This year, the PSR annual self-assessment assurance process includes additional questions focused on INFOSEC, which are required in order to complete the assessment.
This document provides guidance on what good information security should look like, in response to the additional INFOSEC questions. This guidance is aligned with the NZISM and with recognised international information security frameworks. It also points agencies to their obligations under the Protective Security Requirements (PSR) framework.
New Zealand’s National Cyber Security Centre (NCSC) – a part of the Government Communications Security Bureau – has developed a nationwide understanding of the cyber security resilience of New Zealand’s NSOs. This report shares insight gathered from the first comprehensive cyber security survey of New Zealand’s NSOs.
It identifies four key focus areas in which New Zealand organisations could improve, and provides practical steps that organisations can take to strengthen their cyber security posture and resilience.
The rapid adoption of digital technologies and services, and the drive to increase efficiency, mean that the traditional hard separation between physical infrastructure and information technology environments is diminishing.
This leads to an increased risk that industrial control systems and infrastructure can become vulnerable to cyber threats.
To help address this risk, the National Cyber Security Centre (NCSC), in partnership with the New Zealand Control Systems Security Information Exchange (CSSIE), has developed the new Voluntary Cyber Security Standards for Control Systems Operators (VCSS-CSO).
This standard builds on the initial VCSS-CSO developed by industry and the NCSC in 2013.
China’s Cybersecurity Law aims to protect national security – the definition of which extends to maintaining territorial integrity, social and economic stability, and public order. It regulates how organisations and businesses should protect digital information, including whether and under what circumstances it can be transferred out of mainland China, and introduces measures aimed at safeguarding internet systems, products and services against cyber-attacks.
It’s important that you understand how the law’s requirements may relate to you. This information sheet provides general information and does not constitute legal advice. You may wish to seek expert advice specific to your circumstances.
ICT Security and Related Services Panel (SRS Panel)
The Security and Related Services Panel is a group of industry experts contracted to provide government agencies with ICT services and advice on a range of security and privacy practices. The Panel helps government agencies manage privacy and security issues effectively.
CERT NZ provides a central point for all New Zealanders to seek advice and report cyber incidents.
While CERT NZ has a primary responsibility for cyber threat reporting, and a coordination role in threat response, NCSC takes the lead in the response to significant cyber events — particularly those which may impact on national security, and our nationally significant systems and information.
The ORB has been developed by Netsafe to offer all New Zealanders a simple and secure way to report their concerns about online incidents.
In some situations your Internet Service Provider may also be able to offer guidance.
The Internet Storm Center is a program within the SANS Technology Institute, a branch of the SANS Institute. It monitors the level of malicious activity on the Internet, particularly with regard to large-scale infrastructure events.
The CERT Coordination Center is part of the Software Engineering Institute, which is based at Carnegie Mellon University, USA.
Netsafe is an independent not-for-profit New Zealand organisation focused on online safety. It provides online safety help, support, expertise and education to people in New Zealand.
Connect Smart contains advice for home users, businesses and schools, to help New Zealanders protect themselves and their businesses online. Connect Smart is led by the government's National Cyber Policy Office (NCPO), part of the Department of the Prime Minister and Cabinet, in partnership with a range of government agencies, non-government organisations, and the private sector.
The Department of Internal Affairs is responsible for investigating complaints about unsolicited commercial electronic messages, commonly referred to as spam.
It is important to note these are supplementary references and resources to assist agencies in having a more complete understanding of the context of the controls specified in the NZISM.
The Cloud Security Alliance (CSA) provides a number of resources on cloud security and cloud management – https://cloudsecurityalliance.org/
CSA also publishes the Cloud Controls Matrix (CCM), now at version 3.0.1 (December 2018 update) – https://cloudsecurityalliance.org/working-groups/cloud-controls-matrix/#_overview
Cloud Computing Threats Report - https://cloudsecurityalliance.org/download/artifacts/top-threats-to-cloud-computing-egregious-eleven/
The Center for Internet Security (CIS) publishes the CIS Controls, a set of 20 important cybersecurity recommendations. Now in version 7.0 (April 2019), the CIS Controls are a prioritised set of actions any organisation can follow to help improve its cybersecurity posture – see: https://www.cisecurity.org/blog/cis-controls-version-7-whats-old-whats-new/ The Controls can be downloaded as an Excel or .pdf file.
Beazley: 2019 Breach Briefing
Symantec: Cloud Security Threat Report 2019 https://www.symantec.com/security-center/cloud-security-threat-report
Sophos Whitepapers: Securing the public cloud: Seven Best Practices https://www.sophos.com/en-us/security-news-trends/whitepapers.aspx
Digital Shadows reports
Digital Risk: The C-Suite's Critical Missing Part of Overall Risk
A Practical Guide to Reducing Digital Risk: Tools and Approaches for Security, Intelligence, and Fraud Teams
GitHub - an open source information security hub providing tools, techniques and reference material.