The purpose of these requirements is to:
- provide guidance to achieve a consistent approach to determining physical security controls for Information and Communications Technology (ICT) equipment, systems and facilities holding New Zealand government information
- provide a consistent and structured approach to determining the suitable type and level of control required to:
  - mitigate the assessed risk
  - give suitable protection to information
  - provide assurance to other agencies and foreign governments for information sharing.
The audience for these requirements is:
- New Zealand government security management staff, specifically New Zealand Government ICT security management staff
- contractors to New Zealand government agencies providing physical security advice and services
- providers of facilities for New Zealand government ICT services and functions
- any other body or person responsible for the security of New Zealand government people, information or assets.
These requirements cover physical security measures for ICT equipment, systems and facilities within New Zealand government agencies and departments, and within other entities handling New Zealand government official information.
These requirements recognise that the predominant risks to electronic information (whether held in ICT equipment, systems or facilities) are from:
- the theft or loss of ICT equipment
- external cyber attack – the minimum mandatory logical controls to counter cyber attacks are detailed in the New Zealand Information Security Manual.
- trusted insiders – including, but not limited to, disgruntled or inexperienced users, contractors and administrators.
The controls identified in the New Zealand Information Security Manual are used to mitigate threats to the confidentiality, integrity and availability of information held on ICT equipment.
Physical security measures also mitigate these risks by restricting physical access to people with a genuine 'need to know'.
Agencies should develop procedures to minimise the risk of information on their ICT equipment being overlooked, that is, viewed by people who do not have a need to know.
These requirements support the implementation of the Protective Security Requirements (PSR).
They are part of a suite of documents that aid agencies to meet their physical security requirements.
Where legislative requirements prescribe higher controls than those identified in these requirements, the legislative controls take precedence and must be applied.
1.4 Compliance requirements
A control with a 'must' or 'must not' compliance requirement indicates that use of the control is mandatory. These are the baseline controls; a mandatory control may be omitted only where it is demonstrably not relevant to the agency and this can be clearly demonstrated to the agency head or accreditation authority.
A control with a 'should' or 'should not' requirement indicates that use of the control is considered good and recommended practice. Valid reasons for not implementing such a control could exist, including:
- the control is not relevant because the risk does not exist
- a process or control(s) of equal strength has been substituted.
Agencies must recognise that not using a control without due consideration may increase residual risk for the agency. This residual risk needs to be agreed and acknowledged by the agency head. In particular, an agency should pose the following questions:
- Is the agency willing to accept additional risk? If so, what is the justification?
- Have any implications for All-of-Government security been considered?
A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.
The PSR provides agencies with mandatory and best practice security measures.
The controls detailed above describe if and when agencies need to consider specific security measures to comply with the mandatory requirements.
1.5 Relevant standards
Other relevant requirements and documents are:
- ANSI/TIA-942 Telecommunications Infrastructure Standard for Data Centers
- AS/NZS ISO/IEC 27002:2006 Information Technology – Security Techniques – Code of Practice for Information Security Management
- New Zealand Government Information in Outsourced or Offshore ICT Arrangements
- Business Impact Levels
- Security Requirements of Outsourced Services and Functions
- New Zealand Information Security Manual
- Security Zones and Risk Mitigation Control Measures