1 Introduction


1.1 Purpose

The purpose of the protocol is to:

  • provide guidance on achieving a consistent approach to physical security management
  • assist agencies to fulfil their security and management obligations and responsibilities.

1.2 Audience

This protocol applies to:

  • security employees such as Chief Security Officers (CSOs), security consultants and security practitioners within agencies who are responsible for:
    • assessing risks to agency people, information or assets
    • everyday physical security in the agency
    • specifying, designing, and building technical physical security controls at New Zealand government locations
    • developing agency-specific physical security policies and procedures used by agency employees.
  • managers to assist in meeting their governance responsibilities
  • staff responsible for promoting and assessing compliance with physical security in corporate functions such as internal audit, human resources, risk management, compliance, legal, and occupational health and safety
  • external parties such as business partners, external auditors and industry regulators to understand the New Zealand government’s overall physical security position and, where fitting, to evaluate or direct the operation of specific physical security controls to meet their contractual obligations.

1.3 Definition of physical security

Physical security is a combination of physical and procedural measures designed to prevent or mitigate threats or attacks against people, information and assets. Often a measure designed to meet one particular physical security goal may address others.

A physical security programme has the following aims.

  • Deter - these are measures that adversaries perceive as too difficult or needing special tools and training to defeat.
  • Detect - these are measures implemented to determine if an unauthorised action is occurring or has occurred.
  • Delay - these are measures implemented to:
    • impede an adversary during an attack
    • slow the progress of a detrimental event to allow a response before agency information or physical assets are compromised.
  • Respond - these are measures taken once an agency is aware of an attack or event to prevent, resist or mitigate the attack or event.
  • Recover - these are measures taken to restore operations to normal (as far as possible) following an incident.

Physical security is more than protection against national security threats. 

It should address all hazards an agency may face in the protection of people, information, functions and physical assets including:

  • civil disturbance, for example, riots, insurrections and protests
  • crime, including personal and property crimes
  • workplace violence such as assault, harassment and revenge attacks
  • terrorism, including bombing, extortion, white powder incidents and kidnapping
  • natural disasters such as flood, bush fire, earthquake and pandemics
  • industrial disasters, including explosions, building fires, structural collapse and other major accidents
  • other risks, for example, disturbed persons and traffic accidents.

Physical security measures complement personnel security, information handling, communications and computer security procedures.


1.4 Scope

The physical security management protocol and associated requirements detail the standards required to:

  • comply with core policies
  • meet the seven mandatory physical security requirements of the New Zealand Protective Security Requirements (PSR).

1.5 Compliance requirements

A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are the baseline controls unless the control is demonstrably not relevant to the respective agency and this can be clearly demonstrated to the agency head or accreditation authority.

A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice.  Valid reasons for not implementing a control could exist, including:

  1. a control is not relevant because the risk does not exist, or
  2. a process or control(s) of equal strength has been substituted.

Agencies must recognise that not using a control without due consideration may increase residual risk for the agency. This residual risk needs to be agreed and acknowledged by the agency head. In particular, an agency should pose the following questions:

  1. Is the agency willing to accept additional risk?
  2. Have any implications for All of Government security been considered?
  3. If so, what is the justification?

A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.

The PSR provides agencies with mandatory and best practice security measures.

The controls detailed above describe if and when agencies need to consider specific security measures to comply with the mandatory requirements.

Also refer to Strategic Security Objectives, Core Policies and the Mandatory Requirements For Agencies.


1.6 Relevant standards

The standards relevant to this protocol are outlined in the New Zealand and International Standards, Handbooks and Codes listed in Annex A.


1.7 Relevant requirements and legislation

This protocol should be read in conjunction with the following classified material. Please contact the PSR team for further information.

  • NZSIS Technical Note – Physical Security of Intruder Resistant Areas.
  • NZSIS Technical Note – Physical Security of Secure Areas.
  • NZSIS Technical Note – Physical Security of Zone 5 Areas.
  • other guidelines that give more advice on specific topics.

1.8 Policy context

This protocol is part of the third tier of the New Zealand government’s physical security policy hierarchy, as shown in Figure 1.

This protocol draws its authority from the Strategic Security Objectives, Core Policies and the Mandatory Requirements for Agencies and should be read in conjunction with:

Figure 1: Protective Security Requirements Framework



1.9 Documents given authority by this protocol

The documents given authority by this protocol are:

  • New Zealand Government Physical Security Management Requirements:
  • New Zealand Security Intelligence Service (NZSIS) Technical Note - Physical Security of Secure Areas. This information is classified. Please contact the PSR team for further information.
  • NZSIS Physical Security of Zone 5 Areas (for TOP SECRET information and for areas with aggregations of information where the compromise, loss of integrity or unavailability thereof would result in a catastrophic business impact level) (under development)
  • NZSIS Physical Security of Intruder Resistant Areas. This information is classified. Please contact the PSR team for further information.
  • NZSIS Approved Products List (APL). This information is classified. Please contact the PSR team for further information.
  • NZSIS Technical Note - Class B Secure Room. This information is classified. Please contact the PSR team for further information.
  • NZSIS Technical Note - Class C Secure Room. This information is classified. Please contact the PSR team for further information.
  • other physical security requirements, technical notes, etc. published by the NZSIS and issued from time to time.

