About the PSR

ABOUT010

Physical security

Every New Zealand Government organisation must have physical security measures in place to protect people, information, and assets.

Physical security is multi-faceted and complements your security measures in other areas.

Good physical security supports health and safety standards, and helps your organisation to operate more efficiently and effectively.

Take a risk-management approach to working out the right levels of physical protection for your organisation’s people, information, and assets.

Understanding what you need to protect

Knowing where your vulnerabilities are is the first step towards robust physical security. You may need to protect:

  • your people, information, and assets
  • the public and customers
  • cultural holdings.

Once you identify your risks, you must evaluate the likelihood and impact of each risk. Assessing your risks helps you understand where you need to take further action.

PHYSEC1 - Understand what you need to protect

Identify the people, information, and assets that your organisation needs to protect, and where they are. Assess the security risks (threats and vulnerabilities) and the business impact of loss or harm to people, information, or assets. Use your understanding to: • protect your people from threats of violence, and support them if they experience a harmful event • protect members of the public who interact with your organisation • put physical security measures in place to minimise or remove risks to your information assets.

Under the Health and Safety at Work Act 2015, your organisation must:

  • identify risks to your people and act to reduce them
  • protect clients and the public from harm.

For your facilities, you need to consider how they’ll be used, who will use them, and what will be stored in them.

Other areas to to think about are:

  • arrangements for people working away from the office
  • co-location arrangements with other parties
  • plans for new sites or buildings, and plans for alterations
  • ICT equipment and information
  • your supply chain.

More information:

Designing physical security early

To reduce costs and improve effectiveness, consider your physical security measures early in any process for:

  • planning new sites or buildings
  • selecting new sites
  • planning alterations to existing buildings.

You also need to assess physical security risks for people working away from the office, and for any shared facilities you use.

PHYSEC2 - Design your physical security

Consider physical security early in the process of planning, selecting, designing, and modifying facilities. Design security measures that address the risks your organisation faces and are consistent with your risk appetite. Your security measures must be in line with relevant health and safety obligations.

Evaluate risks and prepare plans

You must evaluate physical security risks before you select sites. Then prepare site security plans which detail the security measures you need to mitigate the risks.

Comply with security zone requirements

Use the right security zones and their associated measures for protectively-marked information and assets. Security zones may also help to protect other valuable information and resources. Each zone comes with minimum requirements you must implement.

Apply good practice for physical security design

Good practice includes:

  • following the ‘Deter, Detect, Delay, Respond, Recover’ model
  • using multiple layers of security — ‘security in depth’
  • using NZSIS-approved security products when required
  • addressing all points where your physical security could be breached
  • knowing and complying with all relevant laws and standards
  • applying ‘Crime prevention through environmental design’ (CPTED)
  • adding physical security requirements to your business continuity and disaster recovery plans.

Get your physical security design accepted

Your chief security officer (CSO) must accept that the proposed security design is fit for purpose and will address your organisation’s specific requirements.

Implement your physical security measures

Implementing your agreed physical security measures includes rolling out related policies and processes, and any technical measures you need.

Include physical security in your business dealings

Build physical security into your contracts, business relationships, and partnerships. Ensure everyone is aware of your physical security requirements and check for compliance.

Manage your planning and building processes

Make sure your physical security measures are implemented when there are new builds, refurbishments, or assets shifted from one workplace or area to another.

More information:

Validating your security measures

Your chief security officer is responsible for validating your measures. They need to decide whether your organisation’s:

  • physical security measures are well managed
  • risks have been properly identified and mitigated
  • physical security measures allow governance responsibilities to be met.

PHYSEC3 - Validate your security measures

Confirm that your physical security measures have been correctly implemented and are fit for purpose. Complete the certification and accreditation process to ensure that security zones have approval to operate.

Following the certification and accreditation processes for security zones will ensure your physical security measures provide the right levels of protection and are implemented correctly.

Keeping your security up to date

Your threats and vulnerabilities are likely to change over time. New technology, processes, arrangements, and objectives can all mean that your physical security needs to change. You must be alert to changes and take action to keep your security up to date.

PHYSEC4 - Keep your security up to date

Ensure that you keep up to date with evolving threats and vulnerabilities, and respond appropriately. Ensure that your physical security measures are maintained effectively so they remain fit for purpose.

Your people need to know about changes that affect them and any new policies you bring in. You should also encourage them to report any risks they encounter or are concerned about.

To stay on top of your threat environment:

  • monitor systems, assets, and people
  • observe events and processes so you can detect threats
  • assess your measures regularly to see if changes are necessary
  • analyse and report on risks
  • apply and track fixes.

When security incidents happen, ensure you learn from what happened, including how well your organisation responds to and manages incidents.

Assessing your capability

Assess your physical security measures to find out what needs to be improved or changed to better protect your people, information, and assets.

GOV8 - Assess your capability

Use an annual evidence-based assessment process to provide assurance that your organisation’s security capability is fit-for-purpose. Provide an assurance report to Government through the Protective Security Requirements team if requested. Review your policies and plans every 2 years, or sooner if changes in the threat or operating environment make it necessary.


 
Use a combination of methods, such as monitoring and reporting, reviewing, and auditing to help you find out if:

  • your physical security policies are being followed (including policies for retiring or destroying information and assets securely)
  • your physical security controls are working as planned
  • any new threats or business practices have emerged.

Page last modified: 30/11/2018