ABOUT007
Security governance
The PSR contains eight governance requirements which work together to ensure effective oversight and management of all security areas.
Establishing your governance structure
To implement protective security requirements, your organisation must clearly:
- identify your security governance structure
- define who is responsible for security governance.
GOV1 - Establish and maintain the right governance
Establish and maintain a governance structure that ensures the successful leadership and oversight of protective security risk. Appoint members of the senior team as:
- Chief Security Officer (CSO), responsible for your organisation’s overall protective security policy and oversight of protective security practices.
- Chief Information Security Officer (CISO), responsible for your organisation’s information security.
Develop a governance structure that enables you to effectively identify and manage security risks.
Your organisation head is responsible for reviewing and endorsing your proposed security risk management structures, assurance mechanisms, and resource allocations.
Managing risks, and establishing policies and plans
The right risk-management approach will vary from organisation to organisation, but your process should be transparent and justifiable. Risk avoidance is not risk management.
GOV2 - Take a risk-based approach
Adopt a risk management approach that covers every area of protective security across your organisation, in accordance with the New Zealand standard ISO 31000:2018 Risk Management – Guidelines. Develop and maintain security policies and plans that meet your organisation’s specific business needs. Make sure you address security requirements in all areas: governance, information, personnel, and physical.
Your organisation’s process for managing security risks should aim to:
- identify risks specific to your people, information, and assets
- assess the likelihood and impact of risks occurring
- assess risks against vulnerabilities and the adequacy of existing safeguards
- specify your level of risk tolerance
- determine which protective measures are likely to reduce or eliminate risks
- identify and accept responsibility for residual risks
- implement security measures to reduce risks to acceptable levels.
Communicate about risk management to raise awareness
Common messages for managing security risks well are:
- everyone who works for your organisation is responsible for managing security risks (including contractors)
- risk management, including security risk management, is part of day-to-day business
- the process for managing security risks is logical, systematic, and part of your organisation's standard management processes
- changes in your organisation’s threat environment should be continuously monitored, and security measures adjusted when necessary, to maintain an acceptable level of risk and a good balance between operational needs and security.
Develop effective policies and plans
Your policies and plans for protective security should:
- detail the objectives, scope, and approach to managing your security issues and risks
- be endorsed by your organisation’s head
- identify security roles and responsibilities
- be reviewed when there are changes to your business or changes to your security risks
- be consistent with your security risk assessment findings
- explain the consequences for breaching policies or circumventing protective security measures
- be communicated regularly.
More information:
- Implementing a risk-based approach to protective security
- ISO 31000:2018 Risk management - Guidelines
- HB 167:2006 Security risk management
- HB 327:2010 Communicating and consulting about risk
Preparing for business continuity
Critical services and associated assets need to remain available to assure the health, safety, security and economic wellbeing of New Zealanders, and the effective functioning of government.
GOV3 - Prepare for business continuity
Maintain a business continuity management programme, so that your organisation’s critical functions can continue to the fullest extent possible during a disruption. Ensure you plan for continuity of the resources that support your critical functions.
A business continuity management (BCM) programme should be part of your organisation's overall approach to effective risk management.
BCM planning sets out the processes you should follow in the event of a disruption to business. A key risk for organisations is being unable to remain operational in the event of a crisis or other disruption.
Set up a robust programme
Carry out the following activities to ensure your BCM programme is effective.
- In your governance arrangements, establish who oversees and takes responsibility for your BCM programme, and for developing and approving business continuity plans.
- As part of your asset identification process, carry out impact analyses to identify and prioritise your organisation's critical services, assets, and information. Include any information exchanges with other organisations and external parties.
- Develop plans, security measures, and arrangements to ensure your critical services and assets continue to be available. Include any other service or asset when warranted by a threat or risk assessment.
- Monitor your organisation's overall level of preparedness for a disruptive event.
- Ensure you continuously review, test and audit your business continuity plans.
More information:
- ISO 22301:2019 Societal security - Business continuity management systems - Requirements
- Business Continuity Institute - Good Practice Guidelines (2018 edition)
Building security awareness
To successfully deliver the PSR, everyone who works for your organisation needs to know and follow your security policies and processes.
