Charting Your Course: Cyber Security Governance
The NCSC's Charting Your Course series of documents provides organisations with practical advice on enhancing cyber security governance. The steps outlined in Charting Your Course define the principles of a cyber security programme and help to focus engagement between senior leadership and security practitioners. The series consists of the following sections:
Introduction: Cyber security governance
Every organisation’s journey toward cyber resilience will be different. The steps set out in this series provide a general direction of travel to assist you on your cyber resilience journey.
Step One: Building a culture of cyber resilience
Organisations must develop a culture of cyber resilience. Everyone in the organisation should feel supported to make decisions that protect the confidentiality, integrity and availability of information assets.
Step Two: Establishing roles and responsibilities
Clearly defining an organisation’s cyber security roles and responsibilities, and establishing who is best suited to performing them, is an important step to achieving effective cyber security governance.
Step Three: Holistic risk management
Effective risk management is a core aspect of governance and must be embedded within an organisation's overall risk framework.
Step Four: Cyber security collaboration
Successfully translating a cyber security strategy and vision into action requires the wider organisation’s support. This can be achieved by establishing a committee and a working group with representation from key stakeholders across the business.
Step Five: Create a cyber security programme
A cyber security programme will help ensure any investment provides the best possible improvement in cyber resilience.
Step Six: Measuring resilience
The effectiveness of cyber security activity should be accurately measured and reported. Measurement and reporting provide the basis for continuous improvement.
It is important to use algorithms that adequately protect sensitive information, and the NZISM prescribes approved algorithms and protocols. Each algorithm is carefully assessed for longevity, resistance to attack, ease of use and resource consumption.
Agencies need to follow a security process when decommissioning and disposing of IT equipment and media that has been used for official, sensitive or security classified information. This process is outlined in the document Approved Secure Destruction Facilities - Guidance to Agencies.
The status of "approved facility" for the destruction of media and equipment may be granted by the Director-General GCSB under the NZISM. Approval depends upon the Director-General's satisfaction that the proposed facilities are capable of securely destroying IT equipment, devices and media to the standard required under the NZISM and related policies.
The process of obtaining approval is outlined in the document Approval of Secure Destruction Facilities - Information for Service Providers [PDF, 284.56 KB].
Top Four Mitigation Strategies to Protect Your IT System [PDF, 379.72 KB]
Top Four In A Linux Environment [PDF, 290.09 KB]
Restricting Administrative Privileges Explained [PDF, 269.00 KB]
Application Whitelisting Explained [PDF, 207.28 KB]
Assessing Security Vulnerabilities and Patches [PDF, 639.80 KB]
Bring Your Own Device (BYOD) [PDF, 212.72 KB]
Classified Document Handling [PDF, 280.89 KB]
Malicious Email Strategies [PDF, 1.07 MB]
Traffic Light Protocol [PDF, 353.94 KB]
The National Cyber Security Centre (NCSC) has prepared the following guidance to provide agencies with high-level information about lawful access to official data held in jurisdictions outside of New Zealand.
Understanding the different possible roles involved in cloud computing, their respective responsibilities, and how they interrelate will be helpful for organisations using cloud services.
A variety of cloud service models are available to Consumers, each entailing different types of service management operation, as well as differing levels of responsibility for security for the parties involved.
Weak information security (Infosec) policies and procedures, and inappropriate user access to networks and systems, have been identified as key risks for many government agencies. The National Cyber Security Centre (NCSC) has developed the following guidance to help agencies address these issues and improve their Infosec capability and maturity.