Physical security management core policy

New Zealand government agencies hold significant resources on behalf of the Crown to fulfil government functions, for example, to develop policy, implement programmes and provide services to the public.

The government expects each of its agencies to create and maintain an appropriate physical security environment for the protection of these functions and associated resources.

The appropriate physical security environment should support the efficient and effective delivery of agency outputs, without compromising the application of protective security measures and while also taking into account occupational health and safety standards.

Risk management

Agencies should employ a risk management approach to physical security that conforms to the protective security principles.

Agencies should determine the appropriate level of physical protection for their functions, information, assets, employees and the public. 

These decisions require a rigorous analysis of security risk.

For more information, refer to the following New Zealand Standards:

Security-in-depth

Sensible management of security risk will involve finding appropriate and cost-effective ways to minimise risk through a combination of procedural, personnel and physical measures. 

This mix establishes a series of barriers that prevent or restrict unauthorised access or harm to resources. 

This is known as security-in-depth. The mix also establishes mechanisms to detect and respond to security breaches within an acceptable timeframe.

Agency physical security policy and planning

Mandatory requirement

PHYSEC1: Agencies must provide clear direction on physical security through the development and implementation of an agency physical security policy and address agency physical security requirements as part of the overall agency security plan.

The policy and plan should:

  • detail the objectives, scope and approach to the management of physical security issues and risks within the agency
  • be endorsed by the agency head
  • identify physical security roles and responsibilities
  • continuously review physical security measures to reflect changes in the threat environment and take advantage of new cost-effective technologies
  • be consistent with the requirements of the agency’s protective security plan and physical security risk assessment findings
  • explain the consequences for breaching the policy or circumventing any associated protective security measure
  • be communicated on an ongoing basis and be accessible to all agency employees.

For more information, refer to the New Zealand Government Physical Security Management Protocol and requirements.

Protection of employees

Agencies are responsible for the health and safety of employees at work. This responsibility extends to situations where employees are under threat of violence because of their duties or because of situations to which they are exposed. 

Such situations can include, but are not limited to, terrorism, threat letters or calls, the receipt of potentially dangerous substances (for example, white powder), stalking and assault.

Mandatory requirement

PHYSEC2: Agencies must have in place policies and protocols to:

  • identify, protect and support employees under threat of violence, based on a threat and risk assessment of specific situations. In certain cases, agencies may have to extend protection and support, for example, to family members
  • report incidents to management, human resources, security and law enforcement authorities, and/or WorkSafe New Zealand as appropriate
  • provide information, training and counselling to employees
  • maintain thorough records and statements on reported incidents.

Physical security

Physical security involves the proper layout and design of facilities and the use of measures to delay and prevent unauthorised access to government assets. 

It includes measures to detect attempted or actual unauthorised access and activate an appropriate response.

Physical security also provides measures to safeguard employees from violence.

Mandatory requirement

PHYSEC3: Agencies must ensure they fully integrate protective security early in the process of planning, selecting, designing and modifying their facilities.

Agencies should:

  • select, design and modify their facilities to facilitate the control of access
  • determine restricted access areas and have the necessary entry barriers, security systems and equipment based on threat and risk assessments
  • include the necessary security specifications in planning, request for proposals and tender documentation
  • incorporate related costs in funding requirements.

Health and safety at work

Mandatory requirement

PHYSEC4: Agencies must ensure that any proposed physical security measure or activity is consistent with relevant health and safety obligations.

Agencies should:

  • conduct a risk assessment of any proposed physical security measure or activity and develop effective risk controls in line with a reasonably practicable approach
  • take into account the likelihood and consequence of an accident or injury arising as a result of a physical security measure or activity and put in place appropriate control measures.

Duty of care – third parties

Mandatory requirement

PHYSEC5: Agencies must show a duty of care for the physical safety of members of the public interacting directly with the New Zealand government. Where an agency’s function involves providing services, the agency must ensure that clients can transact with the New Zealand government with confidence about their physical wellbeing.

Agencies should:

  • take all reasonable precautions which could avoid or reduce the risk of harm to clients
  • choose the option which is least restrictive to the client where there are a number of effective physical security measures which would reduce the risk of harm
  • ensure the agency physical security plan addresses the risk of harm to clients
  • develop relevant requirements and procedures identifying the precautions to be taken to cover the identified risk factors.

For more information, refer to the Health and Safety at Work Act 2015.

Physical security of ICT equipment and information

Mandatory requirement

PHYSEC6: Agencies must implement a level of physical security measures that minimises or removes the risk of information assets being made inoperable or inaccessible, or improperly accessed or used.

Agencies should:

  • put in place appropriate building and entry control measures for areas used in the processing and storage of protectively marked information
  • put in place physical security protection (which matches the assessed security risk of the aggregated information holdings) for all agency premises, storage facilities and cabling infrastructure
  • locate ICT equipment, where practical, in areas with access control measures in place to restrict use to authorised personnel only and put in place other control methods where physical control measures are not possible
  • implement policies and processes to monitor and protect the use and/or maintenance of information, equipment, storage devices and media away from agency premises and, in situations where a risk assessment determines it is necessary, put in place additional control measures
  • implement policies and processes for the secure disposal and/or reuse of ICT equipment, storage devices and media (including delegation, approval, supervision, removal methods and training of employees) that match the assessed security risk of the information holdings stored on the asset
  • implement general control policies, including a clear desk and clear screen policy.

Physical security in emergency and increased threat situations

Mandatory requirement

PHYSEC7: Agencies must develop plans and protocols to move up to heightened security levels in case of emergency and increased threat. The New Zealand government may direct its agencies to implement heightened security levels.

Agencies should coordinate physical security plans and procedures with other emergency prevention and response plans, for example, fire, bomb threats, hazardous materials, power failures, evacuations and civil defence emergencies.