Guidance

Incident Management: Be Resilient, Be Prepared

This document sets out five key steps designed to help business leaders and cyber security professionals strengthen their organisation’s ability to manage cyber security incidents.

These first five steps are fundamental to establishing an incident management capability. They are the initial areas for an organisation to focus on when commencing this process. Taking these first steps will give the organisation a foundational ability to identify, respond to and recover from cyber security incidents.

This resource accompanies the NCSC’s advice on enhancing organisational cyber security governance.

Download Incident Management: Be Resilient, Be Prepared

Charting Your Course: Cyber Security Governance

The NCSC's Charting Your Course series of documents provides organisations with practical advice on enhancing cyber security governance. The steps outlined in Charting Your Course define the principles of a cyber security programme and help to focus engagement between senior leadership and security practitioners. The series consists of the following sections:

Introduction: Cyber security governance

Every organisation’s journey toward cyber resilience will be different. The steps set out in this series provide a general direction of travel to assist you on your cyber resilience journey.

Download Introduction

Step One: Building a culture of cyber resilience

Organisations must develop a culture of cyber resilience. Everyone in the organisation should feel supported to make decisions that protect the confidentiality, integrity and availability of information assets.

Download Step One

Step Two: Establishing roles and responsibilities

Clearly defining an organisation’s cyber security roles and responsibilities, and establishing who is best suited to performing them, is an important step to achieving effective cyber security governance.

Download Step Two

Step Three: Holistic risk management

Effective risk management is a core aspect of governance and must be embedded within an organisation's overall risk framework.

Download Step Three

Step Four: Cyber security collaboration

Successfully translating a cyber security strategy and vision into action requires the wider organisation’s support. This can be achieved by establishing a committee and a working group with representation from key stakeholders across the business.

Download Step Four

Step Five: Create a cyber security programme

A cyber security programme will help ensure any investment provides the best possible improvement in cyber resilience.

Download Step Five

Step Six: Measuring resilience

The effectiveness of cyber security activity should be accurately measured and reported. Measurement and reporting provide the basis for continuous improvement.

Download Step Six

This joint advisory, released in September 2020, is the result of a collaborative research effort by the cyber security authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States. It highlights technical approaches to uncovering malicious activity and includes mitigation steps based on best practices. The purpose of the report is to enhance incident response among partners and network administrators and to serve as a playbook for incident investigation.

The advisory is published on CISA's site.

Working Remotely: Advice for Organisations and Staff

This document has been compiled to help organisations think about the cyber security risks that arise when staff need to work from remote locations. We’ve provided a series of recommendations that can be used as a starting point in addressing these risks.

Download the NCSC's advice on working remotely

Working Remotely: Getting Started on Cloud Security

Cloud services are one of the few practical solutions available to meet the challenge of working remotely; however, moving to cloud services at pace creates risks. Managing these risks should be an organisation’s objective, so that short-term fixes don’t become long-term problems.

Download the NCSC's advice on cloud security

Working Remotely: Securing Microsoft Azure and Office 365

Microsoft Azure and Office 365 (O365) are cloud services used by many organisations to provide remote working solutions for staff. Some organisations already have a well-established O365 security posture, but for those required to stand it up in a hurry, this document provides straightforward starting guidance on securing the O365 environment.

Download the NCSC's advice on securing Microsoft Azure and Office 365

Zoom Security Advice from the GCISO

This paper sets out the Government Chief Information Security Officer’s advice to public servants on important security settings when using Zoom remote conferencing services for official New Zealand Government business, either within a public-sector organisation, or when collaborating with partner agencies.

Download advice from the GCISO on using Zoom

Principles for Secure Video, Voice, and Messaging Communications

There are a number of technology options for communicating that now include voice, group messaging, and video. While many of these technologies require specific measures to ensure they are used securely, some enduring principles can be used to help organisations make sound security decisions.

Download advice on secure video, voice, and messaging communications

Securing Amazon Web Services

This page contains guidance designed to help your organisation commence the process of securing cloud resources in Amazon Web Services (AWS).

Download advice on securing Amazon Web Services

It is important to use algorithms that adequately protect sensitive information, and the NZISM prescribes approved algorithms and protocols. Each algorithm is carefully assessed for longevity, resistance to attack, ease of use and resource consumption.

Approved Cryptographic Algorithms and Retiring Older Cryptographic Algorithms [PDF, 48.47 KB]

Agencies need to follow a security process when decommissioning and disposing of IT equipment and media that has been used for official, sensitive or security classified information. This process is outlined in the document Approved Secure Destruction Facilities - Guidance to Agencies.

Guidance-to-Agencies-ASDFs-15-Aug-version.pdf [PDF, 306.16 KB]

GCSB Approved Secure Destruction Facilities

The status of "approved facility" for the destruction of media and equipment may be granted by the Director-General GCSB under the NZISM. Approval depends upon the Director-General's satisfaction that the proposed facilities are capable of securely destroying IT equipment, devices and media to the standard required under the NZISM and related policies.

The process of obtaining approval is outlined in the document Approval of Secure Destruction Facilities - Information for Service Providers [PDF, 284.56 KB]

The National Cyber Security Centre (NCSC) has prepared the following guidance to provide agencies with high-level information about lawful access to official data held in jurisdictions outside of New Zealand.

Lawful Access FAQs

Understanding the different roles involved in cloud computing, their respective responsibilities, and how they interrelate will be helpful for organisations using cloud services.

Cloud Services: Who’s Who – Roles and Responsibilities

A variety of cloud service models are available to Consumers, each entailing different types of service management operation and differing levels of security responsibility for the parties involved.

Cloud Computing: Shared Responsibility Security Models

Weak information security (Infosec) policies and procedures, and inappropriate user access to networks and systems, have been identified as key risks for many government agencies. The National Cyber Security Centre (NCSC) has developed the following guidance to help agencies address these issues and improve their Infosec capability and maturity.

Improving information security: The importance of policy and procedures