1 Introduction


1.1 Purpose

The purpose of these requirements is to:

  • provide guidance on achieving a consistent and structured approach to determining personnel security management and controls in agency facilities
  • strengthen processes for reporting changes in circumstances
  • strengthen processes for the screening and evaluation of employees during the course of their employment
  • help to establish consistent terminology for personnel security across the New Zealand government
  • give agencies and employees a better understanding of the security clearance vetting process.

1.2 Audience

The audience for these requirements is:

  • New Zealand government human resources and recruitment staff
  • New Zealand government security management staff
  • contractors to the New Zealand government providing protective security advice and services
  • any other body or person responsible for the security of New Zealand's people, information or assets.

1.3 Scope

These requirements cover:

  • identification of suitable staff
  • personnel security risk review
  • developing a security culture.

They support the Personnel Security Management Protocol.

They are part of a suite of documents that aid agencies to meet their personnel security management requirements.

These requirements are divided into four sections:

  • personnel security risk
  • principles of personnel security management
  • security clearance requirements
  • candidate and agency responsibilities.

1.4 Compliance requirements

A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are the baseline controls unless the control is demonstrably not relevant to the respective agency, and this can be clearly demonstrated to the agency head or accreditation authority.

A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice. Valid reasons for not implementing a control could exist, including:

  1. the control is not relevant because the risk does not exist
  2. a process or control(s) of equal strength has been substituted.

Agencies must recognise that not using a control without due consideration may increase residual risk for the agency. This residual risk needs to be agreed and acknowledged by the agency head. In particular, an agency should pose the following questions:

  1. Is the agency willing to accept additional risk? If so, what is the justification?
  2. Have any implications for All of Government security been considered?

A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.

The PSR provides agencies with mandatory and best practice security measures.

The controls detailed above describe if and when agencies need to consider specific security measures to comply with the mandatory requirements.

Also refer to Strategic Security Objectives, Core Policies and the Mandatory Requirements.


2 Personnel Security Risk


2.1 Personnel Security Risk Assessment

The use of appropriate personnel security measures can prevent or deter a wide variety of insider attacks, from staff fraud through to the facilitation or conduct of a terrorist attack.

These measures can be labour-intensive and costly and may result in delays in business processes such as recruitment or staff movements. Therefore, it is important that they are implemented in a way that reflects the severity of the risks.

Agencies should base any decisions regarding personnel security on their personnel security risk assessment.

An agency’s personnel security risk assessment should be incorporated into the agency’s overarching protective security risk assessment or other agency risk assessment processes.


2.2 Importance of personnel security risk management

Personnel security is important in the protection of an agency’s people, information and assets because:

  • it identifies an agency’s vulnerability to a range of insider threats, which can be harmful, costly, embarrassing and disruptive
  • it delivers a level of assurance about the credentials and integrity of the agency’s workforce
  • an agency’s protection against threats is only as good as the weakest element of its protective security. The personnel security risk assessment may impact on, and should complement, information and physical security controls.

The risk assessment will allow an agency to:

  • prioritise the insider risks
  • identify appropriate countermeasures to mitigate the risks
  • allocate resources in a way that is cost effective, commensurate with the level of risk and complements existing information and physical security controls
  • communicate the insider risks to senior management and secure their engagement in mitigating controls
  • continually monitor the effectiveness of mitigation controls.

Agencies should undertake personnel security risk reviews every two years in accordance with:


2.3 Personnel security risk assessment team

A better risk assessment will be achieved if the assessment team comprises members from all relevant areas of the agency, including representatives from:

  • senior management
  • the security section or Chief Security Officer (CSO)
  • human resources
  • the Information Technology (IT) section, for example the Chief Information Security Officer (CISO), IT manager or IT security adviser
  • staff.

Involving staff representatives early in the risk assessment process will increase staff uptake of any mitigations put in place, as well as create an inclusive security culture for the agency.

An agency may also consider using a specialist contracted risk manager to facilitate the process and/or give a fresh external viewpoint.


2.4 Insider threat

One of the most significant risks is the ‘trusted insider’ who abuses a position of trust after being granted access to an agency’s information and assets.

It is not enough to want to cause harm to an agency; a person also needs access.

Gaining that access is significantly easier for staff or contractors who already have legitimate access to an organisation’s assets.

