In June the GCSB released version 1.01 of the New Zealand Information Security Manual. However, they have not published a list of changes from v1.0.
I have analysed the differences between v1.0 and v1.01 and found that only two controls have been updated. There are a small number of minor corrections. The following provides a list of changes:
• A blank page has been inserted following the front page;
• The Foreword has been slightly reworded and signed by the new Director of GCSB;
• The table of contents no longer includes itself;
• p65 the double full-stop has been remove at the end of the control How to report a cyber security incident to GCSB;
• p129 the last bullet point in the Context section has been reworded from “another DSD approved evaluation” to “Australasian Information Security Evaluation Program (AISEP) approved evaluation”.
• p130 the first sentence for the Recognition arrangements statement in the Context section has been changed from “DSD has a number of recognition arrangements regarding evaluated products” to “The AISEP programme has a number of recognition arrangements regarding evaluated products”. In addition to this the not in the second sentence has been made bold.
• p222 the Area security and access control statement has been changed from “Areas in which cryptographic system material is used should be separated from other areas and designated as a cryptography controlled area” to “Areas in which cryptographic system material is used should be separated from other areas and designated as a controlled cryptography area”.
• p268 the last row of the table for the Firewall assurance levels statement has been changed so that agencies are required to use EAL4 not EAL2 firewalls to connect two networks classified at Top Secret in different security domains.