1. About information security

1.1. Understanding and using this Manual

Objective

1.1.1. The New Zealand Information Security Manual details processes and controls essential for the protection of all New Zealand Government information and systems. Controls and processes representing good practice are also provided to enhance the baseline controls. Baseline controls are minimum acceptable levels of controls and are often described as “systems hygiene”.

Context

Scope

1.1.2. This manual is intended for use by New Zealand Government departments, agencies and organisations. Crown entities, local government and private sector organisations are also encouraged to use this manual.

1.1.3. This section provides information on how to interpret the content and the layout of content within this manual.

1.1.4. Information that is Official Information or protectively marked UNCLASSIFIED, IN-CONFIDENCE, SENSITIVE or RESTRICTED is subject to a single set of controls in this NZISM. These are essential or minimum acceptable levels of controls (baseline controls) and have been consolidated into a single set for simplicity, effectiveness and efficiency.

1.1.5. All baseline controls apply to all government systems, related services and information. In addition, information classified CONFIDENTIAL, SECRET or TOP SECRET has further controls specified in this NZISM.

1.1.6. Where the category “All Classifications” is used to define the scope of rationale and controls in the Manual, it includes any information that is Official Information, UNCLASSIFIED, IN-CONFIDENCE, SENSITIVE, RESTRICTED, CONFIDENTIAL, SECRET, TOP SECRET, or that carries any endorsements, releasability markings or other qualifications appended to these categories and classifications.

The purpose of this Manual

1.1.7. The purpose of this manual is to provide a set of essential or baseline controls and additional good and recommended practice controls for use by government agencies. The use or non-use of good practice controls MUST be based on an agency’s assessment and determination of residual risk related to information security.

1.1.8. This manual is updated regularly. It is therefore important that agencies ensure that they are using the latest version of this Manual.

Target audience

1.1.9. The target audience for this manual is primarily security personnel and practitioners within, or contracted to, an agency. This includes, but is not limited to: security executives; security and information assurance practitioners; IT Security Managers; Departmental Security Officers; and service providers.

Structure of this Manual

1.1.10. This manual seeks to present information in a consistent manner. There are a number of headings within each section, described below.

Objective – the desired outcome when controls within a section are implemented.
Context – the scope, applicability and any exceptions for a section.
References – references to external sources of information that can assist in the interpretation or implementation of controls.
Rationale & Controls
Rationale – the reasoning behind controls and compliance requirements.
Control – risk reduction measures with associated compliance requirements.

1.1.11. This section provides a summary of key structural elements of this manual. The detail of processes and controls is provided in subsequent chapters. It is important that reference is made to the detailed processes and controls in order to fully understand key risks and appropriate mitigations.

The New Zealand Government Security Classification System

1.1.12. The requirements for classification of government documents and information are based on the Cabinet Committee Minute EXG (00) M 20/7 and CAB (00) M42/4G(4). The Protective Security Requirements (PSR) INFOSEC2 require agencies to use the NZ Government Security Classification System and the NZISM for the classification, protective marking and handling of information assets. For more information on classification, protective marking and handling instructions, refer to the Protective Security Requirements, NZ Government Security Classification System.

Key definitions

Accreditation Authority

Version_3.5__January-2022