1 Introduction

1.1 Purpose

The purpose of these requirements is to:

  • provide guidance to achieve a consistent approach to determining physical security controls for Information and Communications Technology (ICT) equipment, systems and facilities holding New Zealand government information
  • provide a consistent and structured approach to determining the suitable type and level of control required to:
    - meet the mitigation and associated assessed risk
    - give suitable protection to information
    - provide assurance to other agencies and foreign governments for information sharing.

1.2 Audience

The audience for these requirements is:

  • New Zealand government security management staff, specifically New Zealand Government ICT security management staff
  • contractors to New Zealand government agencies providing physical security advice and services
  • providers of facilities for New Zealand government ICT services and functions
  • any other body or person responsible for the security of New Zealand government people, information or assets.

1.3 Scope

These requirements cover physical security measures of ICT equipment, systems and facilities within New Zealand government agencies and departments or other entities handling New Zealand government official information.

These requirements recognise the predominant risks to electronic information (whether held in ICT equipment, systems or facilities) are from:

  • the theft or loss of ICT equipment
  • external cyber attack – the minimum mandatory logical controls to counter cyber attacks are detailed in the New Zealand Information Security Manual.
  • trusted insiders – including, but not limited to, disgruntled or inexperienced users, contractors and administrators.

The controls identified in the New Zealand Information Security Manual are used to mitigate threats to the confidentiality, integrity and availability of information held on ICT equipment.

Physical security measures also mitigate these risks by restricting access to people with a genuine 'need to know'.

Agencies should develop procedures to minimise the risk of oversight of information on their ICT equipment.

These requirements support the implementation of the Protective Security Requirements (PSR).

They are part of a suite of documents that aid agencies to meet their physical security requirements.

Also refer to AS/NZS ISO/IEC 27002:2006 Information Technology – Security Techniques – Code of Practice for Information Security Management, Section 9 – Physical and Environmental Security.

Where legislative requirements prescribe higher controls than those identified in these requirements, the legislative controls take precedence and must be applied.

1.4 Compliance requirements

A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are the baseline controls; a mandatory control may be omitted only where it is demonstrably not relevant to the respective agency and this can be clearly demonstrated to the agency head or accreditation authority.

A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice. Valid reasons for not implementing a control could exist, including:

  1. a control is not relevant because the risk does not exist
  2. a process or control(s) of equal strength has been substituted.

Agencies must recognise that not using a control without due consideration may increase residual risk for the agency. This residual risk needs to be agreed and acknowledged by the agency head. In particular, an agency should pose the following questions:

  1. Is the agency willing to accept additional risk?
  2. Have any implications for All of Government security been considered?
  3. If so, what is the justification?

A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.

The PSR provides agencies with mandatory and best practice security measures.

The controls detailed above describe if and when agencies need to consider specific security measures to comply with the mandatory requirements.

Also refer to Strategic Security Objectives, Core Policies and the Mandatory Requirements for Agencies.

2 Physical security of ICT equipment

The primary purpose of ICT equipment is to facilitate the processing, storage and communication of agency information electronically.

ICT equipment that requires protection includes any device that can store information electronically such as:

  • computers – desktop, laptop or tablet
  • photocopiers, multi-function devices (MFDs) and printers
  • fax machines
  • mobile telephones
  • digital cameras
  • personal electronic devices
  • storage media, for example, portable hard drives, USB sticks, CDs, DVDs, radio frequency identification (RFID) tags and systems
  • network equipment, for example, routers, switches
  • voice systems, for example, PABX.

The level of protection that should be given to ICT equipment should be based on the higher Business Impact Level (BIL) that would result from:

  • the compromise, loss of integrity or unavailability of the aggregate of electronic information held on the equipment, or
  • the loss or unavailability of the ICT equipment itself.

Also refer to the Business Impact Levels.

2.1 Storage of ICT equipment when not in use

When ICT equipment is stored in dedicated ICT facilities the physical security controls should meet those detailed in Annex A.

Where ICT equipment is not stored in dedicated ICT facilities agencies should apply the physical security controls detailed in Security Zones and Risk Mitigation Control Measures.

The physical security controls should meet the requirements of Annex A or Security Zones and Risk Mitigation Control Measures and any additional controls required when justified by the agency security risk assessment.

Where agencies cannot meet the above requirement they should seek advice from the Government Communications Security Bureau (GCSB) on additional logical or technological solutions that may be available to lower the risks to electronic information when the equipment is not in use (see below).

2.2 Security of ICT equipment that cannot be kept in security containers or rooms when not in use

Agencies may not be able to secure some electronic equipment in security containers or rooms when not in use, for example, desktop computers, printers and MFDs.

In some circumstances, agencies may be able to fit removable non-volatile media (e.g. hard drives) that can then be secured in an appropriate security container when not in use.

In cases where the non-volatile media cannot be removed, agencies should determine the zone where the equipment can be kept based on the risks of obtaining information and the sensitivity of the information attainable from the equipment.

Agencies should seek further advice from GCSB on additional logical or technological solutions that may be available to lower the risks to electronic information.

Agencies should assess the risk when equipment cannot be secured when not in use, where its compromise could cause loss of integrity or availability of the information held by or accessible through that equipment.

Where the business impact of the compromise, loss of integrity or unavailability of the information is very high or extreme, the equipment should be stored in a Zone Three or above area, unless additional logical controls are applied to lower the risks when the equipment is not in use to a level acceptable to the agency.

Where the business impact of the compromise, loss of integrity or unavailability of the information is catastrophic, the equipment should be stored in a Zone Five area, unless additional logical controls are applied to lower the risks when the equipment is not in use to a level acceptable to the information originator.

The logical controls described in the New Zealand Information Security Manual do not constitute sanitisation and reclassification of ICT media. Therefore, the media retains its protective marking for the purposes of reuse, reclassification, declassification, sanitisation, destruction and disposal as specified in the New Zealand Information Security Manual.

Equipment with solid state drives or hybrid hard drives

Solid state drives and hybrid hard drives cannot be made safe through normal wiping processes when switched off.

Agencies wishing to use equipment fitted with solid state drives or hybrid hard drives should seek advice from GCSB on other methods of securing these types of equipment, for example, encryption.

2.3 Auditing of ICT equipment

For asset control of ICT equipment, agencies should:

  • record the location and authorised custodian
  • periodically audit the equipment.

The period between audits should be based on the agency’s risk assessment, with higher risk items audited on a more regular basis.

Agencies should, based on their risk assessment, consider visually inspecting ICT equipment as part of their asset control audit to ensure non-approved devices have not been installed.

Agencies should have procedures for employees to report the loss of ICT equipment.

Tamper evident seals

Agencies may seal access to ICT equipment using New Zealand Security Intelligence Service (NZSIS)-approved tamper evident wafer seals suitable for application to hard surfaces.

The use of seals may give a visual indication of unauthorised access into the equipment if the seals are removed or broken.

Refer to the Approved Products List (APL) (this information is classified, please contact the PSR team for further information) when selecting wafer seals.
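The asset-control practice described in this subsection (record location and authorised custodian, audit at a risk-based interval, inspect for non-approved devices, check seals) can be turned into a small reconciliation routine. The following is an added example written for this page, not code from the PSR or any agency; the audit intervals per Business Impact Level, the asset identifiers and the audit observations are all constructed values, and an agency would set its own intervals from its risk assessment.

```python
"""Reconcile a physical ICT asset audit against the asset register.

Constructed illustration: the register holds the location and authorised
custodian of each item, the interval between audits follows the item's
Business Impact Level (higher impact, more frequent audits), and the
walk-around observations are compared with the register so that missing,
moved, unregistered (possibly non-approved) and seal-broken equipment is
reported. Interval values and sample data are made up for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed audit intervals per BIL (days); not figures from the PSR.
AUDIT_INTERVAL_DAYS = {
    "low": 365, "medium": 180, "high": 90,
    "very high": 30, "extreme": 30, "catastrophic": 14,
}


@dataclass
class RegisterEntry:
    asset_id: str
    description: str
    location: str
    custodian: str          # authorised custodian recorded in the register
    bil: str                # Business Impact Level of the information held
    last_audited: date
    sealed: bool = False    # tamper evident seal applied to the enclosure


@dataclass
class Observation:
    """What the auditor sighted during the physical audit."""
    asset_id: str
    location: str
    custodian: str
    seal_intact: Optional[bool] = None   # None: no seal expected / not checked


def overdue_audits(register: Dict[str, RegisterEntry], today: date) -> List[str]:
    """Asset ids whose last audit is older than their BIL-derived interval."""
    return sorted(
        a.asset_id for a in register.values()
        if today - a.last_audited > timedelta(days=AUDIT_INTERVAL_DAYS[a.bil])
    )


def reconcile(register, observations) -> Dict[str, List[str]]:
    """Compare sightings with the register; returns asset ids per finding type."""
    findings = {k: [] for k in
                ("missing", "unregistered", "moved", "custodian_changed", "seal_broken")}
    sighted = {o.asset_id: o for o in observations}
    for entry in register.values():
        obs = sighted.get(entry.asset_id)
        if obs is None:
            findings["missing"].append(entry.asset_id)      # candidate loss or theft
            continue
        if obs.location != entry.location:
            findings["moved"].append(entry.asset_id)
        if obs.custodian != entry.custodian:
            findings["custodian_changed"].append(entry.asset_id)
        if entry.sealed and obs.seal_intact is False:
            findings["seal_broken"].append(entry.asset_id)  # enclosure may have been opened
    # Sighted but absent from the register: what the visual inspection for
    # non-approved devices is meant to surface.
    findings["unregistered"] = [i for i in sighted if i not in register]
    return {k: sorted(v) for k, v in findings.items()}


def mark_audited(register, observations, today: date) -> None:
    """Record the audit date for every registered item that was sighted."""
    for obs in observations:
        if obs.asset_id in register:
            register[obs.asset_id].last_audited = today


# Constructed sample register and audit observations.
TODAY = date(2014, 12, 18)
REGISTER = {e.asset_id: e for e in [
    RegisterEntry("LT-0001", "laptop", "Floor 3 open plan", "A. Smith", "high", date(2014, 9, 1), sealed=True),
    RegisterEntry("SV-0100", "server", "Server room (Zone 3)", "ICT operations", "very high", date(2014, 11, 20), sealed=True),
    RegisterEntry("PR-0042", "MFD printer", "Floor 2 print room", "Facilities", "medium", date(2014, 6, 15)),
    RegisterEntry("HD-0007", "portable hard drive", "Safe 3-A", "A. Smith", "extreme", date(2014, 12, 1)),
]}
OBSERVATIONS = [
    Observation("LT-0001", "Floor 2 open plan", "A. Smith", seal_intact=True),            # moved
    Observation("SV-0100", "Server room (Zone 3)", "ICT operations", seal_intact=False),  # seal broken
    Observation("PR-0042", "Floor 2 print room", "B. Jones"),                             # custodian changed
    Observation("USB-UNKNOWN", "Server room (Zone 3)", "unknown"),                        # not in register
    # HD-0007 was not sighted and is therefore reported as missing
]

if __name__ == "__main__":
    print("overdue before audit:", overdue_audits(REGISTER, TODAY))
    for kind, ids in reconcile(REGISTER, OBSERVATIONS).items():
        print(f"{kind}: {ids}")
```

Each finding category maps to an action already named in the text: a missing item triggers the loss-reporting procedure, an unregistered item is a candidate non-approved device, and a broken seal is the visual indication of possible unauthorised access to the equipment.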

3 Physical security of ICT system equipment

In addition to the ICT equipment mentioned in these requirements, ICT system equipment that needs physical security includes:

  • servers, including dedicated devices and laptops used as servers
  • other communications network devices, for example PABX
  • the supporting network infrastructure, for example cabling and patch panels
  • gateway devices, for example routers, network access devices.

3.1 Physical security of servers and network devices

Servers and network devices must be located in security rooms and/or containers.

The level of room and/or container used should be determined by the business impact of the compromise, loss of integrity or unavailability of the aggregated information accessible from the servers and network devices.

Agencies should keep servers and communication network devices in dedicated ICT facilities.

For more information, refer to New Zealand Government Information in Outsourced or Offshore ICT Arrangements and the New Zealand Information Security Manual.

Agencies must apply the controls identified in the Security Zones and Risk Mitigation Control Measures to protect the information on servers and network devices not held in dedicated ICT facilities.

3.2 Network infrastructure

Agency information is communicated through network infrastructure.

Where GCSB-approved encryption is applied, the requirements for physical security of network infrastructure can be lowered. Agencies should protect network infrastructure using a mixture of physical security measures and encryption.

Agencies must use security zones suitable for the highest business impact of the compromise, loss of integrity or unavailability of information being communicated over the network infrastructure.

As it may not be possible to secure all network infrastructure in security containers and/or rooms, agencies should also meet any system encryption requirements in the New Zealand Information Security Manual.

Agencies should determine the level of container required for patch panels, fibre distribution panels and structured wiring enclosures based on:

  • the business impact of the information passing over the connections
  • any other controls in place to protect the information.

Panels should, at a minimum, be in locked containers and/or rooms to prevent tampering.

Agencies lose control of their information when it is communicated over unsecured public network infrastructure or over infrastructure in unsecured areas as they can have no assurance of the physical security of the infrastructure or logical security of the information.

Agencies must use the encryption standards identified in the New Zealand Information Security Manual for information transmitted over public network infrastructure when the compromise, loss of integrity or unavailability of the information would have a business impact of high or above.

The encryption will sufficiently protect the information to allow it to be transmitted on an unclassified network. Encryption is normally applied at an agency gateway.

Agencies must apply the encryption standards identified in the New Zealand Information Security Manual to protect information on their network infrastructure in unsecured areas.

3.3 Deployable ICT systems

Agencies may have difficulty in applying suitable physical security measures when using deployable ICT systems, particularly if deployed into high-risk environments.

Agencies that use deployable systems must seek advice from GCSB on suitable logical controls to help mitigate any risks the agency identifies.

3.4 ICT system gateway devices

In addition to the logical controls required in the New Zealand Information Security Manual, agencies must use physical security measures for their ICT system gateway devices to mitigate the higher business impact from:

  • the loss of the devices
  • the compromise of the aggregated information arising from physical access to the devices.

Agencies using shared gateways must apply controls to the gateway appropriate to the highest level of information passing through the gateway.

Agencies must prevent unauthorised access to gateway devices. It is recommended that these devices be located in dedicated ICT facilities.

4 Physical security of ICT facilities

Agencies should have dedicated ICT facilities to house ICT systems, components of their ICT systems or ICT equipment. These facilities include, but are not limited to:

  • server and gateway rooms
  • datacentres
  • back-up repositories
  • storage areas for ICT equipment that hold official information
  • communications and patch rooms.

Agencies should pay particular attention to the security of any access points to an ICT facility, for example, cabling and ducting.

4.1 Accreditation of ICT facilities

ICT facilities must be within accredited security zones (as detailed in Security Zones and Risk Mitigation Control Measures) and appropriate for the aggregation of the information held.

Also, agencies should house ICT facilities in security zones dedicated to these ICT facilities, separate to other agency functions.

Where an agency outsources its ICT facilities, or uses shared facilities, the agency must ensure its information is held in a security zone appropriate for the aggregation of information.

Also refer to the section on outsourced ICT facilities.

Containers used to house ICT equipment in an ICT facility may be at a lower level when the ICT facility is a separate security zone within an existing security zone that is suitable for the aggregation of the information held.

Refer to Annex A.

TOP SECRET or compartmented marking information ICT facilities

All TOP SECRET or compartmented marking information ICT facilities must be within a separate Zone Five within a Zone Five work area, both of which must be certified by NZSIS.

TOP SECRET ICT facilities must have either a separate zone on the agency’s electronic access control system (EACS) or have their own NZSIS-approved type B security alarm system (SAS).

In addition, agencies must have GCSB certify all TOP SECRET ICT systems.

4.2 Access control to ICT facilities and equipment within ICT facilities

Agencies must control access to ICT facilities in accordance with the Security Zones and Risk Mitigation Control Measures.

Access to agency ICT facilities holding information, the compromise, loss of integrity or unavailability of which has a lower than catastrophic business impact level, should be controlled by:

  • a dedicated section of the SAS or EACS, where used
  • a person provided with a list of people with a need to know or need to go into the ICT facility.

Agencies must keep ICT facilities, and security containers within ICT facilities holding ICT equipment, secured when the facilities are not occupied.

Technical surveillance countermeasures

Agencies must have a technical surveillance countermeasures (TSCM) inspection undertaken for all TOP SECRET and compartmented marking ICT facilities where regular discussions at a TOP SECRET level are held within the facility.

A TSCM inspection may also be required to provide a high level of assurance that hardware and cabling infrastructure within an ICT facility has not been compromised.

Where an agency does not require its ICT facilities to handle TOP SECRET information, the requirement for a TSCM inspection, and the interval between inspections, should be based on the agency’s risk assessment.

Refer to the Security Zones and Risk Mitigation Control Measures.

Further advice on TSCM inspections can be provided by GCSB.

4.3 Outsourced ICT facilities

Agencies must ensure outsourced ICT facilities meet any controls identified in these requirements for the protection of the aggregation of information held in the facilities.

Information on the inclusion of security requirements in contracts for outsourced functions is available in Security Requirements of Outsourced Services and Functions.

Datacentres

Agencies must seek NZSIS advice on the certification requirements of the physical security measures of commercial datacentres holding New Zealand government official information where the compromise of the confidentiality, loss of integrity or unavailability of the information will have a catastrophic business impact level, before the datacentres are used operationally.

Agencies using datacentres should assess the aggregation of all official information that is held in the datacentre.

Agencies employing a shared datacentre arrangement should, where possible, liaise with all other agencies using the same datacentre to assess the business impact of the loss of integrity or unavailability of the aggregate of the combined information before the datacentre is used operationally.

Data storage devices must be given protection commensurate with the business impact of the compromise of the aggregate of the information stored on the devices.

Datacentres are selected not only for their ability to provide security of information but also for their ability to provide continuous availability of information. ANSI/TIA-942 Telecommunications Infrastructure Standard for Data Centers provides four tiers of availability in datacentres. 

For more information, refer to New Zealand Government Information in Outsourced or Offshore ICT Arrangements.

5 Protection of information and ICT equipment against environmental or man-made threats

Agencies should determine the availability requirements for their information as part of their disaster recovery and business continuity plans.

The impact of the information not being available will influence the measures taken to protect ICT equipment against environmental and man-made threats.

For more information, refer to SAI Global – HB 292-2006 A Practitioner’s Guide to Business Continuity Management, section 4.7.

5.1 Preservation of ICT equipment

ICT equipment may require a controlled atmosphere to ensure the integrity of the information held on the equipment.

ICT equipment holding information may also require a controlled environment to prevent failure of the equipment and potential loss of information.

This may include, but is not limited to, controlling:

  • temperature
  • humidity
  • air quality, for example, smoke and dust
  • water
  • light.

Agencies should apply controls to meet any ICT equipment manufacturer’s identified requirements.

Advice on preserving electronic information for the future is available online from the Archives New Zealand website (www.archives.govt.nz).

Uninterruptible and auxiliary power supplies

Agencies may lose information if ICT systems are unexpectedly shut down. An uninterruptible power supply (UPS) may allow the agency to turn off systems in a controlled manner or provide power until power to the ICT system is restored.

Any UPS used by an agency should provide at least enough power to allow:

  • the controlled shutdown of ICT systems
  • the start-up of an auxiliary power supply.

ICT equipment also needs protection from power surges (relatively lengthy increases in voltage), power sags, and spikes (short, very large increases in voltage). Most UPSs also give some protection from surges and sags.

As most environmental systems rely on mains electricity, an auxiliary power supply may assist in maintaining environmental controls. Auxiliary power supplies should be maintained in accordance with the manufacturer’s directions.

5.2 Protection from environmental or man-made disasters

Agencies should identify any threats from environmental or man-made disasters to their ICT equipment in their security risk assessment.

As ICT systems may be more sensitive to environmental factors, additional risk mitigation measures, over and above those used to protect people and physical assets from harm, may be needed.

Flooding

Water is one of the major threats to any system that uses electricity, including ICT systems.

Agencies should site server rooms so that they are protected from flooding. Flooding may be from external sources (for example, swollen rivers) or internal sources (for example, burst pipes).

Agencies considering locating server rooms in basements should assess the risk of flooding from internal or external sources.

Fire

Agencies should also protect ICT equipment from fire. ICT equipment can be damaged either through direct exposure to flames or from the effects of smoke (poor air quality) and increases in temperature in the general environment.

An additional concern for ICT equipment during building fires is the potential for flooding during fire-fighting operations. An agency may be able to use alternatives to water-based sprinkler systems, such as CO2 or other gaseous agents, in critical ICT facilities. An agency’s decision to use alternatives should be based on the agency’s own risk assessment.

5.3 Back-up ICT systems

Back-up ICT systems can provide an agency with a recovery point if its primary ICT systems fail, which can form part of an agency’s business continuity and disaster recovery plans.

Any back-up systems should be, as far as possible, fully independent of the supporting infrastructure used for the primary system so that, in case of a failure of the primary ICT system, the secondary ICT system does not also fail.

Back-up ICT systems should be regularly tested to ensure their continued operation.

Agencies may use off-site or commercial back-up facilities. Agencies should consider dual redundancy, that is, using two back-up facilities for business-critical information and ICT systems.

Agencies should ensure that any commercial ICT facilities they use meet all the security requirements of the PSR and New Zealand Information Security Manual to protect New Zealand government information.

An agency that uses a commercial back-up facility should consider the aggregation of information held in the facility, not just the agency’s own information, when determining the levels of physical and logical security needed at the facility.

Information on the inclusion of security requirements in contracts for outsourced functions is available in Security Requirements of Outsourced Services and Functions.

Last modified: 18 December 2014