
2. Scope

The password requirements of this Standard have been developed for government services within the Low Risk Category that are delivered to agency customers through the interactive online channel. The Authentication Key Strengths Standard considers broader threats to authentication than those covered in this Standard. The requirements of the Authentication Key Strengths Standard must also be followed.

The Government Logon Service (see 3.2) is a centralised authentication service and not a service agency. Consequently, the requirements 6.1 and 6.2 of this Standard do not apply to the Government Logon Service.

The authentication standards are to be used for services that deliver information classified as UNCLASSIFIED, IN CONFIDENCE, or SENSITIVE only, as specified in the Government's Guidelines for Protection of Official Information.

Authentication is only one aspect of an agency’s security posture. Agencies are reminded that they are required to comply with the Government’s security policies and instructions as defined in:

  • Security in the Government Sector (SIGS)
  • New Zealand Government Information Technology Security Manual – NZSIT 400 (NZSIT 400).

2.1 Other online service risks

Agencies MUST undertake a risk assessment for those risks associated with the delivery of their services through an interactive online channel. Agencies SHOULD follow the Australian and New Zealand Standard AS/NZS 4360:2004 on risk management for their authentication systems. Further advice on the application of AS/NZS 4360:2004 is set out in SAA/SNZ HB 436:2004 and SAA/SNZ HB 231:2004. Agencies also need to ensure there is adequate business continuity planning for their online services.

Many authentication risks may be addressed by ensuring that the authentication system is properly protected. The NZ e-GIF authentication standards do not give general advice for securing authentication systems. Agencies should comply with SIGS, NZSIT 400, AS/NZS ISO/IEC 17799:2006 and AS/NZS ISO/IEC 27001:2006.

Risks also arise from the computing environments of customers. In general, these risks are beyond the scope of the NZ e-GIF authentication standards and any recommendations are limited in their enforcement. Agencies need to consider these risks when they perform the risk assessment for an online service. Agencies should inform potential online service customers of the related risks and provide access to material concerning customer responsibilities and security education (see Appendix A for further advice).

Additionally, the NZ e-GIF authentication standards only consider the identity-related risk of a service. Other risks to government services should also be analysed and addressed as appropriate.