Various factors can motivate insiders, including political, ethical or religious views, a desire for revenge, status or financial gain or coercion.

Employees may attempt:

  • violence to other staff, clients or the public
  • unauthorised disclosure of information
  • physical or electronic sabotage
  • facilitation of third party access
  • financial or process corruption
  • theft.

For examples of insider threats see Annex A.


2.5 Levels of personnel security risks

There are three levels at which agencies should undertake personnel security risk assessments – agency, group and individual.

Agency-level risks

Agency level risks may affect the whole agency and could arise from personnel within the agency or from external contractors.

These risks may relate to, but are not limited to:

  • access to the agency Information and Communications Technology (ICT) network
  • the value of the agency’s assets
  • specific enabling legislative requirements
  • agency outputs
  • common personnel concerns such as:
    • citizenship
    • drug or alcohol misuse
    • violence against other employees, clients or the public
    • criminal activity.

The agency-level risk assessment will inform an agency’s human resources and security policies.

Mitigations for agency level personnel security risks are normally applied to all agency personnel.

Group-level risks

Group risks may affect a discrete group within the agency, including:

  • group or project outputs
  • physical locations
  • group assets
  • specialised or highly classified ICT networks.

The levels of group personnel security risk reviews will depend on the complexity of an agency’s operations and are more heavily focused on impediments to meeting outcomes.

Each group with identifiable specific risks should undergo a separate personnel security review.

As group-level personnel security risks are related to outputs, the personnel security risk review is best commenced as part of the operational planning risk assessment.

The threats identified in the agency-level personnel security risk review provide the starting point for the review.

The group-level assessment should identify employees who may have greater potential to cause harm due to their:

  • access to more, or more sensitive, protectively marked information
  • knowledge and skills
  • increased access to valuable assets.

Individual risks

Some positions may have specific risks that differ from other positions within the agency.

Where this is the case, the position should have its individual risks identified and managed.

Some individuals may be employed for specific roles even though they pose an increased risk to the agency, for example because of their:

  • personal conduct
  • allegiance
  • past criminal activity
  • alcohol or drug misuse
  • involvement in issue motivated groups.

These individuals will require individual personnel security risk management programmes.


3 Principles of Personnel Security Management

An effective personnel security management regime will:

  • reduce the risk of employing staff who are likely to present a security concern
  • minimise the likelihood of employees becoming a security concern
  • implement security measures in a way that is proportional to the risk
  • reduce the risk of insider activity, protect the organisation's assets and, where necessary, carry out investigations to resolve suspicions or to provide evidence for disciplinary procedures.

Pre-employment screening is important in reducing the risk of insider threat, but it is not a complete solution.

People and their attitudes change, either gradually or in response to specific events. Insider acts are often carried out by employees who had no malicious intent when joining the organisation but whose loyalties changed after recruitment.

Agencies must maintain a continuous commitment to minimise their vulnerability to insider threat.

A good personnel security regime will implement a range of measures complementary to the organisation's physical and IT security regimes to counter the unpredictable and diverse nature of insider threat.

For more information on effective personnel security please refer to the Personnel Security Guide.


4 National security clearance requirements

Good personnel security regimes provide a level of assurance as to the honesty, trustworthiness and loyalty of people who have access to government resources.

Where employees and contractors will have regular and ongoing access to protectively marked information and resources at CONFIDENTIAL, SECRET or TOP SECRET level, higher levels of assurance are required.

Security vetting is the process by which NZSIS assesses an individual's loyalty to New Zealand, integrity and trustworthiness, and their suitability for access to national security information.

Agency heads may grant a national security clearance to an employee or contractor only after they have received a security vetting recommendation from NZSIS.


4.1 Determining the need for a national security clearance

The government expects that the number of people who require national security clearances to perform their work will be kept to a minimum.

It is an agency’s decision as to which duties and tasks require a person to have ongoing access to information protectively marked CONFIDENTIAL or above and, therefore, to hold a national security clearance.

The NZSIS is responsible for the security vetting process and for making recommendations on security trustworthiness.

Agency heads are responsible for granting national security clearances and managing risk.

National security clearances are not required for access to information protectively marked SENSITIVE, IN CONFIDENCE or RESTRICTED.

Access to this and other official information is granted at the agency’s discretion based on standard pre-employment checks.

