Welcome to the SecAware blog

I spy with my beady eye ...

8 Apr 2017

NBlog April 7 - NZISM

I spent the whole day slogging through the New Zealand Information Security Manual (NZISM), a typical government infosec policy: detailed, lengthy (over 600 pages!), explicit and frankly rather tedious and boring. Although we used to sell a similar type of policy manual based on ISO/IEC 27002 ("just" 100 pages though!), we've since changed over to a more reader-friendly suite of individual policies covering a range of information risk, security, privacy and related topics. Each of our policies includes a short background section explaining why it is needed, the idea being to inform and convince the reader that it is in their interest as well as the organization's for everyone to comply. Topic-based policies are easier to manage, too, since nobody is expected to slog their way through hundreds of pages: most are less than 5 pages, of which the actual policy statements are just a couple of sentences plus a page or so of supporting statements explaining how the policy is to be interpreted and applied in practice.

Most of the day involved incorporating NZISM terms and definitions from the embedded glossary into the NoticeBored information risk and security glossary - a repetitive process, formally quoting and citing each definition and thinking about how it relates to others, including terms defined in ISO/IEC 27000 and other standards. 

Most definitions are similar but not identical: figuring out whether the differences are material or merely different ways to express the same thing in the specific context of the NZISM requires concentration, especially as most definitions involve specialist terms that are defined elsewhere. [We make it easier for readers of our glossary by hyperlinking specialist terms in the definitions to their own explicit definitions - an approach that the NZ government might usefully adopt ... please!]

An example of the language issue is the term "exception". NZISM defines "exception" as:
"The formal acknowledgement that a requirement of the NZISM cannot be met and that a dispensation from the particular compliance requirement is granted by the Accreditation Authority. This exception is valid for the term of the Accreditation Certificate or some lesser time as determined by the Accreditation Authority."
The "Accreditation Authority" there refers to the formalized process of assessing and confirming compliance with NZISM and other applicable rules/laws/regulations and requirements (e.g. contractual obligations to third parties). [Technically, that process is more properly termed "certification", which the assessing and certifying party is separately accredited by an authority to do - but in the government/defense realm the process is commonly known as "accreditation".] 

The NB glossary defines "exception" as an unauthorized discrepancy between practice and policy, whereas an authorized discrepancy is called an "exemption" i.e. a management-approved relaxation of the rules for a legitimate business reason, often accompanied by the imposition of compensating controls. 

The NZISM doesn't define "exemption" but defines "waiver" as:
"The formal acknowledgement that a particular compliance requirement of the NZISM cannot currently be met and that a waiver is granted by the Accreditation Authority on the basis that full compliance with the NZISM is achieved or compensating controls are implemented within a time specified by the Accreditation Authority. Waivers are valid in the short term only and full accreditation cannot be granted until all conditions of the waiver have been met."
To push the point all the way home, the NZISM glossary includes a further entry on "Exceptions and Waivers":
"An exception is NOT the same as a waiver. An exception means that the requirement need not be followed. A waiver means that some alternative controls or conditions are implemented."
... and yet another on "Waivers and Exceptions": 
"A waiver means that some alternative controls or conditions are implemented. An exception means that the requirement need not be followed. An exception is NOT the same as a waiver."
OK, got it! Those are not really definitions as such but further explanations/caveats, presumbly included because users are confused over the terminology (gosh, what a surprise!). 

As far as I can tell, NZISM doesn't have an explicitly-defined equivalent to our "exception" (an unauthorized non-compliance), so I guess they call that a noncompliance, incident or something. Or perhaps they don't have any ...

The convoluted nature of the process explains why it took a whole day to consider and reference most of the ~150 NZISM definitions in the NB glossary, taking it up to 300 pages and ~1,800 hyperlinked definitions. It is a living document, updated every month to reflect the living language. We're always on the lookout for new infosec-related terms and evolving definitions - all part of the fun.


No comments:

Post a Comment