January 2022 New Zealand Information Security Manual v3.5 Release

The New Zealand Information Security Manual (NZISM)(external link) has released an update (v3.5), which includes updates to Chapter 2 – Information Security Services within Government, Chapter 3 – Roles & Responsibilities, Chapter 5 – Security Documentation, Chapter 13 – Media and IT Equipment Management, Decommissioning and Disposal and Chapter 17 – Cryptography:

Chapter 2 – Information Security Services within Government

  • Updated guidance for agencies using cloud services, including support for agencies producing cloud adoption strategies and recommendations on the adoption of cloud native security services and zero trust approaches.
  • Information related to agencies maintaining control over their systems and information has been lifted from the cryptographic section of the NZISM to the overarching Industry Engagement and Outsourcing advice, to reflect that the guidance relates to more than just control of cryptographic keys.
  • “Agency Control” has also been redescribed in clearer terms of being either “Direct” or “Indirect” as the previous wording was unclear that “Agency Control” was the desired outcome (regardless of being direct or indirect).
  • A new section has been included to provide information for agencies to assist preparations for the impacts of quantum computing on information security controls, specifically related to encryption. The main focus of the advice is that agencies should gather important information about their cryptographically protected assets and start planning for migration to post-quantum cryptographic standards.
  • An introduction to zero trust concepts and terminology has been included in the NZISM to increase awareness of zero trust approaches and enable the NZISM to more directly reflect zero trust in future releases.

Chapter 3 – Roles and Responsibilities

  • Clarified inconsistent advice about agency head delegation of the Accreditation Authority role to CISOs; CISOs being best placed to perform the role of Certification Authorities; and Accreditation Authority and Certification Authority not being held by the same position.

Section 5.9 – Vulnerability Disclosure Policy (VDP)

  • Agencies are now expected to implement a policy to accept and action system vulnerability reports from members of the public. The agency policy is expected to include the scope of the systems the policy applies to and the responsible disclosure of details once the vulnerabilities have been remediated.

Section 13.5 - Media and IT Equipment Destruction

  • Incineration is included as an option for the destruction of media. Guidance is provided on how to undertake this kind of activity in a responsible manner.

Chapter 17 - Cryptography

  • Updated to make agencies aware of the cryptographic implications of quantum computing and to prepare through focussing on using stronger encryption based on length of keys instead of migrating RSA based systems to ECC.
  • Updated the guidance around what is considered “legacy” use of cryptography, as distinct from legacy (i.e. outdated) systems and modernised terminology and references throughout.
  • Updated approved algorithms (RSA and ECC) in line with the changes to the Cryptographic Fundamentals guidance related to approved algorithms and appropriate key lengths.
  • Clarified that SHA-256 is approved for the protection of information classified IN CONFIDENCE or below (SHA-384 is still required for SENSITIVE/RESTRICTED and above).

Wording Changes

  • There are also a number of minor wording changes throughout the document, these amendments are designed to simplify language and to help with clarity and interpretation.

The January 2022 NZISM v3.5(external link) replaces the previous edition, NZISM v3.4.