The recommended base level for pre-employment checks is:

  • identity verification
  • confirmation of citizenship
  • confirmation of right to work in New Zealand
  • criminal records check
  • confirmation of employment history
  • character references.

For more information about establishing someone’s identity during the recruitment process, visit the Department of Internal Affairs’ website. Go to: www.dia.govt.nz


4.2 National security clearance levels

The levels of vetting and the resulting national security clearance are on an escalating scale. For each step up the scale, there is an increase in:

  • the degree of intrusion into candidates' privacy
  • the breadth and depth of inquiries
  • the time required for completion of inquiries
  • the time required for assessments and recommendations
  • the degree of assurance of the individual's trustworthiness, honesty and loyalty to New Zealand.

The four security clearance levels are listed below.

CONFIDENTIAL Vetting (CV)

Vetting at the CONFIDENTIAL level is ‘negative’ in that inquiries are usually limited to checking records for adverse indicators.

If nothing negative is found, the national security clearance will usually be recommended.

Unless the requesting agency provides compelling reasons otherwise, the candidate’s background must be checkable for the previous five years or back to age 18.

SECRET Vetting (SV)

Vetting at the SECRET level is an ‘intermediate’ vetting involving more extensive enquiries than for a ‘negative vetting’.

The consideration not only assesses whether there is anything adverse known about the candidate, but it also needs to establish some positive assurance.

Unless the requesting agency provides compelling reasons otherwise, the candidate’s background must be checkable for the previous ten years or back to age 18.

Where concerns are identified, the assessor must be satisfied that these are manageable.

TOP SECRET Vetting (TSV)

For vetting at the TOP SECRET level, the security assessment must be ‘positive’.

This requires that the assessor be positively satisfied, on the basis of information gained from extensive inquiries, that the candidate is suitable to have access to the highest levels of protectively marked information.

The minimum age for a TOP SECRET Vetting is 20.

Unless the originating organisation provides compelling reasons otherwise, the candidate’s background must be checkable for the previous ten years or back to age 18.

A favourable assessment depends on the extensive inquiries providing sound reasons why the candidate should be considered trustworthy in the security context and suitable to have access to the highest levels of national security information.

If security concerns are identified, these must be rebutted or allayed, or there must be solid grounds to believe that any residual risk can be managed, before a favourable assessment can be made.

TOP SECRET SPECIAL Vetting

This level of security vetting is limited to members of the New Zealand Intelligence Community (NZIC), some groups and individuals within the Department of the Prime Minister and Cabinet (DPMC), New Zealand Customs Service, Ministry of Foreign Affairs and Trade (MFAT) and New Zealand Defence Force (NZDF) and some agency heads who will have frequent access to the highest levels of national security information and a wide need-to-know requirement.

More extensive inquiries are conducted in these instances.

For an initial clearance, the candidate’s identity and background must be checkable for the previous 15 years or back to age 18.

The minimum age for a TOP SECRET SPECIAL Vetting is 20.

The assessment must be compellingly positive with no residual security concerns.


4.3 Recruiting for positions that require national security clearances

It is good practice to advise potential applicants at the time of advertising that the position requires a national security clearance and to outline the criteria for eligibility.

This may deter applicants who are ineligible or who are unwilling to undergo the security vetting process from applying for the position.

When recruiting for roles which involve the national security of New Zealand, agencies are exempt from certain legislation:

Section 19(3)(d)(i) of the Criminal Records (Clean Slate) Act 2004 applies to people applying for employment in a position that involves the national security of New Zealand. Candidates for these roles must declare all previous convictions.

Section 25 of the Human Rights Act 1993 allows employers to consider certain factors which in other cases might amount to discrimination. This means that a candidate’s religious or ethical beliefs, political opinion, disability, family status, national origin and age may be considered in the recruitment process.

National security clearance as a condition of employment

It is good practice to make the requirement to obtain and maintain a national security clearance a condition of employment.

Ideally agencies should notify potential applicants at the time of advertising, but notification should occur prior to making an offer of employment.

Eligibility for security vetting

Once the agency selects the preferred candidate for a position, his or her eligibility to gain a national security clearance can be considered by NZSIS.

New Zealand citizens or holders of a Residence Class visa whose backgrounds can be checked for the requisite period are eligible for security vetting. The requisite period is five years for CONFIDENTIAL clearances, 10 years for SECRET and TOP SECRET clearances, and 15 years for TOP SECRET SPECIAL clearances.

