Government security manual

An updated version of the New Zealand Information Security Manual (NZISM) - in effect the government's information security policy manual, or at least the public non-secret element - was released this month:

NZISM is painstakingly maintained and published by the Government Communications Security Bureau (GCSB) - our spooks in other words. It is a substantial tome, well over six hundred A4 pages split across two volumes.

Part 1 (365 pages) covers:
  • A brief introduction to the topic and the manual, in the NZ government context;
  • Governance arrangements including overall controls such as accountability and responsibility, and compliance through system certification and accreditation, audits and reviews;
  • Policies, plans, Standard Operating Procedures plus emergency and incident response procedures;
  • Change management;
  • Business continuity and Disaster Recovery management; 
  • Physical security;
  • Personnel security (including security awareness);
  • Infrastructure security (well, cabling and TEMPEST anyway);
  • Communications systems and devices (e.g. cellphones and wearables);
  • Product security (acquiring commercial goods and services);
  • Storage media (lifecycle management).

Part 2 (another 300 pages) covers:
  • Software security (e.g. hardened Standard Operating Environments, app and website whitelisting, software development);
  • Email security (mostly concerns classification marking, not crypto except TLS);
  • Access control (identification and authentication of IT users, privileges, VPNs, logging etc.);
  • Cryptography;
  • Network security;
  • Gateway security (essentially firewalls with special arrangements to isolate and control traffic between differently classified networks);
  • Data management including data transfers and databases;
  • Working off-site;
  • Enterprise systems security (mostly cloud in fact);
  • Supporting information including a glossary.

NZISM distinguishes mandatory from recommended policies using MUST or SHOULD respectively, in red, with the added complication that some are only mandatory on highly classified systems.

Here's part of the section on security awareness and training, illustrating the style:


Overall, it's an impressive piece of work, [information] risk-driven if rather IT-centric. Some cybersecurity issues (such as malware, VoIP and resilience) aren't immediately obvious but I haven't read all 600+ pages (yet!). 

Despite the scope section 1.1.2 stating:
"This manual is intended for use by New Zealand Government departments, agencies and organisations. Crown entities, local government and private sector organisations are also encouraged to use this manual."
it would take some effort to adapt/interpret and apply NZISM in private sector organizations that aren't engaged in government work, especially small organizations without the implied hierarchical structure, and multinationals. Applying other standards such as ISO27k may make more sense there, but the principle of adopting generally accepted good security practices or templates rather than starting from scratch is sensible and sound.

By the way, NZISM refers to the Protective Security Requirements in a few places. The PSR, in turn, seems to be an even broader framework spanning strategies to procedures including policies for "protecting our people, information and assets":


Picking nits here, people and information are assets, hence the tag line ought to end "and other assets". If I have enough time and energy after slogging through the NZISM, I'd like to check the PSR for this too. 

Coordinating updates between NZISM and PSR, plus laws and regulations, contracts with suppliers and internal agreements, and no doubt various other relevant requirements (not least, politics!), must be a tough job for those involved. As an NZ resident and taxpayer, I wish 'em all the best for 2018!