GOV4 - Build security awareness
Provide regular information, security awareness training, and support for everyone in your organisation, so they can meet the Protective Security Requirements and uphold your organisation’s security policies.
Educate everyone about your security requirements
To improve awareness of and compliance with your security measures, your organisation should:
- ensure people who have specific security duties receive appropriate and up-to-date training
- communicate your security policies to everyone who works for you, including contractors
- make sure your security policies are easy to understand and access
- run an ongoing security awareness programme to regularly remind people of security responsibilities, issues, and concerns
- brief national security clearance holders on the conditions attached to their clearance level when they gain or renew a clearance, and when required in the clearance renewal cycle.
Uphold legislation for protecting official information
Provide everyone who works for you with guidance on the relevant sections of legislation covering the unauthorised disclosure of official information, including the:
- Official Information Act 1982 — sections 6, 9, 27 and 31
- Privacy Act 2020 — Information Privacy Principles, section 6
- Crimes Act 1961 — sections 78, 78A, 78B, 78C and 79
- Summary Offences Act 1981 — section 20A.
The combined effect of the Crimes Act 1961 and the Summary Offences Act 1981 is that the unauthorised disclosure of information held by the New Zealand Government is subject to the sanction of criminal law. Your people need to be aware of whether and how such legislation applies to their role.
Managing risks when working with others
The PSR applies as much to service providers and outsourced services as it does to your internal operations.
GOV5 - Manage risks when working with others
Identify and manage the risks to your people, information, and assets before you begin working with others who may become part of your supply chain.
When you outsource services or functions, your organisation should:
- apply personnel security procedures to private sector organisations and individuals who have access to New Zealand Government assets
- ensure government assets, including ICT systems, are safeguarded through specifying security requirements in contract terms and conditions, and visiting providers to assess compliance.
Managing security incidents
The purpose of a security investigation is to establish the cause and extent of an incident that has, or could have, compromised your organisation or the New Zealand Government.
The process of investigating and reporting security incidents also helps you to understand your vulnerabilities and reduce the risk of future incidents.
GOV6 - Manage security incidents
Make sure every security incident is identified, reported, responded to, investigated, and recovered from as quickly as possible. Ensure any appropriate corrective action is taken.
Be fair and just when you investigate
A security investigation should protect both the interests of the New Zealand Government and the rights of affected individuals.
Your organisation must apply the principles of natural justice and procedural fairness to all security investigations.
Your procedures should give due regard to protecting the integrity of any other current or future investigation, whether by your organisation or by another.
Report serious security incidents to the right authorities
If an incident is potentially serious, you must consult with the:
- New Zealand Police
- New Zealand Security Intelligence Service (NZSIS)
- Government Communications Security Bureau (GCSB) or the Government Chief Digital Officer (GCDO), or both.
More information:
- Reporting incidents and conducting security investigations
Responding to increased threat levels
Your organisation must be ready to respond to emergency and increased threat situations.
GOV7 - Be able to respond to increased threat levels
Develop plans and be prepared to implement heightened security levels in emergencies or situations where there is an increased threat to your people, information, or assets.
Your plans for moving up to heightened security levels should integrate and coordinate with other emergency prevention and response plans. For example, plans for responding in case of a fire, bomb threat, hazardous chemical spill, power failure, evacuation, or civil defence emergency.
Assessing your security capability
An annual self-assessment helps your organisation to know if your security measures are right, and to improve security if you need to.
GOV8 - Assess your capability
Use an annual evidence-based assessment process to provide assurance that your organisation’s security capability is fit-for-purpose. Provide an assurance report to Government through the Protective Security Requirements team if requested. Review your policies and plans every 2 years, or sooner if changes in the threat or operating environment make it necessary.
The assessment and reporting process aims to help your organisation check how well you’re ensuring that:
- your people are safe
- your essential resources are retaining their confidentiality, integrity, and availability.
The process comprises internal self-assessment and reporting, and in some cases external reporting to lead security organisations.
Page last modified: 6/05/2022