If a candidate has spent a considerable period of his or her adult life outside New Zealand, the case must be discussed with NZSIS before it is submitted.

If NZSIS is unable to make meaningful and reliable checks in the candidate’s country or countries of residence, it will be difficult to make an accurate and reliable vetting assessment and the vetting request may not be accepted.

Foreign nationals

If agencies do grant a national security clearance to a foreign national, agencies should place a condition on the candidate's employment that they gain New Zealand citizenship by a specific date.

Agencies must not allow foreign nationals granted a national security clearance to access protectively marked material originating from a third country unless that country has specifically approved the release.

The consequences of exposing New Zealand and allied agencies’ information to compromise are such that foreign nationals are not permitted to access protectively marked material which carries the endorsement marking NEW ZEALAND EYES ONLY (NZEO).

For further information, refer to New Zealand Government Security Classification System.


4.4 Requesting a security vetting from NZSIS

Agencies must authorise all requests to NZSIS for security vettings. Requests must be made using the Online Vetting Request (OVR) system.

Agencies must have trust and confidence in the candidate and his or her ability to gain a favourable recommendation for a national security clearance before submitting a security vetting request to the NZSIS.

Urgent vetting requests

Urgent vetting requests will be given priority by NZSIS. Agencies should contact NZSIS to discuss these cases prior to sending requests.

When requests for priority handling are lodged, agencies must include:

  • a brief description of the circumstances that make the case urgent
  • the date by which a response is required.

Agencies should only request urgent handling in circumstances where there is a critical requirement for rapid resolution of the security vetting.

Examples of such circumstances may include, but are not limited to, short-notice security vetting for:

  • overseas postings or deployments
  • involvement in security-related court cases
  • attendance at courses for which a clearance is required.

Requests for urgent priority processing on the basis of the age of the case, the requirements of the position or other non-time-specific issues will not be given urgent status unless there are exceptional circumstances.

Agencies must not grant ‘waivers’, ‘interim’ or ‘temporary’ security clearances while waiting for a recommendation from the NZSIS.

Emergency access to protectively marked information

In an operational emergency, agency heads or managers with delegated authority may authorise supervised access for staff to protectively marked material one level above their current national security clearance level, if the circumstances demand.

‘Emergency access’ is defined as access:

  • where an urgent and critical operational need for access to particular material is established and there is insufficient time to complete vetting inquiries and grant a clearance
  • only to specified material required for the particular emergency
  • for no longer than the duration of the emergency
  • governed by very strict application of the need-to-know rule.

Where emergency access to protectively marked material is required, such access must be authorised in writing, the appropriate briefing given and written acknowledgement of that briefing obtained before access is granted.

Staff granted emergency access should be debriefed at the conclusion of the emergency.

Agencies must not use these arrangements to allow access to protectively marked material that carries an endorsement or compartmented marking.

Emergency access must not be used for administrative or management purposes to facilitate entry or appointment into a position, or on reassignment of duties, while awaiting completion of a full security clearance.


4.5 Actions on receipt of an NZSIS vetting recommendation

NZSIS will advise the CSO when a security vetting is completed. The recommendation will usually be provided as a formal letter or by email.

The clearance may be recommended:

  • at the level requested
  • at a lower level
  • with specific security clearance management provisions (‘qualifications’).

CSOs must advise NZSIS of their decision.

Action when clearance is recommended at the requested level

Agencies must provide the candidate with:

  • a briefing on his or her responsibilities in relation to information handling
  • details of action in case of a change in circumstance
  • details of the agency’s security awareness training programme.

Action when the clearance is not granted, or granted at a lower level

The agency must withdraw any access to protectively marked information or resources above the level of the clearance recommended (if any) until such time as any reviews or appeals are finalised.

If the NZSIS has concerns that may lead to a recommendation other than a security clearance at the requested level, and it considers this appropriate, it will advise the agency to withdraw access as soon as those concerns are identified.

The CSO should advise the human resources manager of the outcome if the clearance was a condition of employment.

The agency can then:

  • confirm the employment condition is met
  • take appropriate action to withdraw the offer of engagement, redeploy the employee, or terminate the employment.

Agencies should wait until the conclusion of any appeals or reviews requested by the candidate against the recommendation, and seek legal advice, before deciding to continue with or withdraw an offer of employment, redeploy the candidate or terminate the candidate’s employment.

