• New Zealand Government Web Standards 2.0

• New Zealand Government Web Standards 1.0
  • » 1. Images
  • » 2. Colour
  • » 3. Site Markup
  • » 4. Special Purpose Documents
  • » 5. Writing Content
  • » 6. Site Content
  • » 7. Page Layout
  • » 8. Navigation
  • » 9. Style Sheets
  • » 10. Dynamic Content
  • » 11. Tables
  • » 12. Frames
  • » 13. Scripting and Applets
  • » 14. Page Refreshing
  • » 15. Site Behaviour
  • » 16. Site Layout
  • » 17. Archiving
  • » 18. Quality Assurance
  • » 19. Data Tracking
  • » 20. Authentication
  • » 21. Security
    • 21.1 Security requirements for internet exchange of personal information
    • 21.2 Compliance to PCI DSS for credit card details online
  • » 22. Online Forms
  • » 23. Tendering and Contracting
  • » 30. Site Delivery
  • » 31. Operational
  • » 32. Web Strategy

21.1 Security requirements for internet exchange of personal information

The Standard

21.1 For exchange of personal information between web site user and the environment hosting the agency web site(s), the hosting environment must as a minimum:

• Encrypt personal information using Secure Sockets Layer (SSLv3) or Transport Layer Security (TLS),
• Use certificates that have a trust chain that is available in commonly used browsers.

Guide to this standard

An example of personal information is credit card details when making online payments.

Rationale for this standard

This standard recognises the importance that government places upon the security of personal information. Agencies are required to implement Security in the Government Sector (SIGS), which includes a set of minimum internet security standards. (Department of the Prime Minister and Cabinet on 1 July 2002). Privacy Principle 5, Privacy Act 1993, states the responsibility an agency has of ensuring that security safeguards protect personal information.

A government agency must be confident of the security of personal information exchanged between a client and an agency web site.