
4 Governance, standards, policies and guidelines

  1. A governance framework, standards, policies and guidelines are critical to establishing trust in handling SENSITIVE information among agencies. There is currently no agency with a mandate to impose such policies and standards on other departments, and there are no formal policies directly addressing PKI other than those that can be inferred from the GCSB's INFOSEC guidelines, the e-government Policies and Standards, and the Security in Government Departments handbook.

  2. In the interim, it is proposed that the S.E.E. Project Team be considered an informal reference body for the use of PKT by government agencies.

  3. The recommendations made here should be interpreted as guidelines. They are based on our understanding of the issues to date, and may change as we learn more and develop a formal PKI. These guidelines may become standards and policies in a formal PKI.

  4. If you feel that these guidelines are inappropriate for your implementation, please discuss them with the S.E.E. Project Team so that we can either explain ourselves better, or learn from your experience.

  5. Agencies making decisions based on this document should register their interest with the S.E.E. Project Team, who will keep interested parties abreast of developments.

2 Accreditation versus tendering

  1. The S.E.E. Project issued an RFI for Certification Authorities (CAs), Directory services and Audit services in December 1999. Since that time the S.E.E. Project Team has established a preference for accreditation over tendering.

  2. It is more likely that a S.E.E. Board will invite CAs to have themselves accredited than that it will tender for CA services. Individual agencies or groups of agencies may still tender for CA services from accredited suppliers.

  3. Similarly, providers of Audit services may be accredited, but it is less clear who would perform the accreditation.

  4. It is still likely that a S.E.E. Board will tender for the provision of a single Directory for storage and retrieval of agency certificates regardless of CA. This is expected to reduce the burden on PKT-enabled applications.

  5. We are not proposing an interim certificate policy, although these guidelines could be considered a simplistic voluntary certificate policy. In the interim, agencies need to satisfy themselves that a CA can perform services to an appropriate standard, and this document will help them with that process.

