The purpose of these requirements is to:
- assist in achieving a consistent approach to determining personnel security controls in agency facilities and the screening and evaluation of employees
- identify good practice related to decision-making principles and procedural fairness throughout the security vetting process
- help to establish consistent terminology for personnel security across the New Zealand government
- help agencies to better understand the security vetting process.
The audience for these requirements is:
- New Zealand government security and human resource management staff, security clearance holders and security vetting candidates
- contractors to the New Zealand government providing protective security advice and services
- any other individual or entity responsible for the security of New Zealand government people, information or assets.
These requirements cover:
- the procedural fairness guidelines used in the security vetting process
- candidates’ rights in regard to procedural fairness
- information for candidates who are adversely affected by a security vetting recommendation.
They support the Personnel Security Protocol and the wider New Zealand Protective Security Requirements (PSR).
These requirements are part of a suite of documents that help agencies meet their personnel security management requirements.
Natural justice/procedural fairness is a fundamentally important element of any personnel security regime.
1.4 Compliance requirements
A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are the baseline controls unless the control is demonstrably not relevant to the respective agency and this can be clearly demonstrated to the agency head or accreditation authority.
A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice. Valid reasons for not implementing a control could exist, including:
- a control is not relevant because the risk does not exist, or
- a process or control(s) of equal strength has been substituted.
Agencies must recognise that not using a control without due consideration may increase residual risk for the agency. This residual risk needs to be agreed and acknowledged by the agency head. In particular, an agency should pose the following questions:
- Is the agency willing to accept additional risk?
- Have any implications for All of Government security been considered?
- If so, what is the justification?
A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.
The PSR provides agencies with mandatory and best practice security measures.
The controls detailed above describe if and when agencies need to consider specific security measures to comply with the mandatory requirements.
Also refer to the Strategic Security Objectives, Core Policies and the Mandatory Requirements.