Information security guidance

New Zealand organisations should consider the risk of third-party data breaches to their own cyber security. Where a data breach includes account information or user credentials, malicious cyber actors can leverage this information to conduct password attacks and targeted social engineering. If you suspect your organisation is affected by a third-party data breach, the NCSC recommends you consider the mitigations contained in this guidance to address the risks.

Download NCSC Guidance: Responding to Third-Party Data Breaches [PDF, 347 KB]

This NCSC Cyber Resilience Advice sets out considerations to assist New Zealand Government agencies in making risk-based decisions about the use of social media applications (apps) on government phones and other devices.

Download the NCSC's Cyber Resilience Advice [PDF, 243 KB]

Download a one-page discussion document for senior leaders [PDF, 168 KB]

This guide is for project managers working on ICT projects that need to meet New Zealand Government information security standards, regulations, and policies.

Information security guidance for project managers [PDF, 270 KB]

(July 2019) Understanding the different possible roles involved in cloud computing, their respective responsibilities, and how they interrelate, will be helpful for organisations using cloud services.

Cloud Services: Who’s Who – Roles and Responsibilities [PDF, 455 KB]

(July 2019) A variety of cloud service models are available to consumers, each entailing different types of service management operation, as well as differing levels of responsibility for security for the parties involved.

Cloud Computing: Shared Responsibility Security Models [PDF, 477 KB]

(November 2019) Weak information security (InfoSec) policies and procedures, and inappropriate user access to networks and systems, have been identified as key risks for many government agencies. The National Cyber Security Centre (NCSC) has developed the following guidance to help agencies address these issues and improve their Infosec capability and maturity.

Improving information security: The Importance of policy and procedures [PDF, 349 KB]

Working Remotely: Advice for Organisations and Staff

(March 2020) This document has been compiled to help organisations think about the cybersecurity risks that arise when staff need to work from remote locations. We’ve provided a series of recommendations that can be used as a starting point in addressing these risks.

Download the NCSC's advice on working remotely [PDF, 488 KB]

Working Remotely: Getting Started on Cloud Security

(March 2020) Cloud services are one of the few practical solutions available to meet the challenge of working remotely, however the movement to cloud services at pace creates risks. Managing these risks should be an organisation’s objective in order to ensure short-term fixes don’t become long-term problems.

Download the NCSC's advice on cloud security [PDF, 426 KB]

(April 2020) Microsoft Azure and Office 365 (O365) are cloud services used by many organisations providing remote working solutions for staff. Some organisations already have a well-established O365 security posture, but for those who are required to stand it up in a hurry, this document provides straightforward starting guidance to securing the O365 environment.

Download the NCSC's advice on securing Microsoft Azure and Office 365 [PDF, 180 KB]

(April 2020) This paper sets out the Government Chief Information Security Officer’s advice to public servants on important security settings when using Zoom remote conferencing services for official New Zealand Government business, either within a public-sector organisation, or when collaborating with partner agencies.

Download advice from the GCISO on using Zoom [PDF, 309 KB]

(May 2020) There are a number of technology options for communicating that now include voice, group messaging, and video. While many of these technologies require specific measures to ensure they are used securely, some enduring principles can be used to help organisations make sound security decisions.

Download advice on secure video, voice, and messaging communications [PDF, 637 KB]

(May 2020) This page contains guidance designed to help organisations begin the process of securing cloud resources in Amazon Web Services (AWS).

Download advice on securing Amazon Web Services [PDF, 481 KB]

Responding to third-party data breaches

Assessing the risks of social media applications on government mobile devices

Information security guidance for project managers

Cloud services: roles and responsibilities

Cloud computing: shared responsibility security models

Improving information security: the importance of policy and procedures

Working remotely: advice for organisations and staff

Working Remotely: Advice for Organisations and Staff

Working remotely: getting started on cloud security

Working Remotely: Getting Started on Cloud Security

Working remotely: Microsoft Azure

Zoom advice from the GCISO

Principles for secure communications

Securing Amazon Web Services