February 2024 New Zealand Information Security Manual v3.7 Release

Updates

  1. The version 3.7 release of the NZISM comprises one policy change being an update to section 17.9 Key management, and editorial changes to the introductory content in sections 1.2 Applicability, authority, and compliance, and 2.1 Government engagement. There are also a small number of minor and editorial changes.

  2. These changes are driven by threats and risks identified through enquiries from agencies, our own research, information security policy gaps highlighted by changes in the way government agencies work, and changes to the international security frameworks and standards that the NZISM is based on. We also continue to engage with our Five Eyes partners and develop our policy and standards in line with theirs.

  3. Our new content on Bluetooth that we planned to release in v3.7 requires further work and consultation as we move it into a separate section that focusses solely on Bluetooth communication. It will now be published later this year.

Latest updates

The policy changes in this version are described below:

Change area: Key management (section 17.9)
Rationale: The section had not been revised in a few years. This was an opportunity to make it more accessible and easier to understand.
Change description:
  • New content, including diagrams, was added to make key management concepts easier to understand. The revised content has been tailored to better reflect current key management operating practices, including cloud.
  • One control has been deleted [CID 3016].
  • One new control has been added, and one control has been amended.
Expected outcome: Agencies have a clearer understanding of how to protect cryptographic keying material through key management procedures.


Change area: Applicability, authority, and compliance - GCISO (section 1.2)
Rationale: The GCISO role was established in 2018. In July 2022, the Public Service Commissioner formally appointed the GCISO as System Lead for Information Security.
Change description:

The new content in section 1.2 outlines the role of the GCISO under its new system lead mandate.

Expected outcome: The GCISO mandate is introduced into the NZISM. The NZISM applies to the same agencies mandated under the Protective Security Requirements.


Change area: Information security services within government (section 2.1)
Rationale: This section had not been updated in quite some time. The rapidly changing cyber security landscape has brought changes to the GCSB's mission. The NCSC has grown substantially, and CERT NZ has also become part of the NCSC.
Change description:

Originally this section gave a very brief description of the role of the GCSB and touched on other agencies. We have updated the content on the GCSB, included information on the NCSC, and provided information on System Leads such as the GCISO, GCDO, GCDS, GCSL and GCPO.

One control [199] has been changed from SHOULD to MUST: Security personnel MUST familiarise themselves with the information security roles and services provided by New Zealand Government organisations.

Expected outcome: This section now provides an overview of the GCSB, the NCSC and other government organisations that provide information security advice to agencies.