NZSIS technical notes and the APL are available on request to those with a genuine need-to-know.


1.10 Relationship to PSR structure

This protocol specifies physical security controls that are used to satisfy the mandatory requirements PHYSEC1 to PHYSEC7 of the Strategic Security Objectives, Core Policies and the Mandatory Requirements.

The standards and supporting requirements to this protocol amplify the protocol.

They detail how the controls should be implemented. Requirements include a mixture of mandatory and best practice physical security controls, and provide advice and supporting information.

These standards and requirements will evolve to reflect changes in technologies and the physical security risks. They are likely to change more often than the protocol.

The policy hierarchy is supported by various protective security management activities such as reporting and audit procedures, security awareness training and several compliance measures.

The protocol must be applied in conjunction with an agency’s other governance activities, strategies and business plans. The protocol, standards and requirements will inform the agency-specific physical security policy and procedures.


2 Agency physical security policies and procedures

Agencies must develop specific physical security policies and procedures to meet their business needs that:

  • are consistent with any controls in the protocol and requirements
  • complement and support other agency operational procedures.

Policies and procedures must take into account the risks created by the agency for others and the risks inherited from business partners.

Mandatory requirements

PHYSEC1: Agencies must provide clear direction on physical security through the development and implementation of an agency physical security policy and address agency physical security requirements as part of the overall agency security plan.

GOV6: Agencies must provide all staff, including contractors, with sufficient information and security awareness training to meet the obligations of the Protective Security Requirements (PSR).


2.1 Employee awareness of physical security measures

The best agency protection comes from employees maintaining a high level of security awareness. 

Agencies must inform their employees of agency physical security policies and procedures covering:

  • measures operating in the agency’s work environment and how they provide security-in-depth
  • what functions and resources the measures are designed to protect
  • how the measures interact and support governance, personnel and information security measures
  • the security responsibilities of the people working in each work area and location
  • the requirement to report security issues or incidents in work areas
  • any consequences of failing to adhere to policies and procedures.

Agencies must inform employees of any changes to physical security arrangements following changes to the roles, risks or threat levels of agencies.

Agencies should, where possible, advise employees of the reasons for the changes.

Refer to Security Awareness Training for more information on implementing awareness measures.


3 Agency physical security risk management and planning

Risk management supports decision-making. It provides an interface between key functions, processes and infrastructure that are essential to achieving organisational objectives.

Security risk management is a basic part of an agency’s wider risk management activities.

The identification, assessment and mitigation of security risks will assist in the overall management of organisational risk.

In a fully integrated risk management system, security risk management should be linked at each stage with all other risk management activities being undertaken, for example, financial, safety and agency business operations and reputation risk management. 

Mandatory requirements

PHYSEC1: Agencies must provide clear direction on physical security through the development and implementation of an agency physical security policy and address agency physical security requirements as part of the overall agency security plan.

GOV3: Agencies must adopt a risk management approach to cover all areas of protective security activity across their organisation, in accordance with the New Zealand Standard AS/NZS ISO 31000:2009 Risk Management - Principles and Guidelines.

GOV4: Agencies must develop their own set of protective security policies, plans and protocols to meet their specific business needs. Policies and plans must be reviewed every two years or sooner if changes in risks or the agency’s operating environment dictate.


3.1 Applying risk management and assurance levels in physical safety

Agencies must manage their physical security risks by reducing their residual risks to an acceptable level. 

Where this is not possible they must lower the likelihood of compromise, loss of availability, or loss of integrity to the lowest level possible.

Agencies must then give assurance in sharing arrangements by applying minimum controls determined by the business impact level or consequence of the compromise, loss of availability or loss of integrity of information or physical assets.

Refer to Figure 2 for a summary of the stages in applying risk management and assurance controls.

Figure 2: Summary of risk management and assurance controls


Security risk management

Agencies must apply the risk management approach detailed in AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines and should also consider HB 167:2006 Security Risk Management to assess their security risks.

The Security Risk Management Handbook may be purchased online at Standards NZ.

Agencies must establish the scope of their security risk assessment by identifying the people, information, physical assets and functions to be protected. They should determine the threats within New Zealand and abroad. 

Agencies must make an assessment of the vulnerability and criticality (that is, consequences) of the compromise, loss of integrity or unavailability of their information, people or physical assets, using the Business Impact Levels.

The Business Impact Levels (BILs) provide a method for determining the whole-of-government consequence of threats using predetermined criteria.

Agencies must use the identified risks to assess the likelihood and consequence of those risks occurring, based on the adequacy of existing controls and vulnerabilities.

