transfer only the details that are required.
  • Only collect the information from users that is necessary for delivering the service.
  • Provide guidance to help users select a secure password.

Also see NZISM: Access Control


Protect the security of on-site kiosks where the public can access information and services

  • Provide the ICT resources and information intended for public access via an unclassified standalone system. If this is not possible, connect the host system to an unclassified network that is separated from other networks and systems by a suitable gateway.
  • Site the kiosk where it can be monitored by people from the host organisation.
  • Your people should watch users and promptly investigate suspicious behaviour.
  • Lock down kiosk functionality to just what is essential for the services on offer.
  • Reset the kiosk session, clearing any data left by the previous user, when a user logs out or after a period of inactivity that indicates the kiosk has been left unattended.
  • Minimise physical access to a kiosk and its ports, allowing only what is essential.


Protect the security of wireless network access

  • If you provide wireless connectivity to your network, use WPA2 with EAP-TLS (certificate-based) authentication and encryption. Change wireless keys and passphrases regularly. Only provide wireless access outside office hours if necessary.

Also see NZISM: Network Security


Warn public users about downloading information

  • Provide a warning before the download starts, identifying the potential risk. For example, ‘Warning, you are about to download information across an unsecured connection’. Give the options ‘Proceed’, ‘Cancel’ and ‘?’.
  • Link ‘?’ to information on the associated risks, for example via a tooltip.


Consider providing advice or links to cyber security and cyber safety information


Use gateway technology to separate public network services from corporate systems

  • Monitor the gateway for any unauthorised activity.
  • Use a web proxy server to control access to external websites and to limit public access to permitted internal web services. You can configure a web proxy server as a web guard to check internet traffic and content for malware.

Also see NZISM: Network Security


Audit and monitor activity

  • Log all successful and unsuccessful user activity. Investigate repeated unsuccessful attempts to perform actions.
  • Notify users about unusual or higher risk online activity on their accounts.
  • Analyse patterns of online user interactions for unusual activity that could indicate a security compromise.
  • Profile user access devices to detect unusual access vectors that could suggest a security compromise.

Also see NZISM: Event Logging and Auditing


Control authentication and access

  • Use authentication methods that are proportionate to the service or information you are making publicly available. A registered user account with an associated password is the minimum authentication requirement for accessing sensitive, private or protectively marked information.
  • Apply access controls to all information repositories, folders and files. Restrict access in line with user rights and privileges.
  • Display the previous login time and date when a user next logs in. If the transaction is high-value or high-risk, consider sending the user a follow-up email telling them that their account has been accessed, with details of the associated Internet Protocol (IP) address.
  • Where warranted, offer or impose higher level security credentials such as one-time passwords, digital certificates, or tokens.
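The monitoring and notification points in the two sections above (investigating repeated failed attempts, profiling access devices, and showing the previous login or sending a follow-up notice with the IP address) can be exercised against login records. The following is an added illustration, not code from the PSR or the NZISM; the log line format, the failure threshold of five, and the sample records are all constructed for this example:

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <user> <ip> <device_id> <ok|fail>".
# A real service would read this from its authentication log.
SAMPLE_LOG = """\
2018-10-02T08:00:00 alice 203.0.113.5 dev-a1 ok
2018-10-02T08:05:00 bob 198.51.100.7 dev-b1 ok
2018-10-02T09:00:00 alice 203.0.113.5 dev-a1 ok
2018-10-02T09:10:00 bob 198.51.100.9 dev-b1 fail
2018-10-02T09:10:05 bob 198.51.100.9 dev-b1 fail
2018-10-02T09:10:10 bob 198.51.100.9 dev-b1 fail
2018-10-02T09:10:15 bob 198.51.100.9 dev-b1 fail
2018-10-02T09:10:20 bob 198.51.100.9 dev-b1 fail
2018-10-02T10:00:00 alice 192.0.2.77 dev-z9 ok
"""

FAIL_THRESHOLD = 5  # assumption: investigate accounts at five or more failures

def parse_log(text):
    """Turn log lines into event dicts, oldest first. Malformed lines are
    skipped here rather than crashing the analysis (count them in production)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, ip, device, outcome = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "device": device, "ok": outcome == "ok"})
    return sorted(events, key=lambda e: e["ts"])

def repeated_failures(events, threshold=FAIL_THRESHOLD):
    """Accounts whose failed attempts reach the threshold: investigate these."""
    counts = defaultdict(int)
    for e in events:
        if not e["ok"]:
            counts[e["user"]] += 1
    return {u: n for u, n in counts.items() if n >= threshold}

def new_vector_logins(events):
    """Successful logins from a device or IP not previously seen for that
    account. An account's first ever login sets the baseline and is not flagged."""
    seen_dev, seen_ip = defaultdict(set), defaultdict(set)
    alerts = []
    for e in events:
        if not e["ok"]:
            continue
        u = e["user"]
        reasons = []
        if seen_dev[u] and e["device"] not in seen_dev[u]:
            reasons.append("new device")
        if seen_ip[u] and e["ip"] not in seen_ip[u]:
            reasons.append("new ip")
        if reasons:
            alerts.append({"user": u, "ts": e["ts"].isoformat(), "ip": e["ip"],
                           "device": e["device"], "reasons": reasons})
        seen_dev[u].add(e["device"])
        seen_ip[u].add(e["ip"])
    return alerts

def previous_login(events, user):
    """(timestamp, ip) of the successful login before the most recent one, i.e.
    what to show the user at their current login; None if there is no prior login."""
    ok = [e for e in events if e["ok"] and e["user"] == user]
    if len(ok) < 2:
        return None
    return ok[-2]["ts"].isoformat(), ok[-2]["ip"]

def access_notice(alert):
    """Text for the follow-up message sent when a higher-risk login is seen."""
    return (f"Your account was accessed on {alert['ts']} from IP address "
            f"{alert['ip']} ({', '.join(alert['reasons'])}). If this was not you, "
            "contact us immediately.")

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("repeated failures:", repeated_failures(events))
    for a in new_vector_logins(events):
        print(access_notice(a))
    print("alice previous login:", previous_login(events, "alice"))
```

In the sample, bob's five consecutive failures cross the investigation threshold, and alice's last login from an unseen device and IP produces the notice. Keying the device profile on more than one attribute (here device identifier and IP) means a known device from a new network, or a new device from a known network, both show up as an unusual access vector.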

Also see NZISM: Access Control


Perform code audits

  • Perform a security code review of any web application used on the organisation’s website, to ensure there are no security vulnerabilities that could be exploited.

Also see NZISM: Conducting Audits


Take measures to keep email secure

  • Your organisation’s emails should carry clear messages about what the organisation would not do via email, such as asking the user to provide logon credentials or other sensitive information.
  • Use a reputable mail guard to check email content and attachments.
  • Block unapproved file types and sizes.
  • Detect and block spam and malware.
  • Enforce mandatory protective marking for all email.
  • Restrict the sending of protectively marked or sensitive emails to external addresses in line with policy.

Also see NZISM: Email Security


Protect data when uploading or downloading files

  • Ensure that read and write operations and the use of media types are appropriately restricted.
  • Control device usage and data flow in line with usability requirements by disabling devices, whitelisting devices, and write-blocking devices.
  • Restrict the size and types of files that may be uploaded to or downloaded from the system, and scan them with a reputable security suite.
  • Use application whitelisting to prevent unauthorised or unwanted execution of files.
  • For sensitive or protectively marked information, consider a ‘review and release’ process to control inadvertent, inappropriate or unauthorised data transfers.
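An added example of the size and file-type restriction above (the same check applies to the attachment type and size blocking recommended for email), not code from the PSR or the NZISM: it validates a file's content signature against its declared extension instead of trusting the filename, and strips any path components before the name is used. The allow-list, size limit, file names and byte strings are constructed assumptions for illustration:

```python
import os
import re

MAX_BYTES = 5 * 1024 * 1024  # assumption: 5 MiB upload/download limit

# Permitted types and the content signatures ("magic bytes") each one starts with.
# Assumed allow-list for illustration; extend it per the service's needs.
ALLOWED_SIGNATURES = {
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
}

def safe_filename(name):
    """Drop directory components and characters outside a conservative set,
    so a name like '../../etc/x.pdf' cannot escape the upload directory."""
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return base or "unnamed"

def declared_extension(name):
    """Last extension only: 'x.pdf.exe' is an .exe, whatever precedes it."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def validate_file(name, data, max_bytes=MAX_BYTES):
    """Return (accepted, reason). Rejects empty or oversize files, types outside
    the allow-list, and content whose signature does not match the declared type
    (for example a Windows executable renamed to .pdf)."""
    if not data:
        return False, "empty file"
    if len(data) > max_bytes:
        return False, "exceeds size limit"
    ext = declared_extension(safe_filename(name))
    if ext not in ALLOWED_SIGNATURES:
        return False, "type not permitted: ." + (ext or "(none)")
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, "content does not match declared type ." + ext
    return True, "ok"

# Constructed sample inputs, one per case the validator must handle.
SAMPLES = [
    ("report.pdf", b"%PDF-1.4\n%constructed sample\n"),
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),     # executable renamed to .pdf
    ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64),
    ("tool.exe", b"MZ\x90\x00"),
    ("notes.pdf.exe", b"%PDF-1.4"),                       # double extension
    ("../../etc/passwd.pdf", b"%PDF-1.7\n"),              # path traversal in name
]

def check_samples(max_bytes=MAX_BYTES):
    return {name: validate_file(name, data, max_bytes) for name, data in SAMPLES}

if __name__ == "__main__":
    for name, (ok, why) in check_samples().items():
        print(f"{'ACCEPT' if ok else 'REJECT'} {name!r} -> {safe_filename(name)!r}: {why}")
```

Matching the leading bytes catches the common case of a binary renamed to an allowed extension; it is a gate, not a substitute for the scanning suite, since a valid PDF or image can still carry malicious content.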

Also see:


Consider privacy if you use social media

  • If your organisation uses social media platforms to interact with the public, consider privacy. Carefully evaluate privacy and security implications when collecting and holding personal information as part of a service.

 
Prioritise patching and maintaining online services

  • Have your organisation’s IT support give priority to applying patches for online services (including the maintenance of information-only web pages) and associated web servers. Delays in patching may create cyber security vulnerabilities for public users.

Also see:

Supporting documents and information

Page last modified: 2/10/2018