New Zealand’s National Cyber Security Centre (NCSC) Cyber Security Framework[i] is designed to integrate New Zealand’s specific security needs and cultural values into a comprehensive strategy spanning governance, risk management and incident response. This approach matters because it aligns with global best practice while addressing local needs.
Like any framework, however, it has room for enhancement. In this analysis we assess how the NCSC Framework measures up against the NIST Cybersecurity Framework (NIST CSF) and comparable national schemes, to identify where it excels and where strategic enhancements could strengthen New Zealand’s cyber defences.
Overview of the NCSC Cyber Security Framework
The NCSC’s beta Cyber Security Framework is not just a set of guidelines but a structure aimed at improving the security posture of organisations within the public sector and beyond. It is built around five core functions that together represent the activities required to secure an organisation:
- Guide and govern: This function emphasises the importance of governance in cybersecurity, highlighting the need for clear guidance and policies that direct security efforts across the organisation.
- Identify and understand: Focused on the identification of assets and understanding the environment in which these assets operate, this function is crucial for establishing the scope of the cybersecurity program.
- Prevent and protect: This proactive function addresses the necessity of implementing protective measures to mitigate identified risks and safeguard assets against potential threats.
- Detect and contain: Recognising that incidents will occur, this function ensures that there are processes in place to detect anomalies quickly and contain them effectively to minimise impact.
- Respond and recover: This function deals with the organisation's response to incidents and the recovery process to restore normal operations as swiftly and safely as possible.
These functions provide a strategic view of an agency’s management of cyber security risks and are designed to work concurrently and continuously.
Under the Protective Security Requirements (PSR), every New Zealand public service department must have a cyber security framework, and the NCSC’s framework serves as the model. Because it is flexible, it is also useful to private companies, other government agencies and not-for-profit organisations, regardless of size or sector.
The NCSC encourages feedback on the framework, reflecting a commitment to continuous improvement as user experience accumulates and threats evolve. In particular, it plans to integrate a cyber assessment and insights tool to help organisations gauge their cyber maturity, and aims to better incorporate Māori perspectives and concepts into cyber security.
International comparisons of cybersecurity frameworks
An international comparison of the NCSC Cyber Security Framework highlights its strengths and areas for potential enhancement, and shows where New Zealand’s approach aligns with or diverges from international standards.
Table: Comparison of cybersecurity frameworks based on NIST CSF

| NIST CSF Category | Subcategory | NZ | AU[ii] | UK[iii] | EU[iv] | USA[v] |
|---|---|---|---|---|---|---|
| Identify | Asset Management* | Y | Y | Y | | |
| | Business Environment | | | | | |
| | Governance | | Y | Y | | |
| | Risk Assessment | | Y | | | |
| | Risk Management Strategy | | | | | |
| | Supply Chain Risk* | | Y | | | |
| Protect | Identity and Access Control | Y | Y | Y | Y | Y |
| | Awareness and Training | Y | Y | Y | Y | |
| | Data Security | Y | Y | Y | Y | Y |
| | Information Protection | | Y | | | |
| | System Maintenance | Y | Y | Y | Y | Y |
| | Protective Technology | Y | Y | Y | Y | Y |
| Detect | Anomalies and Events* | Y | | | | |
| | Security Continuous Monitoring* | Y | Y | | | |
| | Detection Processes | | | | | |
| Respond | Response Planning* | | | | | |
| | Communications* | | | | | |
| | Analysis | | | | | |
| | Mitigation | | | | | |
| | Continuous Improvement | | | | | |
| Recover | Recovery Planning | Y | Y | Y | | |
| | Recovery Testing | Y | Y | Y | Y | Y |
| | Improvements | | | | | |
| | Communications* | | Y | | | |

Note: Y indicates that the framework addresses the subcategory; a blank cell indicates that it does not. Subcategories marked with * are the Protecht priority areas discussed below.
The NCSC Framework aligns with international practices, particularly in asset management, identity and access control, and data security. This alignment reflects a global consensus on the critical importance of these areas in establishing a robust cybersecurity posture.
The framework’s coverage of security continuous monitoring and response planning follows established practice. However, the table shows a noticeable gap in detection processes, which is an area for further development if threats are to be identified and mitigated rapidly.
New Zealand’s emphasis on recovery planning and testing is well-matched with international standards, indicating a strong resilience orientation in the framework. The focus on communications during recovery is also noteworthy, as it ensures that stakeholders are well-informed during and after incident resolution.
A distinctive feature of New Zealand’s framework is the separation of 'Guide & Govern' from the Identify function, which underscores the importance New Zealand places on governance and organisational culture in cybersecurity.
Evaluating the NCSC Framework against the priority subcategories identified by Protecht provides a focused lens on its strengths and on opportunities for enhancement:
- Asset management: The NCSC Framework recognises the importance of understanding and managing assets as part of its Identify & Understand function. It emphasises the need for a clear inventory and understanding of assets to apply appropriate security measures effectively. The depth of its implementation guidance could be expanded to match the detailed approaches seen in frameworks like NIST.