Next, agencies must evaluate the risks in terms of their appetite for risk (tolerance) and the acceptability of the security risk.

Finally, agencies must put in place physical and procedural measures to appropriately minimise risks from man-made and environmental hazards.

For further information refer to the Security Risk Management Protocol Process outlined in HB 167:2006 Security Risk Management available for purchase from Standards New Zealand. 

Based on the effectiveness of existing controls, an agency should ensure risk mitigation measures manage security risks and are consistent with achieving its business objectives.

An appropriate and integrated security regime supports agency functions.

Note: As part of its risk assessment an agency must ensure it complies with any common law requirements and relevant legislation.

Threat assessments

Threat assessments are used to inform an agency’s risk assessment.

Agencies must assess their threats using internal and, if appropriate, external sources such as local police and other authorities.

Agencies must use a threat assessment obtained from the NZSIS:

  • in their risk assessment of all facilities handling, storing, processing or discussing material classified TOP SECRET or which carries a compartmented marking
  • where the compromise, loss of integrity or unavailability of an aggregation of information could have a catastrophic impact on national security.

An agency may also seek an NZSIS threat assessment for other facilities where a national security risk may arise from the compromise or disruption to agency operations.

Physical security risk assessments

Once any business impact arising from the compromise, loss of integrity or loss of availability of agency people, information and physical assets has been determined, risk assessments should:

  • take into account the aggregation of information and physical assets and the concentration of people
  • take into account the specific circumstances of each agency unit and other business risks of those units
  • reflect the particular business activities undertaken at, and the features of, each site
  • evaluate threats to and from neighbours
  • tailor security measures for each site to reduce the level of identified risks to an acceptable level in a cost effective way.

Where several alternative effective measures exist that would reduce the identified risk, agencies should choose the measures that best fit their business operations.

Agencies should use physical security risk assessments to inform the physical security components of their overall agency security plan.

Agencies must develop specific site plans for each individual site. These site plans are a subordinate element of the physical security component of the overall agency security plan. 

Agencies must create and maintain security risk registers appropriate to their risk management processes. Refer to HB 167:2006 Security Risk Management for more information.

Review of risk assessments

Agencies must assess their physical security risks as part of an on-going cycle for reviewing security risk and when:

  • undertaking new functions or varying existing functions
  • moving a function to a new environment (for instance, a new location or the current location is refurbished)
  • identifying a new risk or threat
  • identifying a change to the level of an agency risk or threat.

Risks to people

In accordance with the Health and Safety at Work Act 2015, agencies must:

  • take all reasonably practicable precautions to minimise the risk of harm to employees, clients and the public
  • ensure their physical security plans address the risk of harm to clients and the public.

Agencies must identify any risks to employees, clients and the public arising from measures or activities designed to protect information and physical assets and apply appropriate mitigation measures.

Risks to cultural holdings

Agencies with culturally significant holdings, for example, galleries and museums, may have to deal with security risks that are not present for other agencies.

In addition to conducting the risk assessment described previously (refer to the security risk management section), agencies should liaise with similar government and non-government organisations to check they have considered the full range of risks and control measures.


3.2 Assurance levels

Common, minimum controls apply to protecting New Zealand government protectively marked information.

They provide the levels of assurance agencies need in order to be confident the protectively marked information they share with other agencies will be protected in the same way and to the same level.

The minimum controls agencies must apply to protect the confidentiality, integrity and availability of protectively marked information are set out in this protocol and the following New Zealand Government Physical Security Management Requirements.

Where an agency’s risk assessment identifies the need for security control measures that exceed the minimum control measures for the level of protective marking applied to the information to be protected, stronger security control measures must be applied.

The minimum controls needed will depend on the business impact level of the compromise, loss of integrity or loss of availability of the information and physical assets.

Agencies should refer to the Business Impact Levels.


3.3 Security-in-depth

Security-in-depth is a multi-layered system in which security measures combine to support and complement each other, making it difficult for an external intruder or an employee to gain unauthorised access.

These can include physical, information, personnel or procedural measures. The range of measures is described in Security Zones and Risk Mitigation Control Measures.


3.4 Elements of physical security planning

A physical security plan documents an intended course of action to achieve specific security goals within a defined timeframe. It explains in detail what needs to be done, when, how and by whom.

Once agencies have completed their risk assessment, they must develop and implement physical security plans for all their facilities that treat the risks identified for each facility.

The planning should be a cyclic process to confirm ongoing suitability of the controls used. Refer to Figure 3.

Figure 3: Summary of the physical security planning cycle


Agency security plans must:

  • take into account the importance of people, information, assets and functions in achieving the strategic and operational objectives of the agency
  • take into account the aggregation of information and physical assets and concentration of people
  • include scalable measures to meet increased threat levels and be able to accommodate changes in the overall national threat level
  • include a system of controls and barriers designed to deter, detect, delay and respond to any threat, external or internal, that has an impact on the confidentiality, integrity or availability of information, or puts at risk people, functions or physical assets. This system must:
    • be in keeping with the value of the resources being protected and the risk to them
    • at least attain any minimum standards established through this protocol and supporting standards and requirements
    • demonstrate the links between risk assessments, risk mitigation and physical security measures adopted.

