Thread: NZ Information Security Manual

Relevant to the new Firearms Registry.
It is intended that the registry should meet this standard.
Here is a link to the 364 page 5MB pdf document:

https://www.nzism.gcsb.govt.nz/ism-document/

I'm considering doing an oia request to find out what security classification the registry will be

It should be "SENSITIVE".

Definition:
Compromise would likely cause harm to organisations, damage the interests of New Zealand, or endanger the safety or wellbeing of its citizens.

This is from the classification guidance at https://www.protectivesecurity.govt....w-to-classify/

An outline of the required handling of such information is:
SENSITIVE information should not generally be stored on systems accessible from the public Internet and must:

not be transmitted via email
use GCSB-encrypted access
when working off-site, use encryption on mobile devices communicating over public infrastructure, the Internet or non-agency-controlled networks
use RealMe login authentication.

source: https://www.digital.govt.nz/standard...y-information/

Originally Posted by Bagheera

An outline of the required handling of such information is:
SENSITIVE information should not generally be stored on systems accessible from the public Internet and must:

not be transmitted via email
use GCSB-encrypted access
when working off-site, use encryption on mobile devices communicating over public infrastructure, the Internet or non-agency-controlled networks
use RealMe login authentication.

source: https://www.digital.govt.nz/standard...y-information/

They could debate the finer points between IN-CONFIDENCE and SENSITIVE.

I also hate to tell you this, but some the information on that site is incorrect (and bad). For example email can be used for information up to RESTRICTED, this is what Seemail is for. There is no such thing as "GCSB-encrypted", GCSB encrypt jack shit for other organisations. And encryption is used on almost everything, and nobody in their right mind would use RealMe in the way they prescribe.

If you are looking at NZISM as a path to say the registry cannot exist (or be on the internet) you are barking up the wrong tree. I give you this advice as a person who works in this space.

Originally Posted by vulcannz

They could debate the finer points between IN-CONFIDENCE and SENSITIVE.

I also hate to tell you this, but some the information on that site is incorrect (and bad). For example email can be used for information up to RESTRICTED, this is what Seemail is for. There is no such thing as "GCSB-encrypted", GCSB encrypt jack shit for other organisations. And encryption is used on almost everything, and nobody in their right mind would use RealMe in the way they prescribe.

If you are looking at NZISM as a path to say the registry cannot exist (or be on the internet) you are barking up the wrong tree. I give you this advice as a person who works in this space.

Wot you said

Thanks @vulcannz.
I was hoping you'd educate us on this.
Too good to be true, eh ?

Happy to share, that stuff on digital.govt.nz is annoying. It creates great confusion.

Question I have, is who writes that manual if no Govt department is required to follow it? There isn't any way that you can keep the data that they are wanting to record secure in that format, been proven multiple times around the planet.

Originally Posted by No.3

Question I have, is who writes that manual if no Govt department is required to follow it? There isn't any way that you can keep the data that they are wanting to record secure in that format, been proven multiple times around the planet.

NZISM is released by the GCSB. Government departments use it as a standard, and will typically audit themselves against it annually. It is entirely possible to secure such a system.

Originally Posted by vulcannz

It is entirely possible to secure such a system.

Yes agreed, with the correct design, engineering, resourcing and staffing. Which is where they always fail...