Closed indygriffiths closed 4 years ago
TLDR: "In Confidence" does NOT equal "Confidential".
Had a quick discussion with our in-house security expert.
John 1:35 PM: Not exactly.... C/R/S/TS are above In-Confidence. Unless equivalencies are expressly stated, they are what they are.

Maxime 1:39 PM: So "Confidential" is a step above "in confidence" and the requirement that an administrator specifically unlocks a locked out account (as opposed to letting the timeout expire) doesn't apply to CWP?

John 1:41 PM: C.01 is for the higher classifications whereas C.02 is for all other classifications. You have to pull apart what the word SHOULD means. In the Control Language at the beginning of the NZISM, you will find that definition. As far as assuming or guessing what one classification means over another - avoid it. Unless it is stated as an equivalency, use what is in front of you.
https://www.nzism.gcsb.govt.nz/pdf/index/1802
As part of Suspension of Access, 16.1.29.C.01. states that agencies must have a system administrator reset locked accounts; which conflicts with the automatic lock out expiry time set by lock_out_delay_mins. Reading NZISM and it would seem that once an account is locked, only an administrator can unlock it, rather than the system automatically unlocking it.

This control applies to systems Confidential, Secret, Top Secret; Compliance which I would assume includes CWP given it's rated to In Confidence (equals Confidential?)

Related PR