Also refer to HB 327:2010 Communicating and Consulting About Risk.

Agencies should develop physical security plans in accordance with the Security Zones and Risk Mitigation Control Measures.

Agencies can apply security-in-depth by placing zones within zones. This increases total delay times and creates additional barriers. Any unauthorised person trying to access the higher zones will meet increasing levels of controls.

Agency security plans must also address the risks associated with shared facilities and the security requirements for working away from the office.

Shared facilities

As well as addressing their own risks, agencies that share accommodation or facilities with other agencies must conduct a risk assessment and apply protective security measures collaboratively to address collective risks.

Agencies must evaluate the risks of co-tenancies in any shared facility when undertaking their risk assessment.

Agencies may need to consider the different threat profiles of separate business areas within their own agency when developing mitigations to another business area’s risks.

Security when working away from the office

When developing remote working policies and procedures, agencies must take into account any increased security risks to staff, information and physical assets.

For more information refer to Working Away From the Office.


4 Physical security mitigations

Physical security measures to protect people, information, physical assets and functions should protect the resources from compromise, loss of integrity, unavailability, damage or harm.

Access is unauthorised if it is not based on a legitimate need-to-know or sanctioned by government policy or agency directive.

A physical security system:

  • protects against unauthorised access
  • maintains integrity and availability
  • provides evidence of access
  • depending on the degree of security required, has the capability to initiate an appropriate response to unauthorised access.

Physical security measures are capable of mitigating a range of risks. However, given enough time and determination, an adversary can compromise almost any physical security measure.

Where measures fail to deter, they need to detect unauthorised access. Therefore, agencies should evaluate protective measures on their ability to detect unauthorised access and to delay it for an acceptable designated minimum period of time.

An important measure for evaluating detection and response measures is the time taken for an effective response. 

A response force should be capable of countering the anticipated activity of the intruder and should attend within a time commensurate with the delay measures.

Mandatory requirement

PHYSEC3: Agencies must ensure they fully integrate physical security early in the process of planning, selecting, designing and modifying their facilities.


4.1 Site planning

Agencies must assess whether the physical security environment is acceptable as part of their regular security risk assessment.

Agencies must use their site-specific risk assessments to assist them in preparing a site-specific security plan and include security requirements within other site development plans. 

Since physical security measures may be more expensive and less effective if introduced at a later stage, agencies should evaluate security requirements in consultation with their CSOs at the earliest stages of planning new sites or buildings, or alterations to existing buildings.

This includes, where relevant, early consultation with NZSIS, the Government Communications Security Bureau (GCSB) and other specialist agencies.

Agencies must prepare a site security plan for:

  • a new agency site
  • a greenfield site
  • facilities under construction
  • facilities undergoing major refurbishment.

In site-specific security plans, agencies must ensure that:

  • the security control measures provide enough delay to allow the planned response to take effect
  • physical security measures meet their business needs and complement and support other agency operational procedures
  • audio security, speech privacy and technical security counter-measures are employed to mitigate any over-sighting, over-hearing or technical surveillance risks identified
  • physical security measures do not unreasonably interfere with the public.

Agencies should also consider:

  • protective security measures for new buildings as early as possible, preferably during the concept and design stages
  • the siting within a facility of agency functions that need security measures, so these locations can be constructed to provide appropriate protection.

A site security plan documents measures to counter identified risks to the agency’s functions and resources at the site.

For more information on site security plans, refer to the Security Zones and Risk Mitigation Control Measures.

Agencies must assess the impact of the compromise, loss of integrity or unavailability of their site security plans to their security and operations and apply a suitable protective marking.

For more information, refer to the New Zealand Government Security Classification System and Handling Requirements for Protectively Marked Information and Equipment.

Agencies must include all relevant protective security mitigation measures or outcomes identified in the site security plan in building design briefs, requests for tender and contracts to ensure that they are included in the completed facility.

Site selection

Agencies should involve their CSO and other security personnel early in the site selection process to ensure the potential site can meet the agency’s security needs.

When determining the suitability of a site, agencies must evaluate the following factors.

  • Neighbourhood location - a number of neighbourhood-related issues may affect an agency’s decision to use a site and the protective security mitigation measures needed. These include local criminal activity, impact of the risks to/from neighbouring agencies and businesses, suitability of neighbours and over-sight of agency operations.
  • Standoff perimeter - a particular threat may dictate the need for a standoff distance to protect a building. It may not be possible in the urban environment to achieve an effective standoff distance for some threats. Agencies should evaluate risks from both pedestrian and vehicular threats.
  • Site access and parking - agencies should evaluate access through the standoff perimeter and into the facility for pedestrian traffic, delivery vehicles and cars. They may also need to control and monitor parking within their perimeter. While security measures aim to prevent or reduce the likelihood of events, their design still needs to accommodate normal business.
  • Building access points - agencies should ensure all building access points including entries, exits, air intakes and outlets, and service ducts can be secured.
  • Security Zones - agencies should evaluate the ability of the site to provide the security zones required by the agency risk assessment and security-in-depth at the site.

