As we head into the holiday season – that season of poorly timed RFPs – some government agency will trot out these dreaded words again: “Must comply with the NZISM”.
If you are not familiar with it (lucky you), the NZISM is the New Zealand Information Security Manual – a document which describes how government agencies should manage information security. Maintained by the GCSB, it is mandatory for the core ministries and departments and recommended for the rest of the public sector.
To the uninitiated, seeing “Must comply with the NZISM” in a government tender might seem straightforward. Government agencies must comply with it, so shouldn’t their vendors? Well, it isn’t that simple (I’ll let you into a secret – it rarely is with cybersecurity). Here are a few reasons why:
- The NZISM is designed for agencies. Much of it is irrelevant or just makes no sense for suppliers. For example, it contains lots of requirements on how agencies should run security governance that just aren’t necessary for the private sector.
- There are lots of requirements that could apply to a particular system, but lots that might not. How is a vendor to know whether particular requirements matter in this RFP? Does the agency really care about cable colour? Or can the vendor safely ignore that requirement?
- The NZISM requires agencies to make a bunch of choices, create policies and choose positions. How is a vendor going to know what an agency has chosen? For example, agencies need to create a privileged access management policy, and manage all privileged accounts in accordance with that policy. From reading the NZISM, vendors can’t know what that policy is or what they need to do.
- There are 1200 requirements that apply to all systems. How long would it take a vendor to demonstrate compliance with all of them? And how long will it take an agency to evaluate them? Is that the best use of everyone’s time?
My experience is that agencies put that phrase in their tender documents because they don’t know what else to do. Non-security people think that they have to comply with the NZISM, but don’t know what that means. They struggle to get someone who can help them… and so this is the best they can come up with. And, let’s face it, no one in the project team cares about security – they are just desperately trying to get this work done on time. So they think, “let’s put those words in to tick the box, and we will sort it out later.” And then vendors do the mirror image: “We don’t know what this means, we don’t have the time to read it all and then decide what we do and don’t comply with, and we know that no one will actually ever check, so let’s just say that we comply.”
This is all a colossal waste of time and does nothing to improve anyone’s security.
But it’s not all futile. If you are writing an RFP, you can use the NZISM in a sensible way. Here’s what I suggest: decide which security controls are really important (or fundamental) to you. Keep that list focused. Then just list them, saying which NZISM requirements apply. It’s simple, it’s straightforward, and it can tick the “NZISM” box if that’s important too.
Here are a couple of examples:
- Encryption of data at rest. Ensure that data at rest is encrypted in accordance with the guidance in section 17.2 of the NZISM.
- Event logging. Ensure that system events are logged in accordance with the guidance in section 16.6 of the NZISM. Specifically, the events that are logged should comply with requirements 16.6.10.C.01 and 16.6.10.C.02, the information logged for each event should comply with requirement 16.6.11.C.01, and logs should be protected in accordance with 16.6.12.C.01.
This isn’t that hard. You will need a little bit of security help, but not too much. It’s more useful to vendors, easier for teams to evaluate, and easier to test later on. And it will get you better security than just asking a vendor to comply with the NZISM.
So, can we please retire that phrase forever?
And if you need help putting some sensible requirements into that RFP, please get in touch!