A unified set of policies and procedures for ICT security in government agencies will be finalised shortly – though the man responsible for its development will not pin himself down to a firm date.
There is no coherent apparatus for assessing that agencies have complied with the policy, and no clear picture of whose responsibility such compliance vetting might be.
The NZSIT 400 standard is being developed within the Government Communications Security Bureau (GCSB). There are standards in place at present, says the man in charge, Grant Streeter, but standards for different kinds of information have to date been in different documents.
NZSIT 400 will give agencies a single source for all guidelines. The document will eventually run to more than 200 pages.
Streeter says he has given deadlines for its completion before, “But every time I do that, it seems the Australians produce something new and I have to consider more changes to our standard.”
The New Zealand standard has much in common with the Australian ACSI-33 standard and the two will probably move closer to commonality in future, says Streeter, something he says is a logical development given the considerable co-operation between the two countries’ governments and public services.
“But the Australians have some different ends in mind and different means of achieving those ends,” so the two are unlikely ever to be identical.
NZSIT 400 is designed to be “a living document”, Streeter says, with updates provisionally scheduled for every quarter after the initial release. The Blackberry and similar advanced personal digital assistants with ever-increasing storage size are the bane of any organisation’s security policy, he says.
Similarly, digital storage in office equipment such as fax machines and photocopiers has been growing. Such machines typically spool a document image to an internal hard disk for convenience in generating multiple copies, and that image can remain on the disk, recoverable by anyone with access to the machine, unless there is a policy to say how and when it must be wiped.
The new security manual will also cover standards of encryption for information of different confidentiality classifications, and procedures for encrypting and decrypting. A separate standards document, NZSIT-401, will deal with additional procedures for information of secrecy classifications of “confidential” and above, but this document will itself be confidential.
As for who will audit compliance with the standard, this is still uncertain, says Streeter. It is unlikely to be the Audit Office, which normally has the job of monitoring good practice in government agencies. Sources suggest the vetting may have to go as high as the Department of Prime Minister and Cabinet, where it could lie with the Officials Committee for Domestic and External Security Coordination (ODESC).
“There is no definite mechanism prescribed at present,” says Streeter, but the matter will not be ignored. “There will be consequences for senior executives who fail to comply.”
The Australian federal government has an established programme known as I-RAP (Infosec-Registered Assessor Program) for training and certifying security auditors to vet projects for ACSI-33 compliance. I-RAP is administered by the Defence Signals Directorate.