Agencies may find it helpful to refer to The Site Security Design Guide published by the United States General Services Administration, Public Buildings Service.


4.2 Security zones

The site security plan is to identify those areas in the site that require physical security measures.

Additional security measures apply to areas that process, handle and store protectively marked information and other official or valuable resources.

This protocol categorises these areas as security zones according to the security controls they implement, based on the following business impact levels.

  • Zone One - unsecured areas including out-of-office working arrangements. It provides limited access controls to information and physical assets, the loss of which would result in a business impact of low to medium. It also provides limited protection to people.
  • Zone Two - low security area with some controls and access control for visitors. It provides access controls to information and physical assets, the loss of which would result in a business impact up to very high. It also provides some protection to people.
  • Zone Three - security area with high security controls, strict control of visitors on a needs basis and controlled employee access. It provides access controls to information and physical assets, the loss of which would result in a business impact up to extreme. It also provides protection of people.
  • Zone Four - security area with higher levels of security controls and strict control of visitors and employees on a needs basis. It provides access controls to information the loss of which would result in a business impact up to extreme, and physical assets the loss of which would result in a business impact up to catastrophic. It also provides protection of people.
  • Zone Five - security area with the highest level of security controls and strict control of visitors and employees on a needs basis. It provides access controls to information the loss of which would result in a business impact up to catastrophic.

Agencies must follow the detailed guidance in Security Zones and Risk Mitigation Control Measures to determine how they should apply the security zone categories to treat their risks and integrate their security control measures.

The risk mitigation control measures for security zones are the minimum prescriptions. Where agencies face increased threats, for example, terrorism, foreign interference, politically motivated violence, criminal activity or cyber-attack, they should use their risk assessment to determine additional prescriptions above the minimum for any zone.


4.3 Accreditation of security zones

To encourage information sharing, agencies need to be confident that other agencies to which they provide information can adequately protect their information.

To achieve consistent security zone standards, agencies must apply the control measures, control components and individual elements detailed in tables 3 and 4 in Security Zones and Risk Mitigation Control Measures.

Agencies must certify the application of these measures and accredit the security zones as detailed in this protocol.

Agencies are responsible for accrediting security zones used to store information and physical assets, the loss of which would have a business impact level up to and including extreme, such as:

  • valuable physical assets
  • attractive, but not necessarily valuable physical assets
  • culturally significant physical assets irrespective of monetary value
  • official information.

Agencies are responsible for accrediting Zone Five security areas.

Zone Five security areas used to access compartmented marking material such as Sensitive Compartmented Information (SCI) or codeword information must also be accredited by the GCSB.

Before accreditation, agencies must obtain NZSIS certification for security zone security areas used to handle material with the security classification TOP SECRET, SCI, or aggregations of information, the compromise, loss of integrity or unavailability of which could cause a catastrophic impact on national security.

These certifications may be time-limited and may require recertification from time to time as advised by the NZSIS. CSOs can get advice on these certification requirements from NZSIS.

Minimum requirements for protecting protectively marked information

Agencies must comply with the security requirements for security Zones Three to Five set out in Security Zones and Risk Mitigation Control Measures for protecting protectively marked information, valuable physical assets, or the aggregation of information and physical assets, where the compromise, loss of availability, or loss of integrity of that material would cause extreme or catastrophic impact to national security.

Agencies must also comply with NZSIS Technical Note - Physical Security of Zone 5 Areas (This information is classified. Please contact the PSR team for further information.) when constructing security areas to store TOP SECRET information or aggregated information, the compromise, loss of integrity or unavailability of which may cause a catastrophic impact.

If for any reason an agency cannot meet these requirements, it must obtain approval for each site from the originator of the material to hold any TOP SECRET information or aggregation of information, the compromise, loss of integrity or unavailability of which would cause a catastrophic impact.

When constructing Zone Three or Four Areas to store protectively marked information, agencies must comply with NZSIS Technical Note - Physical Security of Secure Areas. This information is classified. Please contact the PSR team for further information.


4.4 Measures to control access to facilities, information and physical assets

Agencies must control access to their facilities, information and physical assets. This is achieved through a mixture of physical security measures including, but not limited to:

  • psychological barriers
  • building construction techniques
  • security containers
  • perimeter fences
  • vehicle barriers
  • receptionists and reception areas
  • front counters and interview or meeting rooms
  • monitored alarm systems
  • closed circuit television (CCTV)
  • access control systems
  • locks and keying
  • guards and patrols
  • audio security, speech privacy and technical security counter-measures.

