Implementing a risk-based approach to protective security
Understand how to develop policies, plans and processes for protective security, using a consistent, structured approach.
GOV2 - Take a risk-based approach
Adopt a risk management approach that covers every area of protective security across your organisation, in accordance with the New Zealand standard ISO 31000:2018 Risk Management – Guidelines. Develop and maintain security policies and plans that meet your organisation’s specific business needs. Make sure you address security requirements in all areas: governance, information, personnel, and physical.
These guidelines will help your organisation to:
- manage security risks
- meet security threats
- protect people, information, and assets
- give assurance to other organisations you work with.
How to develop policies, plans and processes — an overview
First, set up a policy framework based on your organisation’s operational needs.
Then identify which assets you need to protect — the assets required for your organisation’s ongoing operations, or for the national interest. Include personnel, information, physical assets, and services.
Next, conduct a risk assessment. Use the Business Impact Levels (BILs) to help you assess risk. BILs enable consistent assessment of the impact if assets are compromised or lost.
Use your risk assessment to inform your policies, plans, and processes — to tell you which security measures you need to implement, how, and when.
Remember to consider other operational policies and outcomes that could be affected by your policies, plans, and processes.
Record your policies, plans and processes in a single document or separate documents. If you choose to use separate documents, make sure you coordinate their development.
Ensure your whole organisation is aware of your security policy, plans and processes. Consider publishing them on your intranet and promoting them. Security Awareness Training has more information.
Review them regularly to identify gaps and keep up with changes to risk factors — at least every 2 years.
Diagram 1: Components of organisation protective security
Diagram 1 shows how your policies, plans and processes interlink and are informed by your risk assessment.
Create security policy that covers governance, personnel, information, and assets
Your protective security policy gives a mandate for your organisation’s protective security plan and processes. It should meet the PSR mandatory requirements.
Your chief executive/agency head, or their delegate, should approve your protective security policy and support its enforcement. Your Chief Security Officer (CSO) should actively monitor the policy.
Protective security policies must cover four key areas –governance, personnel, information, and physical.
Each policy should say why the policy is necessary and who has authorised it.
Governance arrangements cover how protective security relates to other components of operational governance, including:
- employee and public safety
- security requirements in contracts
- assigning security management roles
- Business Impact Levels (BILs)
- audit and compliance reporting
- fraud risk management
- sourcing and handling foreign government information
- processes for policy exceptions
- review and amendment processes.
Personnel security policy
Make sure your personnel security policy covers:
- security checks for employees and contractors
- security clearance requirements, including managing security clearances
- emergency access to protectively-marked material
- how you will investigate and manage security incidents.
Information security policy
Your information security policy should cover:
- protective marking of documents
- access to ICT and storage
- email and internet use
- remote working and mobile computing
- removal of information from your organisation’s premises
- control of your organisation’s information held by commercial entities
- control of personal and commercial information held by organisations on behalf of other parties.
Creating a policy for protective marking of documents gives you detailed guidance on this aspect of your information security policy.
You should use the following sources as your primary guidance when developing information security policy:
- Management protocol for information security
- New Zealand Information Security Manual
- New Zealand Government Security Classification System
- Handling Requirements for Protectively Marked Information and Equipment
- AS/NZS ISO/IEC 27002:2013 Information Technology - Security Techniques - Code of Practice for Information Security Management, section 5.
Physical security policy
Your physical security policy should address:
- access to your facilities by your people, visitors, and children — you might need site-specific policies if different facilities have different roles or risks
- the security and safety of your people – ensure your security policy fits with your other safety policies
- working away from your office
- the physical security of your information.
Develop your security plan and processes
Your organisation’s protective security plan and processes must mitigate security risks while allowing secure information sharing.
Protective security processes may form part of your security plan, or be standalone advice to employees.
Your plan should be comprehensive and detailed. Achieve this by:
- consulting with people from every section of your organisation
- involving staff who directly manage security or related work (for example your Chief Security Officer, Chief Information Security Officer, Health &Safety Manager, Information Technology Security Manager, Privacy Officer, property managers and security manager / advisors) when you develop and review the plan.
Also involve senior management and get their support to ensure the plan’s success.
The objectives of a security plan should be to:
- use risk assessments to identify areas of security risk
- outline practical steps to minimise risks.
Develop separate site security plans for each of your individual sites.
Consider carefully how you classify and protect the security plan, and the business impact if the plan’s confidentiality is compromised. Classify individual elements of the plan as appropriate.
Your security plan must cover four key areas – security of governance, personnel, information, and physical assets.
Governance arrangements should include:
- roles and responsibilities for security
- contract service providers and third-party security
- business continuity and disaster recovery planning
- measures to increase security if threats to your organisation increase
- reporting incidents and conducting security investigations
- audit and compliance reporting
- fraud risk management
- review and amendment.
If governance arrangements are standalone plans managed by other sections of your organisation, consult your security management personnel as you develop the individual plans.
Personnel security arrangements
Personnel security arrangements should include:
- personnel security provisions in the recruitment process, working with your human resource management team
- national security vetting and clearance lists
- contact reporting
- security clearance management
- ongoing security awareness training.
Information security arrangements
Information security arrangements should include:
- information handling within the organisation, in transit, and out of the office
- protectively-marked information archives, working with your records management
- ICT access and storage
- ICT network security
- remote working and mobile computing
- hardcopy information storage and handling.
Physical security arrangements
Physical security arrangements should include:
- site security plans
- physical security of your people, visitors and the public, along with safety plans
- physical security of information
- protection of physical assets
- access control systems
- security alarm systems
- security of disaster recovery or alternative sites, along with business continuity plans
- physical security for remote working and working away from the office.
A suggested format for a security plan
Here are suggested headings and sections for your organisation’s security plan.
Foreword from the chief executive/agency head
State the importance of security planning, endorse the plan, and outline the need for effective security risk management.
Statement of purpose and objectives
Link the security plan to the security policy. Set out the role and responsibility of the organisation and the security practices needed to minimise disruption to its operation and resources.
Assessment of existing security measures
Evaluate the organisation’s current protective security arrangements and describe current exposure and potential threats. This may be a formal threat assessment.
Split the main section into at least four parts. These parts can be separate documents or a single file.
Actions and strategies: Outline how to meet the objectives and treat the security risks identified in the threat assessments.
Resources and responsibilities: Describe the resources needed and who is responsible for implementing the strategies.
Desired outcomes and performance indicators: State your outcomes and how you will measure whether the objectives have been met. Examples of a performance indicator could be:
- a reduction in risk levels to physical premises
- a reduction in fraud, theft, or losses to resources or assets.
Related processes: Include the processes that support the plan. The processes may be attachments or standalone documents for your people.
Other attachments may include:
- your security risk assessment
- site plans
- policy documents
- a compliance tracking or mapping spreadsheet
- links to the operational and compliance plans of other agencies.
Page last modified: 4/05/2022