Governance

GOV031

Set and communicate minimum security requirements for your suppliers

You should set minimum security requirements for suppliers which are justified, proportionate, and achievable. Consider your minimum requirements for:

  • security governance
  • personnel security
  • information security
  • physical security.

Make sure these requirements reflect your assessment of security risks. But also take account of how well established your suppliers’ security arrangements are. Consider their ability to meet your intended requirements.

Be specific. If you just include a general condition in the contract that the service provider must comply with the PSR, it’s unlikely to be appropriate or enforceable.

Identify circumstances where it might be disproportionate to expect suppliers to meet your minimum security requirements. For example, this might apply to suppliers who only need ad hoc or occasional access to limited and specific data, or to your premises. Document these considerations.

Give the contractor guidance on the steps you plan to take to manage your security requirements. This guidance could reduce your workload and avoid additional, unnecessary work for contractors.

Confirming people’s suitability with pre-employment checks

Specify the minimum pre-employment checks you expect your suppliers to conduct for their employees. Align your minimum checks with the base pre-employment checks conducted by government organisations:

  • confirm their identity
  • confirm their nationality
  • confirm their right to work in New Zealand
  • check references with their former employer(s)
  • conduct a criminal record check.

When you identify an increased security risk related to a specific role or the nature of the access your supplier has, additional checks could be necessary. For example, an IT administrator for a managed service provider may have broad access to your organisation’s information. You may require further checks to ensure they are trustworthy and identify factors in their life that may increase the risk of insider threat.

Get security clearance for any contractors who’ll handle protectively-marked information

Your organisation is responsible for sponsoring, arranging, and managing security clearances throughout the life of a contract.

If a contractor’s employees need to access protectively-marked information classified CONFIDENTIAL or above, you must ensure each person has a security clearance to the appropriate level. Check with the New Zealand Security Intelligence Service (NZSIS) to find out if any of the employees already hold a valid security clearance.

Anyone who doesn’t hold the correct security clearance should not have unescorted access to anywhere that protectively-marked information is handled or stored.

Set security requirements case by case

Consider setting different security requirements for different types of contracts, based on their associated risks. Avoid forcing all your suppliers to deliver the same set of security requirements when it may not be proportionate or justified.

When you set security requirements, explain the rationale for them to your suppliers. And require your suppliers to pass these requirements down to any sub-contractors.

Include your minimum security requirements in your procurement documents and the contracts you have with suppliers.

If your organisation conducts character checks for your own people, consider whether to conduct the same checks for service providers’ employees.

If a contractor needs access to official information, they should sign a non-disclosure agreement.

Page last modified: 4/05/2022

Supporting documents