Information Security Roadmap Initiatives

Identity and manage assets, risks and environments

I.1 Knowing our business v0

The Ministry has a clear understanding of how its business operates and the context it operates in and this flows down into the data we collect, the assets we protect, our understanding of risks to our clients and business and what our roles and responsibilities are to the people of New Zealand. Includes:

• Documenting critical business processes including dependencies on systems, sites and external partners
• ICT and Organisational Resilience requirements are understood
• Critical systems and processes are identified

The Ministry’s objectives are fed into all IT initiatives

I.2 Risk management v0

The Ministry reviews and understands the risks of the environment its operating in and actively assesses and responds to the changes in security risks.

The Ministry understands and manages its security risks. Security risks are fed into operational decisions and prioritisation.  

This horizon includes embedding Assurance Framework (INF-108)

I.3 IT Asset Inventory and Lifecycle v0

The Ministry knows and automatically tracks the state of all its technology so that we can be sure that we use our assets responsibly and ensure that our assets are ready and have appropriate protection to hold our client’s information and ensure its is available for staff and clients.

• Inventory of servers, applications, user devices
• Auto discovery of assets
• Cloud and external systems inventory
• Classification of technology assets based on classification, criticality and value
• Cyber security roles clarified for staff and 3rd parties

I.4 Knowing our business v1

Ongoing improvements to improve understanding and knowing our business

• The organization’s role in the supply chain is identified and communicated
• The organization’s place in critical infrastructure and its industry sector is identified and communicated

I.5 Risk Management v1

Further improvements including Threat Intelligence and Threat Information Sharing.

I.6 Risk Management v3

Further improvements in risk management include:

• The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
• Security risks and controls are centrally managed
• Security risks and controls are fed into enterprise risk assessments

Protect information and systems through process, procedures, access control, training and technology

P.1 Identity and Access Management v0

The Ministry can manage identity and use it as the front-line protection of information and systems, providing enforcement of access across devices, environments and applications.

Includes:

• Privileged Access Management
• Multi-factor Authentication rollout for front line applications
• IGA rollout
• Access Control for APIs
• Client Identity and Access Management
• Partner Lifecycle Management and Governance
• Workforce Capability Rollout and Onboarding Authentication
• Maturing the Identity Capability
• Decentralised Identity
• Strengthen Key Management Processes

P.2 Data Protection v0

The Ministry can protect information on any device anywhere by establishing trust and applying automated, risk-based controls. Includes:

• Corporate Web Proxy
• Data Loss Prevention for M365 and Exchange Online

P.3 IT Maintenance v0

The Ministry maintain and repairs its IT systems inline with policies. Includes:

• Patch Management (INF-120)

P.4 Identity and Access Management v1

Completion of all epics initiated in Horizon 0  (Identity & Access Management v0)

P.5 Information Protection Processes v1

The Ministry has an information protection processes and procedures in place across all IT and business capabilities including change, configuration and system deployment. Includes improvements to establishing a Secure SDLC.

P.6 Data Protection v1

Further improvement to Data protection including:

• Data Loss Prevention Endpoint
• Data Loss Prevention Network
• Extend BYOD access to existing service
• Extended BYOD to include android devices

P.7IT Maintenance v1

Further improvement to IT Maintenance including:

• Configuration Management
• Microsoft Defender for Servers 

P.8 Data Protection v2

Further improvement to Data protection including:

• Application Proxy for business-critical applications

P.9Identity and Access Management v2

Further IdAM improvements including:

• Application Access Control and Entitlement Enforcement

P.10 Data Protection v3

Further improvement to Data protection including:

• Anywhere, any device

Detect anomalies and events and continuously monitor systems and devices

D.1 Detection, Monitoring and Events v0

The Ministry has tools in place to detect security incidents and assess the potential impacts to information and systems. Ministry assets are actively and automatically scanned and monitored for vulnerabilities. Centralised device and network telemetry

Includes:

• Security Information and Event Management (SIEM) (INF-98)
• Vulnerability Scanning (INF-97)

D.2 Detection, Monitoring and Events v1

Further improvements for detection monitoring and events, include:

• Security Orchestration Automation and Response (SOAR) to define incident analysis and response procedures in a digital workflow format.
• Risk based alerts
• Cloud Access Broker (CASB) - Possible move to V0
• Vulnerability identification on servers
• Network vulnerability scanning
• Centralised device and network telemetry

D.3 Detection, Monitoring and Events v2

Further improvements for detection monitoring and events, include:

• Centralised device and network telemetry

D.4 Detection, Monitoring and Events v3

Further improvements for detection monitoring and events, include:

• Threat Hunting
• Attack simulation
• AI/ML based Anomaly Detection

Respond to events using playbooks, event analysis, mitigations and continuous improvement. Recover from events.

R.1 Response & Recover v0

The Ministry has processes in place to respond to security incidents. These processes are regularly tested against risk-based scenarios and are maintained.

The Ministry has business and technology recovery plans in place to recover from incidents. These recovery plans are regularly tested against risk-based scenarios and are maintained.

Includes:

• Security Incident Management improvements (INF-126)
• BCP Framework
• DR for core functions
• Establish a Data Bunker
• BCP Communications Framework

R.2 Response & Recover v1

Further improvements include:

• Baselined BCPs
• "Alternate IT" solution
• Embed Resilience NFRs in solution designs

IT Security Enablers

IT Investments that contribute to the maturity improvements in the previously listed capabilities.

Previous page |