The purpose of the protocol is to:
- provide guidance on achieving a consistent approach to physical security management
- assist agencies to fulfil their security and management obligations and responsibilities.
This protocol applies to:
- security employees such as Chief Security Officers (CSOs), security consultants and security practitioners within agencies who are responsible for:
- assessing risks to agency people, information or assets
- everyday physical security in the agency
- specifying, designing, and building technical physical security controls at New Zealand government locations
- developing agency-specific physical security policies and procedures used by agency employees.
- managers to assist in meeting their governance responsibilities
- staff responsible for promoting and assessing compliance with physical security in corporate functions such as internal audit, human resources, risk management, compliance, legal, and occupational health and safety
- external parties such as business partners, external auditors and industry regulators to understand the New Zealand government’s overall physical security position and, where fitting, to evaluate or direct the operation of specific physical security controls to meet their contractual obligations.
1.3 Definition of physical security
Physical security is a combination of physical and procedural measures designed to prevent or mitigate threats or attacks against people, information and assets. Often a measure designed to meet one particular physical security goal may address others.
A physical security programme has the following aims.
- Deter - these are measures that adversaries perceive as too difficult or needing special tools and training to defeat.
- Detect - these are measures implemented to determine if an unauthorised action is occurring or has occurred.
- Delay - these are measures implemented to:
- impede an adversary during an attack
- slow the progress of a detrimental event to allow a response before agency information or physical assets are compromised.
- Respond - these are measures taken once an agency is aware of an attack or event to prevent, resist or mitigate the attack or event.
- Recover - these are measures taken to restore operations to normal (as possible) following an incident.
Physical security is more than protection against national security threats.
It should address all hazards an agency may face in the protection of people, information, functions and physical assets including:
- civil disturbance, for example, riots, insurrections and protests
- crime, including personal and property crimes
- workplace violence such as assault, harassment and revenge attacks
- terrorism, including bombing, extortion, white powder incidents and kidnapping
- natural disasters such as flood, bush fire, earthquake and pandemics
- industrial disasters, including explosions, building fires, structural collapse and other major accidents
- other risks, for example, disturbed persons and traffic accidents.
Physical security measures complement personnel security, information handling, communications and computer security procedures.
The physical security management protocol and associated requirements detail the standards required to:
- comply with core policies
- meet the seven mandatory physical security requirements of the New Zealand Protective Security Requirements (PSR).
1.5 Compliance requirements
A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are the baseline controls unless the control is demonstrably not relevant to the respective agency and can be clearly demonstrated to the agency head or accreditation authority.
A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice. Valid reasons for not implementing a control could exist, including:
- a control is not relevant because the risk does not exist
- or a process or control(s) of equal strength has been substituted.
Agencies must recognise that not using a control without due consideration may increase residual risk for the agency. This residual risk needs to be agreed and acknowledged by the agency head. In particular an agency should pose the following questions:
- Is the agency willing to accept additional risk?
- Have any implications for All of Government security been considered?
- If so, what is the justification?
A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.
The PSR provides agencies with mandatory and best practice security measures.
The controls detailed above describe if and when agencies need to consider specific security measures to comply with the mandatory requirements.
1.6 Relevant standards
The standards relevant to this protocol are outlined in the New Zealand and International Standards, Handbooks and Codes listed in Annex A.
1.7 Relevant requirements and legislation
This protocol should be read in conjunction with the following classified material. Please contact the PSR team for further information.
- NZSIS Technical Note – Physical Security of Intruder Resistant Areas.
- NZSIS Technical Note – Physical Security of Secure Areas.
- NZSIS Technical Note – Physical Security of Zone 5 Areas.
- other guidelines that give more advice on specific topics.
1.8 Policy context
This protocol is part of the third tier of the New Zealand government’s physical security policy hierarchy, as shown in Figure 1.
This protocol draws its authority from the Strategic Security Objectives, Core Policies and the Mandatory Requirements for Agencies and should be read in conjunction with:
- Introduction and Overview to the Protective Security Requirements
- Security Structure and Agency Responsibilities
- Personnel Security Protocol
- Information Security Management Protocol
- Business Impact Levels
- New Zealand Information Security Manual (NZISM) relating to the physical security of Information Communications Technology (ICT) systems and equipment
- any agency specific legislation.
Figure 1: Protective Security Requirements Framework
1.10 Relationship to PSR structure
This protocol specifies physical security controls that are used to satisfy the mandatory requirements PHYSEC1 to PHYSEC7 of the Strategic Security Objectives, Core Policies and the Mandatory Requirements.
The standards and supporting requirements to this protocol amplify the protocol.
They detail how the controls should be implemented. Requirements include a mixture of mandatory and best practice physical security controls, and provide advice and supporting information.
These standards and requirements will evolve to reflect changes in technologies and the physical security risks. They are likely to change more often than the protocol.
The policy hierarchy is supported by various protective security management activities such as reporting and audit procedures, security awareness training and several compliance measures.
The protocol must be applied in conjunction with an agency’s other governance activities, strategies and business plans. The protocol, standards and requirements will inform the agency-specific physical security policy and procedures.