September 2020 New Zealand Information Security Manual v3.4 Release

The New Zealand Information Security Manual (NZISM) has released an update (v3.4), which includes:

  • Chapter 16 – Access Control and Passwords. This chapter was reviewed in light of increased agency remote-working practices under COVID-19, and now contains two new sections that both collate and expand on existing controls under single headings:
    • Section 16.4 – Privileged Access Management (PAM); and
    • Section 16.7 – Multi-Factor Authentication (MFA).

  • Section 17.1 – Cryptographic Fundamentals. Additional content has been added and encryption standards updated.
  • Section 15.2 – Email Infrastructure. Updates made around Domain-based Message Authentication, Reporting & Conformance (DMARC).
  • International and NZ Government Standards referenced in several chapters, notably around Cloud and Identity, have been reviewed and updated to reflect the most current published versions.
  • The NZISM was reviewed in the context of Denial of Service (DDoS/RDoS) scenarios, though no changes were identified as needed at this time.
  • There are a number of minor wording changes throughout the document. These amendments are designed to simplify language and to help with clarity and interpretation.

The September 2020 NZISM v3.4 replaces the previous edition, NZISM v3.3, which was published in February 2020.