The CSO should inform the candidate’s manager of the outcome. The manager should not be given details of any qualifications to the clearance other than what is necessary for the management of the employee.

Specific security risk management recommendations

Agencies should observe any specific security risk management recommendations ('qualifications') that are made by NZSIS.

Advice to NZSIS

Agencies must advise NZSIS whenever they grant, downgrade, suspend or cancel a security clearance.

Record of clearances granted

Agencies must maintain a register of all personnel and contractors who have been granted security clearances.

Complaints

Vetting candidates have a statutory right of complaint to the Inspector-General of Intelligence and Security if they consider they have been adversely affected by any act, omission, practice, policy or procedure of NZSIS.

CSOs must advise candidates of this right.

Complaints must be made in writing and addressed to:

Inspector-General of Intelligence and Security

c/- The Registrar of the High Court of New Zealand

DX SX 11199

Wellington

More information is available at www.igis.govt.nz.

5 Ongoing personnel security clearance management


5.1 Management of national security clearance holders

Managers must advise their CSO of:

  • any changes in personal circumstances of employees or contractors holding a national security clearance
  • any concerns about the continued suitability to hold a national security clearance they may have about their staff.

Changes in personal circumstances

Agencies must advise all national security clearance holders of their responsibility to report any changes of personal circumstances.

Refer to Reporting Changes in Personal Circumstances.

CSOs should seek advice from NZSIS if they are unsure of the significance of changes in personal circumstances.


5.2 Recording of security breaches

Agencies should maintain records of all:

  • security infringements, including breaches of agency policy and procedures that do not lead to compromise of the national interest
  • security breaches such as an accidental or unintentional failure to observe the requirements for handling protectively marked material
  • security violations, including a deliberate action that leads, or could lead, to the compromise of protectively marked material.

Agencies have specific reporting requirements for breaches and violations.

For more information, refer to Reporting Incidents and Conducting Security Investigations.

Agencies should provide NZSIS with details of infringements and breaches where a clearance holder has a history of regular infringements or breaches.

Agencies must inform NZSIS of any security violations attributable to a clearance holder.

In most instances a security violation will require NZSIS to conduct a review for cause. The agency should also provide NZSIS with the details of any investigation that may be in progress (where privacy concerns allow).

Agencies should suspend access to protectively marked information or resources by a clearance holder following a violation until the investigation and/or review for cause are complete.


5.3 Contact and incident reporting

Clearance holders should report any notifiable contacts or requests to access agency assets or protectively marked information or resources.

Also refer to Contact Reporting.

Agencies should assess the reported contacts to determine whether there is any need to:


5.4 Lapses and transfers of security clearances

Unless NZSIS has recommended an early review, a national security clearance will expire after five years or when the holder leaves the employing organisation.

If an employee with a current national security clearance leaves an organisation for another government agency, the clearance can be transferred, that is, the agency head of the receiving department may immediately grant a new clearance, provided that the following conditions are met:

  • the original clearance must be less than four years old
  • the duties and level of access to protectively marked material in the old and new roles must be broadly similar
  • the transferred national security clearance must be at the same level or at a lower level than that originally granted
  • the holder of the national security clearance must move directly from one government department to another, without an intervening period outside security oversight (for example, overseas residence or extensive travel)
  • the agency head of the receiving department must obtain from the releasing department:
    • a copy of the NZSIS vetting recommendation as it may contain important security risk management advice
    • written assurance of the clearance holder’s continuing suitability to hold a national security clearance
    • notification of any relevant changes in personal circumstance that have occurred post-assessment and confirmation that they have been notified to NZSIS.

When a security clearance transfer has occurred, NZSIS must be advised. The transferred national security clearance will lapse five years from the date of the original NZSIS recommendation, or from the date the clearance was granted by the original agency head.


5.5 Actions where a clearance holder leaves an agency

Depending on the level of the clearance held, the actions when a clearance holder leaves an agency should include debriefs for any access to compartmented information, exit appraisals and post-separation contact arrangements between the clearance subject and the employing agency.

Exiting staff must be reminded of the need for continued discretion and their lifelong obligation to protect protectively marked information.

An agency should advise NZSIS when clearance holders leave their employment.


Last modified: 18 December 2014