1 July 2024
45 Pipitea Street, Wellington 6011
Phone +64 4 495 7200
dia.govt.nz
J Dough
fyi-request-26780-[email address]
Tēnā koe J Dough
OIA request 23/24 1037 Request for information related to the RealMe security requirements
Thank you for your Official Information Act (Act) request received by the New Zealand Police
(NZ Police) on 14 May 2024.
You requested –
Can the NZ Police confirm that the security of all communications aligns with the security
requirements and guidance provided by the NZ Government Communications Security
Bureau, especially, but not limited to, the following sections:
* 16.1.40.R.03
* 16.1.40.R.04
* 16.1.40.C.02
* 16.1.41.R.01
As previously advised in an email on 30 May 2024, this part of your request was transferred to
us, the Department of Internal Affairs (the Department), under section 14(b)(i) of the Act.
Section 14(b)(i) provides that the information, or some of the information, to which the request
relates is not held by the department or venture or Minister of the Crown or organisation but is
believed by the person dealing with the request to be held by another department.
In response to your request, I can provide you with the following information.
I can advise that RealMe does not “store, communicate or transmit” any NZ Police firearms
data. RealMe only provides authentication access to the service (username/ password / second
factor authentication).
Regarding Section 16 – Access Control and Passwords from the New Zealand Information Security Manual (NZISM), I can advise of the following.
In relation to meeting NZISM requirements, these are the noted rationales (references containing "R") for certain controls (references containing "C"):
* 16.1.40.R.03 (Rationale outlining four principal methods of attacking passwords)
* 16.1.40.R.04 (Rationale for Password controls)
* 16.1.40.C.02 – Password Policy - Agencies SHOULD implement a password policy enforcing either:
  • a minimum password length of 16 characters with no complexity requirement; or
  • a minimum password length of ten characters, consisting of at least three of the following character sets:
    ▪ lowercase characters (a-z);
    ▪ uppercase characters (A-Z);
    ▪ digits (0-9); and
    ▪ punctuation and special characters
* 16.1.41.R.01 – (Rationale for changing Passwords every 90 days)
The references above have only one reference to a control (16.1.40.C.02) for the RealMe authentication (Login) service.
NZISM indicates that we SHOULD implement the underpinning controls relating to Password Policy and Password Management. It is a MUST for systems classified as Secret, Top Secret and Confidential.
A control with a “SHOULD” or “SHOULD NOT” requirement indicates that use, or non-use, of the
control is considered good and recommended practice. Valid reasons for not implementing a
control could exist.
In accordance with RealMe’s classification, RealMe continues to review its Password policy
settings to balance security and usability. Too strict a password policy means more forgotten
password calls to the helpdesk and frustration by users, the same with forcing a password
change.
RealMe follows the Microsoft Password Policy, which meets the character set requirement; however, passwords are allowed to be between 8 and 64 characters, so we do not enforce a minimum of 10 but a minimum of eight. This means the Department is currently at a setting not far from the recommendation, but not meeting it exactly. RealMe maintains certification/accreditation and is due for recertification/reaccreditation in July/August 2024.
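The following checker is an added example and is not DIA or RealMe code. It encodes the two branches of NZISM 16.1.40.C.02 as quoted above and compares them with the RealMe setting described in this letter (minimum eight characters, maximum 64, character sets enforced). The letter does not state how many character sets the Microsoft policy requires; the value of three used here, the policy names, the function names and the sample passwords are all assumptions made for illustration.

```python
"""Checker for the NZISM 16.1.40.C.02 password-policy control.

Added example, not DIA/RealMe code. The control text comes from the letter;
the policy objects below are constructed for illustration, and the
three-character-set value assumed for the Microsoft policy is an assumption.
"""
import string
from dataclasses import dataclass

PUNCTUATION = set(string.punctuation)


def character_sets(password: str) -> int:
    """Count how many of the four NZISM character sets a password draws from."""
    present = (
        any(c in string.ascii_lowercase for c in password),
        any(c in string.ascii_uppercase for c in password),
        any(c in string.digits for c in password),
        any(c in PUNCTUATION for c in password),
    )
    return sum(present)


def password_meets_c02(password: str) -> bool:
    """True if one password satisfies either branch of 16.1.40.C.02."""
    if len(password) >= 16:          # branch 1: 16+ chars, no complexity needed
        return True
    return len(password) >= 10 and character_sets(password) >= 3  # branch 2


@dataclass(frozen=True)
class PasswordPolicy:
    """A minimal description of what an authentication service enforces."""
    min_length: int
    max_length: int
    min_character_sets: int  # 0 means no complexity requirement


def policy_meets_c02(policy: PasswordPolicy) -> bool:
    """True if every password the policy accepts would satisfy 16.1.40.C.02.

    A policy complies when it enforces at least one branch of the control:
    minimum length 16 with no complexity, or minimum length 10 with at least
    three character sets.
    """
    if policy.min_length >= 16:
        return True
    return policy.min_length >= 10 and policy.min_character_sets >= 3


def weakest_accepted_password(policy: PasswordPolicy) -> str:
    """Build the weakest password a policy still admits.

    Uses the minimum length and exactly the minimum number of character sets
    (lowercase, then uppercase, digit, punctuation). Checking this string
    with password_meets_c02 shows whether the policy's floor clears the control.
    """
    samples = ["a", "A", "1", "!"]
    chars = samples[: max(policy.min_character_sets, 1)]
    password = "".join(chars)
    return password + chars[0] * (policy.min_length - len(password))


# Constructed policies (assumptions, not published configuration):
# RealMe as described in the letter: 8-64 characters, character sets enforced
# (three sets assumed, as the letter does not state the number).
REALME_AS_DESCRIBED = PasswordPolicy(min_length=8, max_length=64, min_character_sets=3)
# The two compliant options from 16.1.40.C.02, with the same 64-character ceiling.
NZISM_OPTION_A = PasswordPolicy(min_length=16, max_length=64, min_character_sets=0)
NZISM_OPTION_B = PasswordPolicy(min_length=10, max_length=64, min_character_sets=3)


if __name__ == "__main__":
    for name, policy in (("RealMe (as described)", REALME_AS_DESCRIBED),
                         ("NZISM option A", NZISM_OPTION_A),
                         ("NZISM option B", NZISM_OPTION_B)):
        weakest = weakest_accepted_password(policy)
        print(f"{name}: policy complies={policy_meets_c02(policy)}; "
              f"weakest accepted {weakest!r} complies={password_meets_c02(weakest)}")
```

Run stand-alone, the script reports that the eight-character floor admits a password such as `aA1aaaaa`, which fails both branches of the control, while either NZISM option produces a compliant floor. The gap the letter describes is therefore in the minimum length only; raising it to ten while keeping the character-set rule, or to sixteen without it, would close it.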
For further reference, the current Privacy Impact Assessment (PIA) for RealMe, Privacy Impact Assessment for RealMe – June 2013, is available on the Department's website:
www.dia.govt.nz/diawebsite.nsf/wpg_URL/Resource-material-Identity-Verification-Service-Identity-Verification-Service-Privacy-Impact-Assessment?OpenDocument
As this information may be of interest to other members of the public, the Department has decided to proactively release a copy of this response on the DIA website. All requestor data, including your name and contact details, will be removed prior to release. The released response will be made available here:
https://www.dia.govt.nz/Official-Information-Act-Requests-2.
Page 3 of 3
You have the right to seek an investigation and review by the Ombudsman of this decision.
Information about how to make a complaint is available at www.ombudsman.parliament.nz or
freephone 0800 802 602.
Ngā mihi
Tim Waldron
Manager Business and Market Development
Partners and Products