Information Assurance Standards & Best Practice
There are many documents in print and on the Internet claiming to be the last word in information security. However, the following is a list of some of the organisations and resources NZ government departments and agencies should consider when developing their IT requirements and architectures.
Government Communications Security Bureau
The GCSB maintains the NZ Information Security Manual (NZISM) publications. The GCSB also produces doctrine for the use of high-grade cryptographic systems, available to departments as required.
The Department of the Prime Minister and Cabinet (DPM&C)
The DPMC maintains the Government 'bible' on information security, “Security in Government Sector” (SIGS - pronounced “sig-ess”). SIGS is issued by the Prime Minister and defines the minimum information security requirements for all NZ Government departments, agencies and State Owned Enterprises. See http://www.dpmc.govt.nz/.
The State Services Commission (SSC)
The SSC maintains the http://www.security.govt.nz/ website, a gateway to online NZ government security resources. SSC also manages the standards for e-government and the S.E.E. systems and agencies. See http://www.e.govt.nz/.
Standards New Zealand (SNZ)
SNZ promulgates several New Zealand-specific standards as well as a host of joint Australian/New Zealand and international standards. AS/NZS17799 Information Security Management provides an overview of the types of factors that should be considered and included to protect information and information systems. NZS6656 Code of Practice for Implementation and Operation of a Trustworthy Computer System discusses security-related factors that should be considered in a computer operation (for instance, when outsourcing system management). HB231 describes the process of information security risk management, and NZMP6653 is a directory of national and international security standards. These standards and guides are available in hardcopy or electronic form to order or download; see the Standards New Zealand website http://www.standards.co.nz/.
The Internet Engineering Task Force (IETF)
The IETF working groups produce the Request for Comments (RFC) documents that define the protocols and operations of the Internet. The RFCs define security protocols such as SSL, S/MIME, IPSec, and SKIP, as well as PKI standards and gateway configuration guidelines. The RFCs are available from www.ietf.org/rfc.html.