- Posted February 28, 2024
- Media Releases
Updates
- The version 3.7 release of the NZISM comprises one policy change being an update to section 17.9 Key management, and editorial changes to the introductory content in sections 1.2 Applicability, authority, and compliance, and 2.1 Government engagement. There are also a small number of minor and editorial changes.
- These changes are driven by threats and risks identified through enquiries from agencies, our own research, information security policy gaps highlighted by changes in the way government agencies work, and changes to the international security frameworks and standards that the NZISM is based on. We also continue to engage with our Five Eyes partners and develop our policy and standards in line with theirs.
- Our new content on Bluetooth that we planned to release in v3.7 requires further work and consultation as we move it into a separate section that focusses solely on Bluetooth communication. It will now be published later this year.
Latest updates
The policy changes in this version are described below:
Change area | Key management (section 17.9) |
---|---|
Rationale | Section had not been revised in a few years. Opportunity to make section more accessible and easier to understand. |
Change description |
|
Expected outcome | Agencies have a clearer understanding of protecting cryptographic keying material through key management procedures. |
Change area | Applicability, authority, and compliance - GCISO (section 1.2) |
---|---|
Rationale | The GCISO role was established in 2018. In July 2022, the Public Service Commissioner formally appointed the GCISO as System Lead for Information Security. |
Change description |
The new content in section 1.2 outlines the role of the GCSIO under its new system lead mandate. |
Expected outcome | The GCISO mandate is introduced into the NZISM. The NZISM applies to the same agencies mandated under the Protective Security Requirements. |
Change area | Information security services within government (section 2.1) |
---|---|
Rationale | This section had not been updated in quite some time. The rapidly changing landscape of cyber security has seen changes in GCSB’s mission. NCSC has grown exponentially, and CERT NZ has also become part of the NCSC. |
Change description |
Originally this section gave a very brief description of the role of the GCSB and touched on other agencies. We have updated content on the GCSB, included information on the NCSC and provided information on System Leads such as GCISO, GCDO, GCDS, GCSL and GCPO. One control [199] has been changed from SHOULD to MUST: Security personnel MUST familiarise themselves with the information security roles and services provided by New Zealand Government organisations. |
Expected outcome | That this section provides an overview of the GCSB, NCSC and other government organisations providing information security advice to agencies. |