• Our Vision

    To be the trusted guardian of
    New Zealand's
    Information Assets


December 2017 New Zealand Information Security Manual

The New Zealand Information Security Manual (NZISM) has been updated to include new guidance on audit evidence, cable trays and clarification on emergency procedures.

The December 2017 NZISM v2.7 updates the previous edition NZISM v2.6 which was published in July 2017.

Changes include new paragraphs on Audit Evidence (Section 4.3); Cable Trays (Section 10.1); and updates to Emergency procedures (Section 5.7).  Extensive work has also been done in updating Section 23.2 Glossary of Terms, including new terms such as Accountable material and Codewords.  

A large number of supporting amendments and other minor and editorial updates have also been completed as points of clarification and to aid policy interpretation, as well as minor wording changes for the purposes of clarification.

All new materials and amendments are designed to simplify approaches while maintaining existing levels of governance and assurance. 

read more

2016-17 Unclassified Cyber Threat Report

NCSC 2016-17 Unclassified Cyber Threat Report

The National Cyber Security Centre has produced an unclassified cyber threat report for the 2016-17 reporting year. 

The report highlights achievements, including completing the roll out of our CORTEX cyber defensive capabilities, and identifies some of the key cyber threats impacting on New Zealand’s important systems and networks. 

It notes that advanced cyber threats have the potential to cause $640m harm annually to New Zealand’s organisations of national significance and that the operation of the NCSC’s cyber defence capabilities reduced harm by $39.47m in the 2016–17 year. 

The report also notes that the NCSC recorded 396 incidents for the 2016-17 year, an increase of 58 over the previous year. The increase reflects the evolving threat landscape and the NCSC’s increased capacity to detect and respond to threats. 

Given the NCSC’s primary focus on nationally significant organisations and cyber threats with the potential to have a high impact, these numbers reflect only a small proportion of the total cyber harm occurring in New Zealand.

read more

Security Vulnerabilities in Wi-Fi Protected Access II (WPA2)

The National Cyber Security Centre (NCSC) is aware of reports of security vulnerabilities in Wi-Fi Protected Access II (WPA2), this has been labelled as ‘KRACK attack’.  

The NCSC provides services to government agencies, critical infrastructure providers and organisations of national significance, to assist them to defend against cyber-borne threats.

The NCSC recommends our customers refer to the following US CERT advisory:

https://www.us-cert.gov/ncas/current-activity/2017/10/16/CERTCC-Reports-WPA2-Vulnerabilities

Members of the public and other organisations wanting further information can refer to guidance on the CERT NZ website:

https://www.cert.govt.nz/businesses-and-individuals/recent-threats/krack-attack-security-vulnerabilities-affecting-wifi-enabled-devices

read more

Reporting an Incident


If your organisation has encountered or suspects a cyber-security incident, please complete and return the Cyber Security Incident - Report Form. If you require assistance in dealing with the incident, please complete the Cyber Security Incident – Request for Assistance Form. If required, you can speak with us directly on (04) 498-7654.

Some Interesting Stats


338 cyber security incidents were recorded by the National Cyber Security Centre in the 12 months to 30 June 2016. This is an average of 28 incidents per month and represents a significant increase on the previous 12 months when there were 190 cyber security incidents. GCSB Director Andrew Hampton reviews the nature of the cyber threats to New Zealand in his address to the New Zealand Institute of International Affairs.

The Australian Signals Directorate (ASD) has updated its ‘Strategies to Mitigate Cyber Security Incidents’ guidance on prioritised security controls, expanding the ‘top four’ strategies to produce a new ‘essential eight’. The strategies are a list of practical actions that organisations can take to make their systems more secure. The eight essential strategies can be implemented as a baseline and the guidance can be tailored based on an organisation’s risk profile and the threats they face.

Security researchers believe the number of companies around the world experiencing ransomware events tripled between the first and third quarters of 2016. The American National Institute of Standards and Technology (NIST) has now published a “Guide for Cybersecurity Event Recovery” (NIST Special Publication 800-184) which offers guidance for developing, testing and improving recovery plans so organisations are ready when a cyber security event occurs.