Azure-based compliance initiative provides standardised, automated processes for agencies to meet Government Information Security Manual requirements on secure IT use and data protection
Microsoft has released a new Azure Policy initiative to help New Zealand government agencies speed up adoption of cloud, dramatically simplifying compliance with government requirements around cybersecurity, privacy and data management.
The New Zealand Information Security Manual (NZISM) sets out security and governance requirements all public sector organisations must adhere to. Spanning more than 1,000 pages, the guidelines must be checked whenever a government agency is considering new software and technologies, and on an ongoing basis.
In 2021, Azure introduced policies designed to assist New Zealand government agencies in meeting specific compliance requirements, marking a pioneering move for a major tech company. Despite this, the multi-step implementation process proved challenging for many agencies that were new to cloud technology.
With enhancements to the management tools and new functionalities added to Microsoft Defender for Cloud, Microsoft has simplified the end-to-end process for public sector customers. Deploying the updated NZISM solution in Azure allows agencies to perform a more efficient compliance review of their infrastructure, speeding up decisions and reducing the need to navigate through lengthy documents.
Mark Anderson, Chief Security Officer at Microsoft Australia & New Zealand, said the automation initiative addresses a long-standing challenge for many agencies, especially those that are smaller with less internal resource to monitor tech compliance.
“Automating the process with this solution not only accelerates the path to NZISM alignment and compliance but empowers agencies with actionable, automated insights that allow them to confidently adopt new technology without the manual overhead of compliance checklists that have historically slowed progress,” he said.
Microsoft Copilot capabilities will soon be added to enable internal compliance officers to ask the tool questions and receive tailored recommendations aligned with compliance and regulatory standards.
The automated system also offers real-time assessments of organisations’ regulatory compliance, reporting non-compliant configurations, settings and systems.
“Beyond the cost and time savings of having a streamlined process, the upgraded NZISM policy enables agencies of any size to deploy and innovate with new tools that improve services and access for New Zealand citizens, which is a win for everyone,” Anderson said.
The National Cyber Security Centre (NCSC) works with Microsoft to support government agencies consuming Azure. Both Microsoft and the NCSC contribute to the Azure Policy initiative to ensure that agencies are deploying services that meet many NZISM controls by default.
“While agencies should always check that their services have the necessary controls implemented, offerings like this simplify the compliance overhead associated with moving workloads to cloud platforms,” said John Doyle, Director Regulatory and Advisory, NCSC.