Information assurance standards
When implementing IT infrastructure changes, the GCSB recommends consideration of information assurance standards.
The following are some of the organisations and resources New Zealand government departments and agencies should consider when developing their IT requirements and architectures.
The GCSB maintains the NZ Information Security Manual (NZISM) publications. The GCSB also produces doctrine for use of high-grade cryptographic systems, available to departments as required.
The NZISM is an integral part of the Protective Security Requirements (PSR) framework, which sets out the New Zealand Government's expectations for the management of personnel, information and physical security. The PSR framework superseded the SIGS and PSM documents in December 2014.
Standards New Zealand promulgates several New Zealand-specific standards as well as a host of joint Australian/New Zealand and international standards. These standards and guides are available in hardcopy or electronic form to order or download from Standards New Zealand.
AS/NZS17799 Information Security Management provides an overview of the types of factors that should be considered and included to protect information and information systems.
NZS6656 Code of Practice for Implementation and Operation of a Trustworthy Computer System discusses security-related factors that should be considered in a computer operation, for instance when outsourcing system management.
HB231 describes the process of information security risk management, and NZMP6653 is a directory of national and international security standards.
The Internet Engineering Task Force (IETF) working groups produce the Request For Comments (RFC) documents that define the protocols and operations of the Internet.
Security protocols such as SSL, S/MIME, IPSec, and SKIP are defined, as well as PKI standards and gateway configuration guidelines. The RFCs are available from www.ietf.org/rfc.html.
Australasian Information Security Evaluation Programme (AISEP)
New Zealand is a member of the Australasian Information Security Evaluation Programme (AISEP) and is represented on its Management Board by the GCSB.
The programme provides for impartial evaluation of information technology products against an internationally recognised standard, the Common Criteria for information technology security evaluation.
The results of these evaluations are certified by the Australian Signals Directorate (ASD), and are published in the ASD Evaluated Products List (EPL).
Evaluation Assurance Levels (EAL) and Mutual Recognition Arrangement (MRA)
The Mutual Recognition Arrangement (MRA) provides for the recognition of Common Criteria certifications, up to and including EAL4, among what are known as “certificate producing” and “certificate consuming” nations, and all products certified between EAL1 and EAL4 are published to the Common Criteria Portal Certified Products List.
There is no MRA for products certified between EAL5 and EAL7. For products certified at these assurance levels, look at the national EPLs listed above.
GCSB recognises all products certified up to EAL4 (including EAL4+, which incorporates Flaw Remediation) as per the MRA. However, for products certified EAL5 and higher, the GCSB recognises those produced by ASD under the AISEP scheme only. The GCSB is to be consulted for products certified by other schemes to EAL5 and higher.
GCSB Policy Position: Mobile Phone Devices
The use of unevaluated mobile phone devices precludes their use for information above UNCLASSIFIED.