Details of these measures are in Security Zones and Risk Mitigation Control Measures.

To ensure security-in-depth, agencies must:

  • use a combination of measures to protect and control access to their people, information, physical assets, and premises
  • select physical security products appropriate to the level of protection required as determined by their risk assessment.

Use of NZSIS-approved products

NZSIS tests and approves security products that primarily focus on safeguarding protectively marked information where compromise, loss of integrity or unavailability would result in a business impact level of high or above, products that prevent widespread loss of life, and other security products that require specialist testing. These approved items are listed in the NZSIS Approved Products List (APL).

Agencies must use NZSIS-approved equipment for the protection of people, official information and physical assets as identified in Security Zones and Risk Mitigation Control Measures.

Where not required by the Security Zones and Risk Mitigation Control Measures, an agency may use NZSIS-approved security equipment or use suitable commercial equipment that complies with identified security-related New Zealand or international standards for the protection of people, information or physical assets.

The NZSIS can provide advice to CSOs on selecting products for lower level security applications on request.

Many of the access control measures that can be used by agencies are complex and agencies may need specialist advice to assist in their design.


5 Protection of people

Mandatory requirements

PHYSEC2: Agencies must have in place policies and protocols to:

  • identify, protect and support employees under threat of violence, based on a threat and risk assessment of specific situations. In certain cases, agencies may have to extend protection and support, for example to family members
  • report incidents to management, human resources, security and law enforcement authorities, and/or WorkSafe New Zealand as appropriate
  • provide information, training and counselling to employees
  • maintain thorough records and statements on reported incidents.

PHYSEC4: Agencies must ensure that any proposed physical security measure or activity is consistent with relevant health and safety obligations.

PHYSEC5: Agencies must show a duty of care for the physical safety of members of the public interacting directly with the New Zealand government. Where an agency’s function involves providing services, the agency must ensure that clients can transact with the New Zealand government with confidence about their physical wellbeing.


5.1 Health and safety considerations in physical security

Agencies should determine the safety hazards arising from any security measures put in place and need to manage those safety hazards in accordance with the Health and Safety at Work Act 2015 and any other legislation which imposes safety obligations.

CSOs should be aware of any legislative requirements designed to protect agency employees, clients and the public. 

They should liaise with agency safety personnel in determining:

  • any security measures needed to ensure safety
  • safety concerns arising from any security measures.

Agency security measures should be integrated with other agency safety measures to ensure the safety and security of agency personnel, clients and the public.

Employees

An agency’s employees are central to its ability to function and need protecting. Agencies may not in all instances be able to guarantee the safety of their employees. However, agencies must take all reasonably practicable measures to mitigate possible security risks that could compromise staff safety.

Agencies must use their risk assessments to determine when increased protection of staff is required. In some instances agencies may need to extend protection to family members and others.

Agencies must take all reasonable steps to ensure the personal security of agency employees when working away from the office.

For more information, refer to Working Away from the Office.

Agencies must advise all employees of any security risks that may affect their personal safety or security. 

Agencies must:

  • advise employees of protective security measures and procedures
  • inform employees about the purpose of security procedures and employee responsibilities in implementing these procedures
  • advise employees that, in responding to a security incident, they should not take any actions that would unreasonably jeopardise their personal safety
  • inform employees about security incident reporting requirements.

More information can be found in Security Awareness Training and Reporting Incidents and Conducting Investigating Security Incidents.

Clients and the public

Under the Health and Safety at Work Act 2015 agencies must protect clients and the public from injury arising from agency activities.

Agencies must take reasonably practicable measures to protect all people within, and in the immediate vicinity of, their premises, and any person who may be at risk because of agency-related activities.

The security measures in place to protect the safety of employees may also provide safety measures to protect clients and the public.

Agency safety and emergency response managers should seek input from agency security staff when designing safety measures and ensure they complement the agency’s security needs and vice-versa.


5.2 Emergency procedures

Physical security procedures should complement agency emergency procedures.

Agencies should provide each employee with a summary of emergency and security procedures that are designed to ensure their safety including, but not limited to:

  • contact details for agency security and emergency response staff
  • contact details for general public emergency response organisations such as
    • 111: police, ambulance and fire
    • 0800 764 766: poisons information centre
  • evacuation procedures for earthquake, fire, bomb, chemical or biological hazards
  • any agency-specific security procedures in emergencies such as
    • bomb threat reporting procedures
    • suspect parcel/mail procedures
    • lock-down procedures for securing information and physical assets
  • any agency-specific safety procedures such as
    • handling aggressive people
    • interview procedures
    • vehicle safety.

For more information, refer to AS/NZS 4801:2001 Occupational Health and Safety Management Systems and The New Zealand Building Code.


6 Physical security of information and ICT equipment

Agencies must ensure their facilities containing official information provide a level of protection in keeping with the assessed business impact of the compromise, loss of integrity, or unavailability of the information, both during and outside working hours.

