Question

How does the NZISM apply to UNCLASSIFIED or IN-CONFIDENCE systems and information?

Answer

The NZISM states: "This manual does not specifically deal with UNCLASSIFIED or IN-CONFIDENCE information. In determining security measures agencies should however, conform with the guidance in this manual. Information classified SENSITIVE should be treated as RESTRICTED for the purposes of determining information security and information handling." (Chapter 1, CONTEXT, Scope).

The Controls element of each section specifies the applicability to relevant classifications for example, "System Classification(s): R, C, S, TS; Compliance: should". If the controls specified in the subsequent text the controls apply to RESTRICTED information they will also be relevant to UNCLASSIFIED and IN-CONFIDENCE systems. The exception is where a control applies only to CONFIDENTIAL, SECRET or TOP SECRET classifications, in which case the control is specific to the stated classifications.

Applicability for all classifications will be specified in the next version of the NZISM.

Example 1

"Contents of IRPs System Classification(s): R, C, S, TS; Compliance: must Agencies must include, as a minimum, the following content within their IRP:" (4.6 Incident Response Plans, page 42).

Explanation:

This applies to all classification levels, including UNCLASSIFIED and IN-CONFIDENCE.

Example 2

"Recording seal usage System Classification(s): TS; Compliance: must Agencies must record the usage of seals in a register that is appropriately secured" (8.5 Tamper Evident Seals, page 82).

Explanation:

This control applies ONLY to TOP SECRET systems.

Question

In the section on Approved Cryptographic Algorithms (Section 16.2) it talks about legacy systems. How do you define legacy systems?

Answer

In terms of Approved Cryptographic Algorithms, a legacy system is any existing application that employs encryption. Where a legacy system that does not employ encryption is reconfigured to use encryption, the system ceases to be a legacy system for the purposes of selecting encryption algorithms. Similarly any legacy system that has a version change or update/upgrade (hardware, software or firmware) ceases to be a legacy system for the purposes of selecting encryption algorithms.

Question

Who is responsible for the agency’s use of the NZISM?

Answer

The Chief Executive, Agency Head, Director General or similar title is responsible for information security within their own agency or organisation. The day-to-day activities are usually delegated to the CISO, ITSM and DSO (described in Section 3 – Cyber Security Governance).

Question

Who “owns” the various documents comprising national policy?

Answer

The References section of Section 1 - About Cyber Security provides a table of relevant documentation and the issuing authority or document “owner”.

Question

Why has the list of risks shown in previous versions of the Australian ISM been removed?

Answer

Essentially the list of risks became a publication in its own right and was unable to identify all risks for all organisations or agencies on an ongoing basis. The key elements of risk identification are:

• Each organisation has the responsibility for the management of risk within their own organisation or agency;
• There is no complete list of risks;
• Risk is time-bound and some risks will change over time;
• Risk interpretation will be tied to an organisation’s culture, structure, operations etc.;
• Risk mitigation may be resource-dependant (noting that the NZISM provides base-line controls and counter-measures for known risks and threats).

The information in and selection of controls by described in the NZISM should be considered as the minimum level or baseline controls, based on the GSCB’s assessment of risk in each area. While agencies may assess risk in an individual area as a “low” risk, applying controls that fall below the NZISM minimum standards will inevitably raise residual risk levels above acceptable levels (because controls are inadequate or insufficient).