Security policy and guidance for the New Zealand government is led by the Government Chief Information Security Officer and provided by a range of specialist organisations. Specialist guidance from these government organisations that is relevant to remote working is highlighted here.

Cyber security for offsite working

When staff work from remote locations and use cloud services to support this, there are new cyber security risks that must be assessed and managed. The National Cyber Security Centre (NCSC) has information to help organisations think about these. They have provided a series of guidance documents that can be used as a starting point in addressing these risks.

Working from home and cloud security — NCSC 

Assess the risk of every cloud-based service

Cloud services and applications offer great benefits to organisations, and the New Zealand government has a Cloud-First policy in place.

The need to maintain a productive and operational workforce needs to be weighed against security risks. Before a cloud-based service or application is adopted, organisations must consider the business context and complete a risk assessment. This is particularly important if cloud services will be used for private information or information that is classified as sensitive or restricted, for example, budget information. 

Cloud services often include online security tutorials, benchmarks and security scoring systems to guide good security decisions. Use them, and seek to implement robust security settings wherever possible.

• Risk assessment of cloud services — DIA Digital Public Services Branch 
• Working remotely: Getting started on cloud security — NCSC

Physical and information security

Working from home, in the field, from hotels or conference venues, visiting client offices, and working while on public transport are just a few ways that people work remotely, using portable devices. Loss or theft of devices or information, confidentiality and malware are some of the new risks to consider.

Protective Security Requirements (PSR) outlines the government’s expectations for managing personnel, physical and information security. 

The PSR website has guidance on:

• assessing risks as part of approving remote working and
• reducing risks when working off site using portable devices.

Mobile and remote working — PSR

Device security

Portable devices, such as laptops and mobile phones, make remote working possible, but they come with their own security considerations.

The ‘Devices for remote working’ page has more information about:

• plans to manage portable devices
• use of personal devices
• supplying devices and hardware
• managing devices, updates and patches
• limiting access to devices
• people and device security.

Devices for remote working

Making it work for people will boost security

If it’s not easy for people to do their work remotely, they may be less likely to follow the security procedures and requirements. For example, a person may have trouble joining a video conference on their work laptop, so they may use their personal phone instead. This creates information and cybersecurity risks.

A user-centred approach can help find solutions that will meet the needs of an organisation as well as workers. The solution is often not just about finding the right technology. For example, the solution could extend to boosting workers’ technical literacy and skills, providing technical support over extended hours, and ensuring that people know their responsibilities for working securely.

Active monitoring and incident management is an important defence

Organisations are required to ensure that your information security remains fit for purpose by monitoring for security events and responding to them, keeping up to date with evolving threats and vulnerabilities, and maintaining appropriate access to information.

As remote working becomes more common, it’s even more important for organisations to have good, wide-spread monitoring of their network and systems for remote working. Logs support monitoring and are a key part of understanding how an incident occurred and when it started. With that information, you can resolve incidents quicker, and get back to business as usual. To support monitoring, organisations can also configure and automate alerts to notify when key events happen.

Centralised logging — CERT NZ

An incident response and management plan outlines how an organisation will detect, respond to, and recover from a security incident. A multi-disciplinary team that meets regularly, even daily or hourly if needed, can help streamline incident assessment and recovery.

Incident management: Be resilient, be prepared — NCSC

Managing incidents remotely

It pays to think ahead about how the incident team might meet virtually if meeting in person is not possible. Will the incident management plan work if the security team, communications team, system administrators, and affected worker with a compromised device are all working remotely?

Assess risks regularly and put enough resources into assurance

During COVID-19, the rapid pace of adaption and change meant that a deeply pragmatic approach was required. Agencies may have raised their tolerance for some risks, so the work of public service staff could continue during the pandemic response.

‘Eight months in six weeks’ became the agenda and the timeframe as we accelerated the delivery of a digital workplace.

Security leaders highlight that agencies must now go back and review their security settings to assure they’re fit for current purposes.

Moving forward, organisations will increasingly rely on digital channels and networks. Remote working may also increase. New risks or issues may emerge as a result, or the consequences of known digital risks will be greater. Cyber security incidents and information and privacy breeches all undermine the social licence for a digitally enabled public service. It’s important that roles and responsibilities for risk management are clear, and resourcing levels to mitigate those risks are adequate.

Zero trust architecture has benefits for remote working

Zero trust is a type of architecture that assumes no trust of an individual, device or network. Trust is continuously earned based on factors, such as identity, context and activity. The system adapts in real time, and grants or restricts access. It offers significant benefits in terms of mobility, resilience and security.

Some government organisations have used zero trust architecture as a basis for their infrastructure. Implementing zero trust architecture, though, can be a significant technical and infrastructural shift in the way an organisation is designed, which can present challenges for adoption.

Some ways that organisations can make some shifts are to:

• factor zero trust principles into the organisation’s digital roadmap
• ask the supplier if they’re zero trust ready when investing in an IT solution
• talk to current suppliers or internal teams about how they might start adopting a zero trust philosophy.

Find out more about zero trust architecture:

• Zero trust principles — beta release — National Cyber Security Centre UK
• Zero trust Cybersecurity: ‘Never Trust, Always Verify’ — National Institute of Standards and Technology USA

Ready for remote following an incident

A key insight from COVID-19 is that agencies that had already implemented security systems,  and practices and protocols to allow staff to work securely from home or while travelling for work (for instance, hard drive encryption on laptops and two-factor authentication on devices), could be more confident in their ability to manage security risks for remote workers when physical distancing requirements were in place.

Other agencies had to adapt much more and establish new or reconfigured security protocols and settings to reduce cyber and information security risks for these staff.

For most organisations, secure communication, document and data sharing, new cloud services, and people’s behaviours and the environment’s and places they were working from, were new risks to assess and manage.

Given the new cybersecurity and information risks that emerged from the rapid shift to remote working, security agencies advise that agencies should review and refresh their cybersecurity settings and policies to ensure they’re fit for off-site, cloud-enabled operations.

Specialist help is available

Telecommunications as a Service (TaaS) makes it easier for government organisations to easily and securely connect with each other and their customers. The development of TaaS was based on the current trends of increasingly mobile workers, cloud-based applications and the use of a wide range of devices.

Marketplace facilitates the New Zealand government's procurement process by linking businesses that offer services and sell products with government agencies that wish to buy them. Marketplace includes Information Security Professional Services.

The ICT Security and Related Services Panel (SRS Panel) are a group of industry experts contracted to provide government organisations with ICT services and advice on a range of security and privacy practices. It is active until October 2021. From that date the Panel will be superseded by Pae Hokohoko Marketplace.

• TaaS providers
• Pae Hokohoko Marketplace
• ICT Security and Related Services Panel

More information

• Charting Your Course: Cyber Security Governance — NCSC 
• Current cyber security threats in New Zealand and what to do about them — CERT NZ
• New Zealand Information Security Manual (NZISM)
• Information security — PSR
• Physical security — PSR
• The role of the Government Chief Information Security Officer — Government Communications Security Bureau