Agencies should assess the risk of surreptitious, covert and forced attack when protecting against unauthorised access to information.

Mandatory requirement

PHYSEC6: Agencies must implement a level of physical security measures that minimises or removes the risk of information assets being made inoperable or inaccessible, or improperly accessed or used.


6.1 Single items or limited amounts of information

Agencies must provide physical protection of hardcopy and electronic information in accordance with the business impact resulting from the compromise, loss of integrity or unavailability of the information. 

Table 1 summarises the likely links between protective markings and business impact levels of individual documents or limited amounts of information.

A limited amount of information is a grouping of information where the compromise, loss of integrity or unavailability does not increase the business impact level of the aggregation above the business impact of the protective marking of the information.

Table 1: Business Impact Levels (BILs) of individual documents or limited amounts of information

Individual document marking         Business impact level
Unclassified (may not be marked)    1 Low
IN CONFIDENCE                       2 Medium
SENSITIVE or RESTRICTED             3 High
CONFIDENTIAL                        4 Very High
SECRET                              5 Extreme
TOP SECRET                          6 Catastrophic

Notes:

  1. Agencies are required to protect individual documents in accordance with the Information Security Management Protocol and requirements.
  2. Material with a compartmented marking such as a codeword or SCI may attract additional mandatory security controls.
  3. Information is also required to be protectively marked in accordance with the New Zealand Government Security Classification System.

Agencies must exceed the measures detailed for security zones where:

  • risk assessments indicate that greater levels of protective security are necessary
  • the New Zealand public could reasonably expect the government to apply a higher level of protection
  • there is a legislative requirement for the higher level of protection.

Agencies must review the effectiveness of physical security measures applied to protect information holdings as part of their risk reviews.


6.2 Aggregations of information

Aggregation is a term used to describe compilations of protectively marked or unclassified official information that may require a higher level of protection than their component parts. 

This is because the combination generates a greater value and the consequence of compromise, loss of integrity or unavailability creates an increase in the business impact level.

Aggregation is particularly relevant to collections of electronic information.

Agencies must implement physical security measures to mitigate the risks associated with the impact of loss, compromise or unavailability of the aggregation of information. 

For more information, refer to Business Impact Levels.

TOP SECRET information or an aggregation of information that could cause catastrophic damage to New Zealand’s national security

Agencies holding TOP SECRET information or an aggregation of information, the loss of which could cause catastrophic damage to national security, must only store such information in areas certified by NZSIS as suitable before first use and after any modifications to the areas.

Agencies may arrange for another agency to hold their TOP SECRET information where they do not have the facilities to do so and the cost of establishing the necessary facilities is not justifiable. 

The agency owning the information is to provide and control access into any security containers used to hold its information.


6.3 ICT systems

As ICT systems are especially vulnerable to attack and misuse of information stored on them, they require particular care. 

For this reason they are protected by a combination of physical and logical controls. The logical controls are detailed in the New Zealand Information Security Manual.

In some cases logical controls provide an increased level of protection that may enable an agency to reduce the physical controls as detailed in this protocol.

Agencies must meet the physical security requirements for ICT systems set out in the Physical Security of ICT Equipment, Systems and Facilities.

In some cases the physical controls for ICT systems may vary from the controls used for hard copy information detailed in this protocol and associated requirements. 

The logical controls, used together with the physical controls, give an acceptable level of protection.

ICT systems that do not apply the logical controls identified in the New Zealand Information Security Manual must meet or exceed, based on their risk assessment, the controls identified in the Security Zones and Risk Mitigation Control Measures.

In addition, agencies should:

  • ensure the CSO is involved in the ICT systems planning processes so that the physical security requirements are suitable for the ICT equipment and operations
  • restrict access to ICT equipment used to store or process official information to authorised personnel with a need-to-know
  • provide physical security to all components of their ICT systems, including cabling, taking into account the level of protection given by any encryption. Refer to the New Zealand Information Security Manual for more information.

Agency business continuity plans and other disaster response and recovery plans should include reference to the security requirements for ICT systems and electronic information.

Agencies may need to consult the GCSB before installing ICT systems.

ICT facility security

ICT facilities include, but are not limited to:

  • server rooms
  • datacentres
  • backup repositories
  • storage areas for ICT equipment that hold official information, etc.

Agencies must use the appropriate security zone to protect facilities housing ICT systems. 

Agencies must determine the zone required using Physical Security of ICT Equipment, Systems and Facilities.

Alternatively, they should select the security zone based on their risk assessment or Security Zones and Risk Mitigation Control Measures (whichever is higher). 

Agencies must ensure that any outsourced ICT facilities meet any identified requirement for the protection of aggregated information.

Refer to Management of Aggregated Information for more information.

Agencies using datacentres should liaise with other agencies also using the datacentre to assess the aggregation of all official information held by the datacentre.

