The purpose of these requirements is to:
- support the New Zealand government’s development of a series of systems and processes intended to protect information from potential compromise through accidental or deliberate disclosure
- protect official information by ensuring New Zealand government employees are aware of the risk posed by foreign intelligence services and other threat groups in New Zealand and overseas, that are potentially collecting official information
- support the New Zealand Government Contact Reporting System, overseen by the New Zealand Security Intelligence Service (NZSIS), which records and analyses potential threats to information collection posed by foreign or domestic adversaries
- provide guidance on achieving a consistent approach to help agencies protect their people, information and assets
- provide assurance to other agencies when sharing information and assets
- provide the types of controls that are suitable to address contact reporting concerns
- help establish consistent terminology for personnel security across the New Zealand government.
The audience for these requirements is:
- New Zealand government security management staff
- contractors to the New Zealand government providing protective security advice and services
- any person or body with access to New Zealand's official or protectively marked information
- any other body or person responsible for the security of New Zealand government people, information or assets.
These requirements cover:
- the New Zealand contact reporting system
- potential contact threat sources, scenarios and indicators
- reporting criteria and procedures
- the implementation of the contact reporting process.
The requirements relate to personnel security measures where there is the potential for the compromise of official information, including protectively marked information, through accidental or deliberate disclosure within New Zealand government facilities, within facilities handling New Zealand government information and assets or where New Zealand government employees are located.
They support the implementation of the New Zealand Protective Security Requirements (PSR).
In particular, they support the Personnel Security Management Protocol.
They are part of a suite of documents that aid agencies to meet their personnel security requirements.
Where legislative requirements are higher than controls identified in these requirements, legislative controls take precedence and must be applied.
Agencies should protect any information or assets provided by another government in accordance with international agreements.
Also refer to Safeguarding Foreign Government Information (under development).
1.4 Compliance requirements
A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are the baseline controls unless the control is demonstrably not relevant to the respective agency and can be clearly demonstrated to the agency head or accreditation authority.
A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice. Valid reasons for not implementing a control could exist, including:
- a control is not relevant because the risk does not exist
- a process or control(s) of equal strength has been substituted.
Agencies must recognise that not using a control without due consideration may increase residual risk for the agency. This residual risk needs to be agreed and acknowledged by the agency head. In particular an agency should pose the following questions:
- Is the agency willing to accept additional risk?
- Have any implications for All of Government security been considered?
- If so, what is the justification?
A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.
The PSR provides agencies with mandatory and best practice security measures.
The controls detailed above describe if and when agencies need to consider specific security measures to comply with the mandatory requirements.