21. Security
21.1 Security requirements for internet exchange of personal information
For the exchange of personal information between a web site user and the environment hosting the agency web site(s), the hosting environment must, as a minimum:
- Encrypt personal information using Secure Sockets Layer version 3 (SSLv3) or Transport Layer Security (TLS);
- Use certificates whose trust chain is available in commonly used browsers.
Guide to this standard
An example of personal information is credit card details when making online payments.
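As an added illustration that is not part of the standard, the following Python client check covers both 21.1 requirements: it only accepts a TLS handshake with a certificate chain that validates against the platform's trust store (the same root set commonly used browsers ship with), and reports what a server actually negotiated. The host name is a placeholder, and the verdict functions can be exercised without network access.

```python
import socket
import ssl

# Placeholder host for the command-line usage below; not taken from the standard.
EXAMPLE_HOST = "example.invalid"


def build_client_context() -> ssl.SSLContext:
    """Client settings mirroring 21.1: the exchange must be encrypted with TLS
    and the server's chain must validate against the platform trust store."""
    # create_default_context() loads the system CA bundle, requires a valid
    # certificate (CERT_REQUIRED) and enables hostname checking.
    ctx = ssl.create_default_context()
    # SSLv3 is named in the standard but has since been withdrawn (RFC 7568);
    # refusing anything below TLS 1.2 keeps the check to current protocols.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_meets_21_1(ctx: ssl.SSLContext) -> bool:
    """True when the context insists on a trusted chain and a TLS protocol."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def check_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Perform one handshake and report the negotiated protocol and whether
    the server's chain validated. Needs network access."""
    ctx = build_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"host": host, "protocol": tls.version(),
                        "chain_trusted": True, "reason": None}
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, expired certificate, hostname mismatch, etc.
        return {"host": host, "protocol": None,
                "chain_trusted": False, "reason": exc.verify_message}


def result_meets_21_1(result: dict) -> bool:
    """Compliance verdict for a check_endpoint() result."""
    proto = result.get("protocol") or ""
    return bool(result["chain_trusted"]) and proto.startswith("TLS")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else EXAMPLE_HOST
    outcome = check_endpoint(target)
    print(outcome, "meets 21.1" if result_meets_21_1(outcome) else "does NOT meet 21.1")
```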
Related Standard(s)
21.2 - Compliance with PCI DSS for credit card details online.
Rationale for this standard
This standard recognises the importance that government places upon the security of personal information. Agencies are required to implement Security in the Government Sector (SIGS), issued by the Department of the Prime Minister and Cabinet on 1 July 2002, which includes a set of minimum internet security standards. Privacy Principle 5 of the Privacy Act 1993 sets out an agency's responsibility to ensure that security safeguards protect personal information.
A government agency must be confident of the security of personal information exchanged between a client and an agency web site.
21.2 Compliance with PCI DSS for credit card details online
Any capture of credit card details online must comply with the Payment Card Industry (PCI) Security Standards Council's Data Security Standards (DSS).
Guide to this standard
Refer to Online payments - Payment Card Industry (PCI) Security Standards Council's Data Security Standards for further information.
Rationale for this standard
This standard recognises the importance that government places upon the security of personal information. Agencies are required to comply with the standards of non-government organisations when the services of those organisations are used within NZ government agency web sites.
Related Standard(s)
21.1 - Security requirements for internet exchange of personal information.