- Supply chain risk: Supply chain risk is not explicitly detailed in the NCSC Framework. The framework’s broader guidelines suggest an awareness of the issue but lack specific strategies for managing risks associated with third-party vendors and service providers. Incorporating specific guidance on assessing and mitigating supply chain vulnerabilities would strengthen the framework's comprehensiveness.
- Anomalies and events: The Detect & Contain function of the NCSC Framework adequately covers the detection of anomalies and events. It emphasises the necessity of security monitoring to identify abnormal activity promptly. Continuous improvement to incorporate advanced detection technologies and techniques could further enhance its effectiveness.
- Security continuous monitoring: Security continuous monitoring is a core component of the Detect & Contain function. The framework advocates for ongoing vigilance in monitoring security systems and networks. Implementation advice for best practices, tools, and specific metrics for monitoring effectiveness could be valuable additions.
- Response planning: The framework integrates response planning within its broader Respond & Recover function, focusing on preparing organisations to handle incidents effectively. Providing examples of response plans, roles, and responsibilities, as well as coordination with external agencies, could enhance its utility.
- Communications: Communications during and after an incident are part of the Respond & Recover function, highlighting the importance of managing information flow during crises. This could be expanded to include best practices for internal and external communications, templates for communication plans, and training for spokespersons.
Proposed enhancements to the NCSC framework
This section outlines the reasons for expanding the NCSC Framework and the benefits that expansion could deliver as cyber threats grow in complexity and scale:
- Technological advancements: As new technologies like artificial intelligence, machine learning, and the Internet of Things become integral to business operations, they also introduce new vulnerabilities. An expanded framework that addresses these technologies can provide organisations with the guidance needed to secure them effectively.
- Emerging threat landscapes: Cyber threats are becoming more sophisticated, with attackers leveraging complex strategies that can bypass traditional security measures. Enhancing the framework to address these evolving tactics is crucial for maintaining robust national cybersecurity.
- Protecting critical infrastructure: Expanding the framework to incorporate more detailed protections for sectors like energy, telecommunications, and finance can help safeguard these essential services from disruptive cyber attacks.
- Securing government assets: As government operations increasingly digitise, securing governmental data against breaches is paramount. An expanded framework can offer more specialised guidelines tailored to the unique needs of public sector agencies.
- Supporting business continuity: By providing comprehensive strategies for incident response and recovery, an expanded framework can help businesses minimise downtime and financial losses associated with cyber attacks.
- Enhancing consumer confidence: When businesses can demonstrate robust cybersecurity measures aligned with a national framework, it enhances consumer trust and confidence, which is vital for digital economy growth.
- Alignment with international frameworks: By ensuring the NCSC Framework is compatible with other major frameworks like NIST and ISO standards, New Zealand can more effectively participate in global cybersecurity initiatives.
- Sharing best practices: An expanded framework can incorporate lessons learned from international cybersecurity incidents and best practices, enhancing not only New Zealand’s defences but also contributing to global cybersecurity knowledge.
Conclusions and next steps for your organisation
We believe that expanding the NCSC framework as detailed above would align with global cybersecurity trends, support economic stability, and enhance national security. By incorporating detailed operational guidance, advanced detection technologies, and comprehensive strategies for incident management, the NCSC Framework can offer New Zealand a robust defence mechanism against evolving cyber threats.
In the meantime, here are our recommendations for stakeholders:
- Government and regulators: Consider revising cybersecurity policies to include these expanded areas.
- Organisations and enterprises: Adopt these broader measures pre-emptively, reinforcing their cybersecurity practices in anticipation of regulatory changes.
- Cybersecurity professionals: Anticipate these changes by integrating new strategies and technologies into their practice, so that they remain ahead of threats rather than reacting to them.
To find out more about cyber risk management, Protecht’s Cyber risk management: The art of prevention, detection and correction is a comprehensive guide that addresses the complex and ever-present challenges of cyber risk in today’s digital age. It equips you with an understanding of cyber risk management and enables you to spearhead a proactive approach against ever-evolving digital threats.
[i] New Zealand Government - CERT NZ’s Critical Controls for Cyber Security: https://www.cert.govt.nz/it-specialists/critical-controls/
[ii] Australian Cyber Security Centre (ACSC) - Essential 8 Explainer and Maturity Model: https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-explainer
[iii] United Kingdom Government - National Cyber Security Centre (NCSC) Cyber Essentials: https://www.ncsc.gov.uk/cyberessentials/overview
[iv] European Union Agency for Cybersecurity (ENISA) Cybersecurity Guide: https://www.enisa.europa.eu/
[v] United States - Cybersecurity and Infrastructure Security Agency (CISA) Cyber Essentials Toolkit: https://www.cisa.gov/cyber-essentials