Physical entry control

Agencies must use suitable entry controls to restrict entry to authorised employees to security zones holding ICT assets.

Protecting against external and environmental threats

Agencies should consider manmade and environmental threats to ICT systems in their security risk review and apply controls that minimise the risks in accordance with the security zones methodology described in Security Zones and Risk Mitigation Control Measures.

Security clearances for staff working in areas containing ICT servers

Agencies must ensure all staff who can access ICT servers, or who work in areas that contain ICT servers or store ICT assets, are appropriately security cleared. 

The level of security clearance required will depend on the business impact resulting from the compromise of the aggregate information stored on the servers or ICT assets. 

Refer to the Personnel Security Management Protocol.

Agencies should supervise access to ICT servers, restricting access to a need-to-know basis.


6.4 ICT equipment security

ICT equipment that requires protection includes any device that can store data such as:

  • computers, desktop or laptop and servers
  • photocopiers, multi-function devices, printers
  • fax machines
  • mobile telephones
  • digital cameras
  • personal electronic devices
  • electronic storage media such as USB sticks, CDs, DVDs, radio-frequency identification (RFID) tags and systems.

ICT equipment is normally supported by utilities and cabling that may also require protection.

ICT equipment location

Agencies should locate ICT equipment in a security zone suitable for protecting either the aggregate of information stored on the equipment, or the value of the equipment, whichever requires the greater protection. 

Refer to Physical Security of ICT Equipment, Systems and Facilities and Security Zones and Risk Mitigation Control Measures.

Supporting utilities

Agencies should protect ICT equipment from power failures and other disruptions to supporting utilities.

They should have an uninterrupted power supply to ICT systems, particularly servers, that allows them to at least close down systems and preferably to continue operating.

Cabling security

Agencies must apply the cabling security controls in the New Zealand Information Security Manual - Communications Security.

Equipment maintenance

Agencies should maintain equipment in accordance with the manufacturer’s directions in order to ensure availability and integrity.

Removal of ICT equipment from agency premises

Agencies must have a policy on removing ICT equipment from their facilities that prohibits employees from doing so without prior authorisation. 

Refer to New Zealand Information Security Manual - Working Off-Site and Working Away from the Office for more information.

Security of equipment when not on agency premises

Agencies must apply physical security measures to off-site equipment that address the risks to the equipment and the information it holds.

Agencies must apply the logical controls detailed in the New Zealand Information Security Manual - Working Off-Site.

Secure disposal or reuse of ICT equipment

Agencies must sanitise or destroy all ICT equipment and media before disposal in accordance with the New Zealand Information Security Manual - Product Security and Media Security.

Agencies may re-use ICT equipment if it has been sanitised in accordance with the New Zealand Information Security Manual - Product Security and Media Security.

Additional information

For further guidance on ICT systems security refer to the following documents.


7 Physical security in emergency and increased threat situations

Mandatory requirements

PHYSEC7: Agencies must develop plans and protocols to move up to heightened security levels in case of emergency and increased threat. The New Zealand Government may direct its agencies to implement heightened security levels.

GOV10: Agencies must establish a business continuity management (BCM) programme to provide for the continued availability of critical services and assets and of other services and assets when warranted by a security threat or risk assessment.


7.1 Physical security in disaster management plans

As part of their security risk management process, and in collaboration with other responsibilities such as emergency management and business continuity management arrangements, agencies should evaluate their agency-specific disaster management plans that cover, but are not limited to, the following situations:

  • bombs and bomb threats
  • armed attack
  • hazardous substances or hoaxes
  • failure of essential services
  • fire and explosions
  • major accidents
  • natural disasters
  • social unrest
  • threatening telephone calls and letters
  • suspect packages.

Agencies must develop procedures to ensure the security of people, information and physical assets during incidents.

These procedures may include:

  • lock-down arrangements
  • after-hours alarm responses
  • physical security procedures when using business continuity plans.

7.2 Scalable security to meet increases in threat levels

Agency security plans must include security controls and procedures that are scalable to meet increases in risk as a consequence of a change in threat to the agency, staff or clients. 

As implementing control measures can be time consuming, agencies should integrate higher-level mitigations early if warranted.

Agencies must have the capability to quickly deploy security measures in an increased threat environment, with the aim to reduce the likelihood or consequences of a risk being realised. 

Agencies should tailor security measures to treat specific risks.

Agencies should consider making formal arrangements, in advance, to quickly acquire and deploy security measures if required. For example, security measures to treat foreign interference may differ from those used for hostile vehicle mitigation.


7.3 Involving CSOs in emergency response and recovery management

Agencies should consider physical security when developing their emergency response plans, Disaster Recovery Plans (DRPs) and Business Continuity Plans (BCPs). 

CSOs should be involved in the development of emergency response plans, DRPs and BCPs.

Agencies should consider exercising their emergency response plans with external agencies such as, but not limited to, co-tenants, police and fire service.


Last modified: 18 December 2014