NZ government agencies require security awareness

The New Zealand government published the PSR Protective Security Requirements this week, a well-written, readable policy manual. 

Publishing the manual in an online format through a content management system is commendable, not least because it is so easy to browse, search and (presumably) maintain. The custom views for 4 primary audiences (senior managers, security practitioners, employees and service providers) addressing common questions etc. are cool. The site structure/navigation, formatting/presentation and writing style are clear. More diagrams and figures would have been welcome to supplement the somewhat tedious monochrome text but I have certainly seen worse! Overall, it's a nice bit of web design.

Personally, I would have preferred the PSR to have explicitly adopted the structure of ISO/IEC 27001 and 27002.  Although one might argue that the ISO27k structure is arbitrary, it is at least reasonably logical and familiar around the world, making it easier to compare and contrast the NZ approach with globally-accepted good information security practices.  NZ may be special but it is hardly unique! Unfortunately, NZ Government pays scant regard to ISO27k, in contrast to our colleagues across the ditch in Australia. An opportunity squandered.

Rather than attempt to review and comment further on the entire document, I'll give you a flavour of its strengths and weaknesses by delving deeper into the section on security awareness training, an area of particular interest for me.

The PSR awareness section starts out quite well: 

"Security awareness training is an important element of protective security. It supports physical, information (including information privacy) and personnel security measures, as well as informing staff of the security governance requirements within their organisation."

The PSR goes on to recommend that "Security education should:" [with my comments added]

• be ongoing [presumably meaning continuous/year-round, not sporadic/once-a-year or even less frequently]
  
  
• be provided to all staff [but not managers? Later text mentions that awareness should involve contractors and security-cleared people but fails to address the managers or professional explicitly, a significant oversight if it is interpreted to mean that it only applies to staff]
  
  
• be designed to promote a sense of personal responsibility for effective security, regardless of position, grade or level of access ['a sense of personal responsibility' hints at the security culture which is mentioned later, although I wish it had gone further still by promoting demonstrable improvements in behaviour rather than just changing attitudes or beliefs]
  
  
• help [to] counter threats through imparting a basic knowledge of security principles [there's more to information security than countering threats per se: reducing vulnerabilities and impacts are at least as important if not more so.  'Treat risks' might have been more accurate than 'counter threats'."

I'll ignore the apparent confusion between awareness, training and education which are, in reality, distinct approaches with differing aims and methods as explained so eloquently in NIST SP800-50. At one level, it's merely a semantic issue, a common one at that.

The suggested content for awareness programs is rather basic although there's nothing to stop 'agencies' (i.e. users of the PSR) elaborating on the final bullet point's "additional security briefings" and being far more creative in the types of awareness activity and materials. I heartily recommend taking a much broader perspective on information security, going well beyond the largely legal compliance matters specified. There's much more value to be gained from strong information security than simply avoiding legal/regulatory breaches and hence not embarrassing the minister, important though those objectives might be in the government context (as we know from "Yes, Minister"). I'll mention just a single example for now: business continuity. Having narrowly scraped through the Christchurch earthquakes, I would have expected the government to be crystal clear about the value of resilience and recovery arrangements for vital information, processes and systems, but perhaps this is covered elsewhere? As a consumer of NZ government services, and tax payer, I sincerely hope this is one area in which NZ leads the world, with the possible exceptions of Sendai in Japan, Banda Aceh in Indonesia, oh and California.

Rebecca Herold offers excellent advice on the design and coverage of awareness programs.

A curious emphasis on 'personnel security' (which in practice means compliance with health and safety obligations) in the second half of the awareness section makes me wonder if it might perhaps have been derived from a health and safety awareness policy donor/template, or by someone with experience in that particular field. To be clear, there are health and safety aspects to information security (e.g. protecting secure computer suites against fire, providing fire exits, securing safety-critical building, machinery and vehicle controls etc.), plus environmental protection, plus risk management, compliance, governance and so on - it is just one of many objectives or constraints. On this aspect, the PSR feels somewhat unbalanced to me.

PS  I'm a little confused about the relationship between the PSR and the NZISM (New Zealand Information Security Manual). Perhaps at some point those two documents might either be merged into one or at least properly cross-referenced/hyperlinked from the relevant places? Given the chance, I would also suggest publishing the NZISM in the same online format as the PSR, rather than as a 500-page (!) PDF document - so 20th Century!