1 Introduction


1.1 Purpose

The purpose of these requirements is to:

  • provide guidance on achieving a consistent approach to determining physical security controls in agency facilities
  • provide a consistent and structured approach to determining the level of control required to meet the threat environment
  • give suitable protection to information, people and physical assets
  • provide assurance to other agencies for information sharing.

To achieve this, advice on specific controls suitable to varying situations is provided. The type and degree of physical protection control should be determined by a Business Impact Level (BIL) assessment that considers the impact that loss or compromise will have on an agency.


1.2 Audience

The audience for these requirements is:

  • New Zealand government security management staff
  • contractors providing physical security advice and services to New Zealand government agencies
  • any other body or person responsible for the security of New Zealand government people, information or assets.

1.3 Scope

These requirements cover:

  • physical security measures within New Zealand government facilities
  • facilities handling New Zealand government information and physical assets or where New Zealand government employees are located
  • risk mitigation and assurance measures
  • the security zones methodology and requirements
  • details of individual control measures
  • a checklist for agencies reviewing physical security measures.

These requirements support the implementation of the Protective Security Requirements (PSR).

In particular, they support the Physical Security Management Protocol. They are part of a suite of documents that aid agencies to meet their physical security requirements.

Where legislative requirements are higher than controls identified in these requirements, the legislative controls take precedence and should be applied.

Agencies should protect any information or physical assets provided by another government in accordance with international agreements.

Also refer to Safeguarding Foreign Government Information (under development).

 


1.4 Compliance requirements

A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are the baseline controls unless the control is demonstrably not relevant to the respective agency and can be clearly demonstrated to the agency head or accreditation authority.

A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice.  Valid reasons for not implementing a control could exist, including:

  1. a control is not relevant because the risk does not exist, or
  2. a process or control(s) of equal strength has been substituted.

Agencies must recognise that not using a control without due consideration may increase residual risk for the agency.  This residual risk needs to be agreed and acknowledged by the agency head.  In particular an agency should pose the following questions:

  1. Is the agency willing to accept additional risk?
  2. Have any implications for All of Government security been considered?
  3. If so, what is the justification?

A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.

The PSR provides agencies with mandatory and best practice security measures.

The controls detailed above describe if and when agencies need to consider specific security measures to comply with the mandatory requirements.

Also refer to Strategic Security Objectives, Core Policies and the Mandatory Requirements for Agencies.


1.5 Relevant standards

Other relevant standards, requirements and documents are:


2 Risk mitigation and assurance measures

Agencies must select physical security mitigation measures on the basis of their identified risks.

To provide assurance regarding information sharing arrangements, an agency is required to:

  • reduce residual risks to an acceptable level to the agency, or where this is not possible, lower the likelihood of compromise, loss of availability or loss of integrity to an acceptable level
  • apply minimum controls determined by the BIL of the compromise, loss of availability or loss of integrity of the information.

2.1 The risk management process

When deciding which risk mitigation controls are required, agencies should undertake a full security risk assessment in accordance with:

Also refer to the Strategic Security Objectives, Core Policies and the Mandatory Requirements.

In particular, this relates to Protective Security Requirements GOV3 of the mandatory requirements.

Figure 1 summarises the steps used to identify and value assets (including information and people), and to determine and mitigate risks relating to the compromise, loss of integrity or unavailability of the assets.

The full risk management process is detailed in HB 167:2006 Security Risk Management.

Figure 1: Risk mitigation component of the risk assessment process

 

Additional requirements to meet specific threats

Threat assessments are used to inform agency risk assessments.

Some threats increase the likelihood of harm to people or the compromise of information or physical assets. These will need additional or higher level controls to mitigate the threats.

Threats may affect the whole agency or be site or area specific. Specific threats to members of staff, clients and the public or individual assets should be considered.

For more information, refer to HB 167:2006 Security Risk Management, Section 4.

Agencies must assess threats using internal and, if appropriate, external sources.

Threat assessments must be obtained from the New Zealand Security Intelligence Service (NZSIS) for all facilities holding TOP SECRET or compartmented marking information.

Threat assessments may be sought for other facilities where there are national security risks.

When selecting sites, specialist advice should be sought about the risk of natural disasters and suitable mitigation strategies.

Agencies at risk from natural disasters should select security products that protect against these when hardening facilities against physical security risks.

Threats to facilities that may require additional physical controls

The following list identifies possible additional threats that may increase the likelihood of compromise of information or physical assets, or harm to people within agencies.

This list is indicative, not definitive.

  • Public knowledge of facility uses, ranging from no public knowledge to full public knowledge of contentious programmes undertaken at the facility.
  • Level of neighbourhood crime, ranging from occasional minor crime to regular major or organised crime.
  • Client violence, ranging from occasional non-confrontational contact with clients to regular client contact which may lead to violence.
  • Public violence, ranging from little to no public contact to regular public protests that may be violent.
  • Terrorism, which may lead to violence against personnel or facilities, or covert access to sensitive information.
  • Shared facilities, ranging from single-use facilities to co-tenancies with private high-risk tenants. (Work areas within an agency with diverse programmes may also be considered as sharing facilities.)
  • Attractiveness of information and physical assets, ranging from those of little value to those that are high value and are attractive to groups of security concern, including foreign intelligence services, issue motivated groups and trusted insiders.

2.2 Assurance required for information and physical asset sharing

To encourage information and physical asset sharing, agencies need to have a high level of assurance that other agencies will suitably protect their information and assets.

Agencies must determine the business impact of the compromise, loss of integrity or unavailability of their information and assets as part of the security risk assessment to determine the assurance they require.

An agency’s risk assessment may identify the need for security control measures that exceed the minimum control measures for security of protectively marked information.

Refer to Table 1.

For more information, refer to the Business Impact Levels.

Table 1: Business Impact Levels (BILs)

| Measure | Specific risks addressed |
|---|---|
| Low | Could be expected to impede government agency operations, commercial entities or members of the public |
| Medium | Could be expected to cause limited damage to national security, government agency operations, commercial entities or members of the public |
| High | Could be expected to adversely affect government agency operations, commercial entities or members of the public |
| Very high | Could be expected to significantly damage national security |
| Extreme | Could be expected to seriously damage national security |
| Catastrophic | Could be expected to cause exceptionally grave damage to national security. |

Assurance for protectively marked physical assets

An agency holding protectively marked physical assets, that is, assets that are protectively marked in their own right, not because of any information held on them, should determine the physical controls required on a case-by-case basis based on whichever is greater:

  • any requirements imposed by the asset owner
  • the agency’s risk assessment and the consequences of the asset’s compromise, loss or damage. 

2.3 Site security plans

Agencies must evaluate each of their sites separately. These may be further subdivided into separate work areas where there is considerable variation in risks to each work area.

A site security plan documents measures to counter identified risks to an agency’s functions, information, people and physical assets at a designated site.

Agencies must evaluate the different risks to their facilities, people, information, functions and physical assets during business hours and out of hours.

Controls needed during operating hours should take into account the increased risks from public and client contact as well as insider threats. While these risks still exist out of hours, there may be a higher risk from external sources such as through someone breaking and entering.

Agencies must assess the impact of the compromise, loss of integrity or unavailability of their site security plans to their security and operations and apply suitable protective markings.

Also refer to New Zealand Government Security Classification System.

A site security plan should include:

  • measures that are scalable to meet increases in threat levels
  • the location and nature of the site
  • whether the agency has sole or shared ownership or tenancy of the site
  • whether members of the public or other non-agency personnel have a right of entry to the site
  • what protectively marked information is to be stored, handled, processed or otherwise used in each part of the site
  • information and communications technology (ICT) assets, including, but not limited to, data, software, hardware, workstations, servers, frames and cabling, portable devices such as laptops and tablets, and any other resources that will be on the site
  • an indication of whether every part of the site is intended to have the same level of security
  • what protective measures will be required for:
    • the site as a whole
    • particular areas within the site (for example part of a floor that will hold information of a higher classification than the rest of the site)
  • what measures will be required for:
    • storage, handling and processing of protectively marked information
    • protectively marked or otherwise sensitive discussions and meetings.

Critical path

The effectiveness of security controls is measured by the probability of detection at the point where there is enough time for a response team to interrupt an adversary. The critical path is the adversary path with the lowest probability of interruption.

An adversary path is an ordered sequence of actions against an asset that could result in it being compromised. Adversaries could normally be expected to take the easiest and most direct route.

Early detection of unauthorised access enables a quicker response. Ideally, interception should occur before access to the asset, but this depends on the asset and the security objectives.

Refer to Figure 2.

Figure 2: Relationship between detecting, delaying and responding to a perimeter

The effectiveness of security elements will influence:

  • probability of detection; the cumulative probability of detecting an adversary
  • cumulative delay; the combined minimum delay time along the adversary path
  • response; the time for a response to reach a point of detection
  • interruption; occurs when the response time is less than the delay provided, measured from the first point of detection.
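
The four quantities above can be combined into a single figure per adversary path. The following is an added example, not part of these requirements or of HB 167:2006: a simplified timely-detection calculation in which every element name, probability, delay and response time is constructed. It assumes detections are independent, that detection occurs as the adversary reaches an element, and that every detection triggers a response.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Element:
    """One security element on an adversary path (constructed model)."""
    name: str
    p_detect: float  # probability this element detects the adversary (0..1)
    delay_s: float   # minimum delay this element imposes, in seconds


def remaining_delay(path, index):
    """Cumulative minimum delay from element `index` through to the asset.

    Assumption: detection happens as the adversary reaches the element,
    so that element's own delay still counts towards the response window.
    """
    return sum(e.delay_s for e in path[index:])


def timely_elements(path, response_s):
    """Elements where a detection still allows interruption, that is, where
    the response time is less than the delay remaining from that point."""
    return [e for i, e in enumerate(path)
            if response_s < remaining_delay(path, i)]


def p_interruption(path, response_s):
    """Cumulative probability of detection over the timely elements only.

    Detection after the last timely element is ignored: the response
    would arrive after the adversary has reached the asset.
    """
    timely = timely_elements(path, response_s)
    return 1.0 - prod(1.0 - e.p_detect for e in timely)


def critical_path(paths, response_s):
    """Return (name, P_I) of the path with the lowest probability of interruption."""
    scored = {name: p_interruption(p, response_s) for name, p in paths.items()}
    name = min(scored, key=scored.get)
    return name, scored[name]


# Constructed sample data for a site assessment: two paths to the same asset.
PATHS = {
    "main entrance": [
        Element("perimeter fence with PIDS", 0.5, 60),
        Element("building entry door", 0.8, 120),
        Element("zone perimeter door", 0.9, 180),
        Element("security container", 0.0, 300),
    ],
    "service entrance": [
        Element("perimeter fence (no sensor)", 0.0, 60),
        Element("service door", 0.3, 90),
        Element("internal partition wall", 0.0, 30),
        Element("security container", 0.9, 300),
    ],
}

if __name__ == "__main__":
    for response_s in (400, 250):
        print(f"response time {response_s} s")
        for name, path in PATHS.items():
            last = timely_elements(path, response_s)[-1:]
            where = last[0].name if last else "none"
            print(f"  {name}: P_I={p_interruption(path, response_s):.2f}, "
                  f"last timely detection point: {where}")
        print("  critical path:", critical_path(PATHS, response_s))
```

With a 400 second response the container alarm on the service entrance path detects too late to count, so that path is the critical path at 0.30; shortening the response to 250 seconds makes that detection timely and raises the figure to 0.93.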

Crime prevention through environmental design (CPTED)

CPTED should be an integral part of facility planning. The approach emphasises the importance of identifying which aspects of the physical environment could affect the behaviour of people and uses these aspects to minimise crime.

Many publications (such as the two referenced below) deal with CPTED in the domain of private housing and public areas, but they are equally applicable in government agencies.

CPTED principles may identify different mitigations to those identified for other security needs, for example, counter terrorism. The mitigations used should be based on an agency’s risk assessment.

More information on CPTED can be found at:

Further information on applying CPTED is available in Crime Prevention through Environmental Design (3rd edition; 2013) by Timothy Crowe M.S. Criminology – Florida State University, revised by Lawrence Fennelly.


3 Security zones

Security zones provide a framework for mitigating physical security risk based on a security risk assessment.

The zone methodology is used as a guide to developing a physical security plan for facilities, buildings and rooms.

Application of requirements, based on the business impact level of any compromise, loss of integrity or unavailability of information and physical assets within zones, gives assurance in information and asset sharing arrangements.

The zones methodology should give a scalable level of protection from:

  • unauthorised or covert access
  • forcible attack.

Physical security measures in higher level zones should include tamper evidence and also be:

  • highly resistant to covert attack to protect information
  • highly resistant to forcible attack to protect assets.

Table 2 provides broad descriptions of the functions agencies can undertake in the security zones, the information and assets they can handle and store in the zones and examples of security zones.

 

Table 2: Security zones

Also refer to:

Layering of zones (security in depth)

Agencies should layer the zones working in from Zone One (public access areas) and increasing the protection with each new zone.

Multiple layers will give agencies a greater delay to allow for a response to any unauthorised entry.

Zones should give greater periods of delay as levels increase. By layering zones within zones the delay is cumulative, giving the agency greater time to respond before unauthorised access to the inner zone.

Refer to Figure 3.

In some instances it is not possible for higher zones to be located fully within lower zones. Agencies should consider additionally strengthening external walls of the higher zones.

Zone One should include perimeter protection measures, for example blast mitigation, counter-terrorism protection and so on. As zone levels increase, protective security measures should progressively change to protect information and physical assets.

The number of zones individual agencies need depends on the different levels of assurance and segregation required.

Agencies should determine the minimum and maximum zones required in facilities, for example agencies with:

  • low-to-medium BILs may only need Zone One or Zone Two
  • up to, and including, high to very high BILs may need Zone One and Zone Two
  • up to, and including, extreme BILs may need Zones One to Four
  • up to, and including, catastrophic BILs may need Zones One to Five.

Refer to the Business Impact Levels.

Agencies holding information or physical assets of which the compromise, loss of integrity or loss of availability would have an extreme business impact must use Zones Three or Four for all their general staff access areas rather than Zone Two.

Agencies with information of which the compromise, loss of integrity or loss of availability would have a catastrophic business impact must use Zone Four for all their general staff access.

Figure 3: Indicative layering of zones

 

Zone requirements

Agencies must use controls to treat their identified risks. Agencies should use Table 3 to identify the controls necessary for each zone.

Zone requirements provide a level of assurance against:

  • the compromise, loss of integrity or unavailability of information
  • the compromise, loss or damage of physical assets.

These objectives may not encapsulate all types of protection required for people, information and physical assets. Agencies should determine additional mitigations based on their risk assessments.

Refer to Table 3.

 

Table 3: Zone requirements

Further details on each type of control can be found in section 5 (by following the links in control components below).


Notes:

1.   Agencies should use sectionalised alarm and access control systems when there are Zones Three and above in a facility. The alarm and access control systems should meet the needs of the highest zone in the facility. Alternatively, agencies should separate alarm and access control systems for different zones.

2.   Out-of-hours guards performing regular information container and physical asset inspections and patrols of facilities may be a suitable replacement for an alarm system in Zones One to Three. Response time for off-site guards should be less than the delay given by the total of other controls.

3.   Interoperability of the alarm system and electronic access control systems (EACS) should meet the highest requirement for all zones covered by the alarm system and EACS. Where NZSIS-approved Type B security alarm systems are used, any integration with building management systems should be in accordance with the Type B SAS for New Zealand Government – Integration specification (under development).

4.   Agencies should ensure they use lighting that at least meets the minimum requirements for any closed-circuit television systems used.

 

Accreditation of zones

A Chief Security Officer (CSO) may accredit agency facilities as Zone One to Zone Four, when the controls meet the requirements of Table 4.

Refer to the Physical Security Management Protocol for further information on accreditation requirements for zones holding information carrying a TOP SECRET security classification, certain compartmented marking information or aggregations of information where the compromise, loss of integrity or unavailability of the information would have a catastrophic business impact.

All employees with on-going access to protectively marked information in Zones Four or Five must hold a security clearance at the highest level of the information held in the Zone.

Also refer to the Personnel Security Management Protocol.

Table 4: Summary of certification requirements


Notes:  

1. Inclusion of an alarm system in Zone One and Zone Two is at the agency’s discretion.
2. If out-of-hours guarding patrols and/or commercial alarm systems are not used instead.
3. See Table 7: Additional controls to address specific risks.

 

 

 


4 Individual control elements

This section provides requirements on selecting control measures identified in Table 6.

Agencies may select extra controls not identified in this section in accordance with their risk assessment. Some indicative additional controls are in Table 7.


4.1 Use of NZSIS-approved products

The NZSIS has approved a number of security control measures. It is recommended agencies use the NZSIS-approved products when selecting security products to provide a greater level of security assurance.

NZSIS tests and approves security products that primarily focus on protecting protectively marked information of which the compromise, loss of integrity or unavailability would result in a BIL of high or above (see Table 1).

These approved items are listed in the Approved Products List (APL). This information is classified. Please contact the PSR team for further information.

Even where not required, an agency may still use NZSIS-approved security equipment, or suitable commercial equipment that complies with identified security-related New Zealand or international standards for the protection of people, information or physical assets.

NZSIS is developing the APL and Equipment Selection Guidelines (This information is classified. Please contact the PSR team for further information), which will progressively replace some of the current items in the APL.

Refer to Annex B.


4.2 Building construction

Construction of buildings

Agencies should assess the suitability of construction methods and materials to give the protection needed before leasing or constructing premises. Increasing the level of building security, that is, the level of delay provided, afterwards may be expensive or not possible.

Typically, buildings are constructed to the New Zealand Building Code. Some older buildings may not meet this code.

Buildings are normally considered as domestic or commercial.

Domestic construction provides little protection from unauthorised access; however, intrusion is normally evident as the most common unauthorised access is for theft. Skilled covert access is normally very hard to detect in domestic situations.

Standard commercial office premises normally provide an increased level of perimeter protection over domestic buildings.

However, in normal office accommodation, internal walls, false ceilings and other normal building techniques reduce the ability of agencies to protect their information and physical assets.

Most commercial office spaces provide protection suitable for assets and information where compromise, loss of integrity or unavailability would have a business impact of medium or below.

Agencies should include additional building elements to address any specific risks identified in their risk assessment where building hardening may provide some level of mitigation.

For example:

  • blast mitigation measures
  • forcible attack and ballistic resistance
  • road and public access paths
  • lighting (in addition to security lighting)
  • hostile vehicle mitigation
  • elements of crime prevention through environmental design (CPTED).

Related New Zealand standards:

  • AS 3555.1:2003 Building Elements – Testing and Rating for Intruder Resistance – Intruder-resistant Panels (this standard provides guidance on very high grade intruder resistance such as for high-security vaults)
  • AS/NZS 2343:1997 Bullet-resistant Panels and Elements.

Slab-to-slab construction

The use of slab-to-slab construction, that is, the walls are joined directly to the floor and bottom of the next floor or the roof structure, prevents access through false ceilings.

Agencies must use slab-to-slab construction at the perimeter of zones including all access points.

The NZSIS Technical Note – Physical Security of Intruder Resistant Areas (this information is classified; please contact the PSR team for further information) provides details on methods to achieve slab-to-slab construction.

As structural changes may have an impact on the integrity of buildings, agencies should seek structural engineering advice before implementing slab-to-slab construction.

The access points for Zone One and Zone Two may vary between business hours and after hours, for example from internal points (such as controlled office entry points) during business hours to the perimeter of the building or premise after hours (such as the main door).

Agencies may use access points for Zone Two during business hours without slab-to-slab construction when the out-of-hours access point has slab-to-slab construction.

Alternatively agencies may install an intruder-resistant layer in the ceiling, such as metal mesh, to address the problem of removable false ceiling panels where they require intrusion delay for specific rooms.

These measures do not give any protection from over-hearing and must not be used where speech security is needed.

Agencies may also use tamper-evident building techniques to provide some indication of unauthorised access.

Construction of Zone Three and Zone Four perimeters

For information on constructing Zone Three and Zone Four areas to store protectively marked information or aggregations of information of which the compromise, loss of integrity or loss of availability may cause very high damage, refer to NZSIS Technical Note – Physical Security of Secure Areas (this is a protectively marked document issued by NZSIS).

Construction of Zone Five perimeter

For further information on constructing Zone Five areas to store TOP SECRET information or aggregation of information of which the compromise, loss of integrity or loss of availability may cause catastrophic damage, refer to NZSIS Technical Note – Physical Security of Zone 5 Areas (this is a protectively marked document issued by NZSIS).


4.3 Alarm systems

Alarm systems

Alarm systems can provide early warning of unauthorised access to agency facilities.

An alarm system is only of value in conjunction with other measures designed to detect, delay and respond. All alarm systems must be monitored and linked to a predetermined response.

Alarm systems may be single sector or sectionalised to give coverage to specific areas of risk. Sectionalised alarm systems allow greater flexibility because highly sensitive areas can remain secured when not in use and other parts of the facility are open.

Each different security zone is required to be a separate alarm section (area) or a separate alarm system.

Agencies should, where possible, configure alarm systems to continuously monitor detection devices in high-risk areas, for example irregularly accessed areas, roof spaces, inspection hatches and under-floor cavities.

Each agency must have direct management and control of alarm systems in Zone Three and above. Agencies should have direct management and administration of other alarm systems.

Each agency must use appropriately cleared and trained agency staff as privileged alarm system operators and users in Zone Three and above. Agencies should only use appropriately cleared and trained agency staff as privileged operators and users of other alarm systems.

However, operation functions such as monitoring and maintenance may be outsourced.

Agencies should ensure all alarm system arming and disarming personal identification numbers (PINs) are:

  • uniquely identifiable to an individual
  • not recorded by the individual
  • regularly changed in accordance with the agency’s risk assessment.

Employees must advise the CSO of any suspected compromise of PINs as soon as the suspected compromise is identified. The CSO must disable the PIN and investigate any potential security breach.

For more information, refer to Reporting Incidents and Conducting Security Investigations.

Agencies must have the default/engineering/installer user codes removed from alarm systems at commissioning.

For Zones 3 and above, the engineering/installer codes must only be known to appropriately cleared personnel who have access to the zone.

Where the code is required by others for maintenance purposes, the codes must be changed immediately following the completion of the maintenance.

Agencies should develop appropriate testing and maintenance procedures to ensure the alarm system is continually operational.

Alarm systems can be broadly divided into two types:

  • a perimeter (or external) intrusion detection system (PIDS) or alarm
  • an internal security alarm system (SAS).

Agencies may use out-of-hours guard patrols instead of an alarm system in all zones up to and including Zone Three.

Refer to Out-of-hours guarding.

External alarms

PIDS may be of value to agencies that have facilities enclosed in a perimeter fence. PIDS provide early warning of unauthorised breaches of a facility perimeter.

Agencies should seek specialist advice when designing and installing PIDS.

Security alarm systems

Security alarm systems are used to protect information and assets. When selecting the appropriate SAS, agencies should consider the level of zone being protected, the zone’s layout complexity and the level of information or asset being protected.

Also refer to Table 3.

There are five classes of SAS defined in AS/NZS 2201.1:2007 Intruder Alarm Systems – Client’s Premises – Design, Installation, Commissioning and Maintenance:

  • Class 1 and 2, base-level systems only suitable for domestic use
  • Class 3, mid-level systems suitable for the protection of normal business operations in most agencies
  • Class 4, mid-level systems suitable for the protection of normal business operations in most agencies. When used with appropriate detection devices and other controls, these are suitable for the protection of all information and physical assets unless compromise, loss of integrity or unavailability would cause catastrophic damage
  • Class 5, not yet readily available in New Zealand, although most Class 4 panels are capable of some additional features available in the Class 5 SAS.

Alarm systems that do not comply with AS/NZS 2201.1:2007 Intruder Alarm Systems – Client’s Premises – Design, Installation, Commissioning and Maintenance should not be used.

NZSIS-approved alarm systems must be used for Zones Four and Five.

Also refer to Annex B.

Where an NZSIS-approved SAS is not mandatory, agencies should determine:

  • whether a commercial SAS is required at their facilities, including any temporary sites, as part of their risk mitigation strategies
  • the specifications for any such system
  • whether alternative security methods such as guard patrols are required as part of their risk mitigation strategies.

Agencies should consider if guard patrols are required in addition to an SAS to satisfactorily mitigate their risk.

If agencies use a commercial SAS in Zone Two it should meet AS/NZS 2201.1:2007 Intruder Alarm Systems – Client’s Premises – Design, Installation, Commissioning and Maintenance Class 3 or better.

If agencies use a commercial SAS in Zone Three it should meet AS/NZS 2201.1:2007 Intruder Alarm Systems – Client’s Premises – Design, Installation, Commissioning and Maintenance Class 4 or better. An SAS in Zone Three must be separate from all other systems including access control and building management systems.

Agencies must develop procedures to support the use, management, monitoring and response arrangements of an alarm system. Where possible, agencies should adopt the administration and management principles set out in the NZSIS Type B SAS Implementation and operation guide (under development).

Any contractors employed to maintain a SAS should be cleared to a level appropriate to the information to which they could reasonably be expected to have incidental access in the zones covered by the alarm system.

Agencies should use a suitably qualified designer or installer to design and commission any selected commercial alarm systems.

Related New Zealand standards:




4.4 Individual alarm options

The use of building alarm systems, electronic access control systems (EACS) or other facility-wide measures may not be ideal in some situations.

This includes, but is not limited to, working away from the office, areas with a high potential for personal violence and protection from the compromise of physical assets in public areas.

There are a number of individual alarm options that may be suitable in some situations, including:

  • duress alarms
  • individual item alarms or alarm circuits
  • vehicle alarms.

Duress alarms

Duress alarms enable employees to call for assistance in response to a threatening incident.

Agencies may be required to use duress alarms activated by dual action duress buttons (that is, two separate buttons must be depressed to trigger the alarm) to reduce the occurrence of false alarms.

Hidden and/or fixed duress alarm

Fixed duress alarms are a type of remotely monitored individual duress alarm. They are normally hard wired and fixed to a location.

Agencies should consider equipping public contact areas, including the reception area, counters and interview rooms, with duress alarms where the risk assessment has identified a potential problem.

Hidden duress alarms should:

  • enable employees to raise an alarm discreetly
  • be augmented by procedures that provide an appropriate response.

Agencies should ensure:

Individual duress alarm

Individual or mobile duress alarms provide some deterrence to violence when employees are outside the office or circulating in public areas.

Personal duress alarms fall into two broad categories:

  • remotely monitored duress alarms
  • alarms that produce loud noise on activation.

Remotely monitored alarms are suitable for use within facilities where there is a dedicated monitoring and response force. The alarms consist of a personal alarm transmitter linked to the facility or a separate alarm system.

Noise-producing duress alarms rely on response by bystanders. They are better suited than monitored duress alarms to applications external to agency facilities, where there could be considerable delay in response to the alarm.

Agencies may use these alarms within a facility where they desire immediate notice of an incident by the people in the immediate area.

Individual item alarm and/or alarm circuit

Valuable items, particularly when in public areas such as exhibitions, may not be able to be protected by normal alarm systems.

An option is to install individual item alarm circuits or a separate alarm system to monitor individual items. Some possible alarm sensor types that may be suitable are:

  • pressure switches
  • motion sensors
  • closed-circuit television (CCTV) activated alarms
  • radio frequency identification (RFID) tag systems.

Agencies should seek specialist advice when designing alarm systems for individual items.

Vehicle alarm

Agencies that have field workers often require these employees to work from vehicles that can contain large quantities of valuable equipment.

Most vehicle alarms rely on noise and have a similar deterrent value to noise-producing personal duress alarms. However they rely on a response from bystanders if the employee is outside hearing range.

Agencies should consider fitting remotely monitored vehicle alarms where the Business Impact Level of loss of the information or physical assets in the vehicle, or the vehicle itself, is high or above. Remote vehicle alarms may also be linked to remote vehicle tracking and immobilisation systems.


4.5 Access control systems

An access control system is a measure or group of measures designed to allow authorised personnel, vehicles and equipment to pass through protective barriers, while preventing unauthorised access.

Such systems limit access through openings in barriers, such as walls, and give authorised access to information and physical assets being protected.

Access control can be achieved in several ways with the most common being:

  • psychological or symbolic barriers, for example, CPTED
  • security staff physically located at entry and exit points
  • security staff located at central points who monitor and control entry and exit points using intercoms, videophones, CCTV cameras and similar devices
  • mechanical locking devices operated by keys or codes
  • EACS.

Access control systems should provide identity validation by using authentication factors of:

  • what you have – keys, identity (ID) cards, passes
  • what you know – PINs
  • who you are – visual recognition, biometrics and so on.

Dual authentication

Dual authentication requires the use of two of the factors of access control systems.

Agencies must use dual authentication to control access to Zone Five areas.

Agencies should use dual authentication in other circumstances where their risk assessment identifies a significant risk of unauthorised access.

Electronic access control systems

Agencies must use EACS where there are no other suitable identity verification and access control measures in place. Electronic access control may be used in conjunction with other personnel and vehicle access control measures.

Agencies may use sectionalised EACS in a facility to control access to specific areas. EACS sections would normally be the same as sections of agencies’ alarm systems, but may also have additional operational access control points not covered by individual alarm sections.

Where EACS and/or other access control measures are implemented to cover a whole facility, agencies should design them to meet the highest perceived threat and risk level.

Where agencies use multiple EACS and/or other access control measures, the design of each system must meet the highest perceived threat and risk level in the areas covered by the system.

When used, EACS should typically commence at Zone Two perimeters, but may be used in Zone One, for example, to control access to car parking.

Agencies should:

  • seek specialist advice when selecting EACS
  • use a designer or installer recommended by the manufacturer to design and commission them.

Agencies must verify the identity of all people who are issued with access cards for their EACS at the time of issue.

Agencies must regularly audit EACS. Audits should occur in accordance with the agency’s risk assessment to determine whether people with access have a continued need to access the system and that any access for people who have left has been disabled or removed.

Anti-pass back

Agencies should consider utilising anti-pass back in high secure environments. Anti-pass back is designed to prevent misuse of access control systems. Anti-pass back establishes a specific sequence in which access cards have to be used for the system to grant access.

Anti-pass back controls may also be achieved by linking access control to various other access systems such as information systems and other physical access controls.

Two-person access system

Some EACS can be enabled to only allow access to areas when two people are present and will activate an alarm if one leaves the area. This is known as a no-lone-zone. It requires two authorised people to access and exit a designated area.

Agencies should consider using a two-person access system when they require a very high level of assurance against compromise or loss of highly protectively marked information or extremely valuable physical assets.
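The sequence rule described under Anti-pass back and the no-lone-zone rule described under Two-person access system can be expressed as a small decision model. This is an added example, not part of the original requirements or any vendor's EACS; the area names, card IDs and result strings are hypothetical, and each card is assumed to be in at most one area at a time.

```python
"""Toy EACS decision logic: anti-pass back and a two-person (no-lone-zone) rule.
Constructed example; areas, card IDs and result strings are hypothetical."""
from dataclasses import dataclass, field

GRANTED = "GRANTED"
DENY_UNAUTHORISED = "DENIED: card not authorised for area"
DENY_PASSBACK = "DENIED: anti-pass back sequence violation"
DENY_TWO_PERSON = "DENIED: two authorised people required"
ALARM_LONE = "GRANTED: ALARM lone occupant in no-lone-zone"


@dataclass
class Area:
    name: str
    authorised: set                 # card IDs allowed into this area
    no_lone_zone: bool = False      # True: occupancy must never be exactly one
    occupants: set = field(default_factory=set)


class AccessController:
    def __init__(self, areas):
        self.areas = {a.name: a for a in areas}
        self.inside = {}            # card ID -> area the system believes it is in
        self.log = []               # audit trail: (action, area, cards, result)

    def _record(self, action, area_name, cards, result):
        self.log.append((action, area_name, tuple(sorted(cards)), result))
        return result

    def enter(self, area_name, *cards):
        area, cards = self.areas[area_name], set(cards)
        if not cards:
            raise ValueError("at least one card must be presented")
        if not cards <= area.authorised:
            return self._record("enter", area_name, cards, DENY_UNAUTHORISED)
        # Anti-pass back: a card recorded as inside cannot badge in again
        # until the system has seen it badge out.
        if any(c in self.inside for c in cards):
            return self._record("enter", area_name, cards, DENY_PASSBACK)
        # No-lone-zone: occupancy after this entry must be at least two.
        if area.no_lone_zone and len(area.occupants | cards) < 2:
            return self._record("enter", area_name, cards, DENY_TWO_PERSON)
        area.occupants |= cards
        for c in cards:
            self.inside[c] = area_name
        return self._record("enter", area_name, cards, GRANTED)

    def leave(self, area_name, *cards):
        area, cards = self.areas[area_name], set(cards)
        if not cards:
            raise ValueError("at least one card must be presented")
        # Anti-pass back on exit: the card must be recorded inside this area.
        if any(self.inside.get(c) != area_name for c in cards):
            return self._record("leave", area_name, cards, DENY_PASSBACK)
        area.occupants -= cards
        for c in cards:
            del self.inside[c]
        # Exit is allowed, but leaving one person behind raises the alarm.
        if area.no_lone_zone and len(area.occupants) == 1:
            return self._record("leave", area_name, cards, ALARM_LONE)
        return self._record("leave", area_name, cards, GRANTED)


def demo():
    ctl = AccessController([
        Area("office", {"C1", "C2", "C3"}),
        Area("vault", {"C1", "C2"}, no_lone_zone=True),
    ])
    results = [
        ctl.enter("office", "C3"),       # normal entry
        ctl.enter("office", "C3"),       # same card presented again, no exit seen
        ctl.enter("vault", "C1"),        # one person at an empty no-lone-zone
        ctl.enter("vault", "C1", "C2"),  # two authorised people together
        ctl.leave("vault", "C1"),        # leaves C2 alone: alarm
        ctl.leave("office", "C1"),       # exit from an area never entered
        ctl.enter("vault", "C3"),        # card not authorised for the vault
        ctl.enter("vault", "C1"),        # restores two-person occupancy
    ]
    return ctl, results


if __name__ == "__main__":
    for entry in demo()[0].log:
        print(entry)
```

The audit trail in `log` records every decision, including denials, which is the record an EACS audit would review.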

Further information

There are currently no New Zealand standards that provide guidance on designing or installing EACS. The US FIPS 201 and Canadian CAN/ULC-S319 - Electronic Access Control Systems standards may provide some guidance.

Identity cards

Identity (ID) cards allow for speedy recognition of employees in agency facilities. Agencies must use ID cards in Zones Three to Five. They should be used in all facilities.

Agencies should issue ID cards to all people who have regular access to their facilities, subject to meeting any personnel security requirements.

Agencies must verify the identity of all people who are issued with ID cards. A secure robust enrolment process must be a prerequisite to building an identity system of high integrity. Accordingly it is necessary that sufficient high-quality processes are put in place to register, enrol and issue key proof of identity credentials to individuals and for these processes to be embraced and applied consistently by relevant credential-issuing agencies.

As a minimum, in verifying a person’s identity before issuing identity credentials, agencies should sight:

  • government-issued credentials embodying photographic or biometric identity features and a signature
  • evidence of other identity verification documentation
  • evidence of residential address.

Examples of each form of evidence can be found in Annex C.

Where the credentials will grant access to areas requiring a security clearance, or indicate the holder of the credential has a security clearance, the issuing agency must independently verify those details (including expiry or revalidation date) prior to the credential being issued.

A credential-issuing agency should bind the applicant to the identity recorded on the credentials issued by taking a photograph or a biometric of the applicant. This will ensure the agency can subsequently check to whom the credential was issued.

Where an agency already possesses information that suitably verifies a person’s identity, the process may be streamlined. However the potential identity card holder should be required to provide government-issued credentials embodying photographic identity features and a signature.

ID cards should be:

  • worn by employees and clearly displayed at all times in agency premises
  • uniquely identifiable
  • audited regularly in accordance with the agency’s risk assessment.

Agencies should discourage employees from wearing ID cards outside agency premises.

ID cards should include a return address for lost cards and should not identify the facility to which the card gives access. Agencies may include other information on ID cards to improve control of access, such as names, photographs and colours.

EACS access cards can be used as ID cards, although this is not a recommended practice, particularly in high security or high-risk areas.

Agencies should ensure the protection of all:

  • card making equipment
  • spare, blank or returned cards

within a Zone Two or higher area.


4.6 Interoperability of alarm system and other building management systems

The development of interoperability between SAS and external integrated systems (EISs) such as Building Management Systems (BMSs), CCTV and EACS can lead to an increased threat of unauthorised system access and penetration.

Where systems are interconnected an agency should ensure the SAS cannot be controlled or disabled by interconnected systems.

SASs suitable for Zone One and Zone Two applications may include fully integrated EACSs as a single system.

For Zone 3 and higher, the SAS and other EISs must be separate and independent from each other. Any interoperability must not allow the SAS to be controlled or disabled by the EIS.

Designers of EIS or sub-systems should be aware of the need to secure the EIS to prevent unauthorised access or manipulation, especially when interconnected with an SAS. EISs should be designed with appropriate logical and physical controls.


4.7 Visitor control

Visitor control is normally an administrative process, however this can be augmented by use of an EACS.

Visitors can be issued with EACS access cards specifically enabled for the areas they may access.

In more advanced EACSs it is possible to require validation at all EACS access points from the escorting officer.

Regardless of the entry control method used, people should only be given unescorted entry if they:

  • are able to show a suitable form of identification
  • have a legitimate need for unescorted entry to the area
  • have the appropriate security clearance. Also refer to the Personnel Security Management Protocol.

Agencies should treat as a visitor anyone who is neither an employee in a facility or area nor someone otherwise granted normal access to the facility or area. This may include employees from other areas of the agency.

Agencies must issue visitors accessing Zones Three to Five areas with visitor passes. Agencies should also issue visitors to Zone Two with visitor passes when other controls to limit access are not in place.

Passes must be:

  • worn at all times
  • collected at the end of the visit
  • disabled on return if the passes give access to any agency access control systems
  • checked at the end of the day and, where the passes are reusable, action taken to disable and recover any not returned.

Agencies must record details of all visitors to Zones Three to Five areas. Agencies should also record visitor access to Zone Two areas if other control measures are not in place. An agency employee or authorised person should escort visitors.

Agencies may, based on their risk assessment, record visitor details at the:

  • facility reception areas
  • entry to individual security zones.

Visitor registers

Agencies should use visitor registers.

The register should include:

  • the name of the visitor and signature
  • the visitor’s agency or firm or, in the case of private individuals, their private address
  • the name of the employee to be visited
  • the times of the visitor’s arrival and departure
  • the reason for visit.

The visitor register would normally be located at the facility reception desk, unless the desk is unmanned, in which case it should be held by a designated employee within the facility.

Where agencies manage the control into specific areas at the entry to the area, those areas should have their own visitor registration.

Visitors into Zones 4 and 5 or sensitive areas should be required to provide government-issued credentials embodying photographic identity features and a signature (examples are listed in Part A of Annex C).

Removal of people from agency premises

Agencies must have documented procedures for dealing with members of the public behaving unacceptably on agency premises or who are present in a restricted area. Employees must be informed of these procedures.

If a member of the public behaves in an unacceptable manner, a duly authorised person should take the following steps when they consider it necessary for the person to leave the premises:

  • initially seek the person’s cooperation to cease the behaviour and/or to leave the premises
  • ask the person to stop the behaviour and warn them they could be required to leave the premises immediately
  • if the person does not stop the unacceptable behaviour advise them that due to their behaviour, the agency is withdrawing permission for them to be on the premises
  • request the person to leave the premises immediately
  • warn the person the police will be called if they remain and of the possible legal consequences of non-compliance with the request to leave.

In most cases the person will agree to leave. If it is assessed to be safe to do so, the person should be accompanied until they have left. However, if they refuse to leave, the agency should contact the police immediately.

No employee or guard is to attempt to physically remove a person from agency premises unless permitted to do so under legislation. This would normally be left to a police officer. The police contact telephone number should be available to all employees.

Relevant legislation may include:

  • Summary Offences Act 1981
  • Crimes Act 1969
  • Defence Act 1990.

Access by the media

Agency employees considering giving access to media representatives should consult the CSO before granting access to agency premises.

In addition to the agency standard visitor control procedures, the following procedures should be followed:

  • a designated employee should accompany media representatives throughout the visit
  • protectively marked information is locked away (preferable) or at least protected from view
  • additional restrictions are considered when appropriate such as handing in mobile phones and other recording and communications equipment
  • the agency media liaison unit or public affairs area is consulted about the arrangements.

The agency may consider additional controls to be necessary for particular sites.

If an agency grants permission for a visit to areas where protectively marked information is being used or handled, the employee responsible for the media representatives should remind them that no photographs or recordings of any type can be taken at any time during the visit except with specific agency approval.

Access by children to areas where protectively marked information is stored or processed

Agencies should develop policies for allowing children into areas where sensitive or protectively marked material is being held or related work carried out.

Young children, although possibly able to read, are less likely to fully comprehend protectively marked material. In addition they are less likely to have sufficient long-term memory to recall details such as names and identities. Therefore children up to the age of five may be permitted short-term access to premises, with the prior agreement of the relevant agency manager, provided they are accompanied by the parent or guardian (being a staff member) at all times.

Children over the age of five are often able to comprehend written material and have well developed long-term memory. Older children ought only to be allowed access to areas where sensitive or protectively marked work is being undertaken or stored under extenuating circumstances and only at the discretion of the agency head.

Extenuating circumstances under which access may be granted are:

  • a staff member is called in for emergency duty and no child minding is available at short notice
  • a staff member is recalled from leave and a child requires unique parental care
  • a staff member is required to sign papers, arrange posting activity or other administrative tasks while in sole charge of a child
  • normal child-care arrangements are terminated without prior notice and a staff member, who is required to report for duty, is unable to make alternative arrangements
  • a staff member is required to attend for duty when a child is injured (but not suffering from infectious illness) and requires monitoring.

The parent or guardian is responsible for the safety, wellbeing and behaviour of the child whilst on premises (including emergency evacuations) and ought not to leave the child unattended, noting:

  • children (as with any other uncleared individuals) are not to be given access to corporate IT systems or protectively marked material
  • work areas ought, as much as possible, to be cleared of any sensitive or protectively marked material whilst children are present
  • children ought not be present at meetings or during discussions where sensitive or protectively marked material is discussed
  • in line with occupational health and safety requirements, access will not be granted to children who are suffering from, or convalescing after, an infectious illness.

Parents or guardians are responsible for obtaining prior approval for children to enter official premises.

House security and/or building wardens should maintain a log of children entering official premises (noting alternative recording arrangements will be made for attendance at official family functions) for use in the event of an emergency situation. 


4.8 Receptionists and guards

Agencies that have regular public or client contact should have receptionists or guards to greet, assist and direct visitors.

Guards provide deterrence against loss of information and physical assets and can provide a rapid response to security incidents. Guards may either be directly employed by an agency or be employed through a commercial guarding company.

Agencies must ensure that contracted guards are licensed under the Private Security Personnel and Private Investigators Act 2010.

Agencies must provide receptionists and guards with detailed visitor control instructions.

Receptionists or guards should be able to easily lock all access to the reception and non-public areas in the event of an emergency.

They may only perform other duties, such as CCTV and alarm monitoring, if it does not interfere with their primary task of controlling building access through the reception area. If performing other duties, they should be suitably trained and competent.

The receptionist or guard must be able to lock away all valuable or sensitive material (for example, paperwork, keys) if they need to temporarily leave the vicinity.

Receptionists and guards must have a method of calling for immediate assistance if threatened, for instance a duress alarm or radio, as they are most at risk from disgruntled members of the public.

Agencies must identify any security concerns for receptionists, guards and people using agency reception areas in a security risk assessment and mitigate concerns.

Out-of-hours guarding

Guards and patrols may be used separately or in conjunction with other security measures. The requirement for guards, their duties and the need for, and frequency of, patrols should be based on the level of threat and any other security systems or equipment that are already in place.

Agencies may use out-of-hours guarding or patrols instead of alarm systems in Zones Two to Three. These guards may be permanently on site or visit facilities as part of regular mobile patrolling arrangements.

Agencies must not use guards instead of an approved SAS in Zones Four and Five. However, guard patrols can be used as an extra measure.

Where guard patrols are used instead of an alarm system, patrols should be performed at random intervals:

  • for Zone Three, based on an agency’s risk assessment, but intervals must not exceed four hours
  • for other areas based on an agency’s risk assessment

and should check all security cabinets and access points as part of their patrols.

Guards must hold security clearances at the highest level of information to which they may reasonably be expected to have incidental contact and in accordance with the facility with which they work.

Also refer to Security Requirements of Outsourced Services and Functions.

Agencies may use out-of-hours guard services in response to alarms in all zones. The response time should be within the delay period given by the physical security controls.

The highest level of assurance is given by 24 hours a day, seven days a week on-site guards who can respond immediately to any alarms.

For Zone Three and above, guards must have a security clearance and briefings at the highest level of the information held in the zone.


4.9 Locks and door hardware

Locks

Locks can deter or delay unauthorised access to information and physical assets.

Agencies must:

  • secure all access points to their premises, including doors and operable windows, using commercial grade or NZSIS-approved locks and hardware – these locks may be electronic, combination or keyed
  • give combinations, keys and electronic tokens the same level of protection as the most valuable information or physical asset contained by the lock
  • use NZSIS-approved locks and hardware in Zones Four and Five, see the APL and Annex B.

Agencies should use suitable commercial locking systems in other areas.

Locks are only as strong as the fittings and hardware surrounding them. Agencies should also assess the level of protection needed from doors and frames when selecting locks.

Keying systems

If an agency is using a keying system it should be designed to provide a level of assurance that:

  • unauthorised duplicate keys have not been made
  • common keying system compromises are mitigated.

Keying systems should include controls such as:

  • legal controls, for example registered designs, patents
  • levels of difficulty in obtaining or manufacturing key blanks and the machinery used to cut duplicate keys
  • levels of protection against compromise techniques, for example picking, bumping, impressioning, decoding.

When selecting a keying system agencies should evaluate:

  • the level of protection provided against common forms of compromise
  • the length of legal protection offered by the manufacturer
  • supplier protection of agency keying data within the supplier facility
  • the transferability of the system and any associated costs
  • commissioning and on-going maintenance costs.

Agencies must use NZSIS-approved keying systems in Zone Three to Zone Five. See the APL. Agencies should use NZSIS-approved keying systems in other areas based on their risk assessment.

In Zone Two, agencies must use commercial restricted keying systems – that is, keys that are not able to be readily copied – or combination locks. Agencies should also use restricted keying systems in lower level applications where there is a risk of theft.

Agencies should use mastered key systems with sufficient levels so that separate area master keys control any locks within an EACS and/or alarm system control points. Figure 3 outlines an indicative master keying tree.

Figure 3: Indicative master keying tree


Key control

Agencies must maintain a register of all keys held and issued. Key registers should be appropriately secured and only available to authorised employees.

Registers should include:

  • key number
  • name, position and location of person holding the key
  • date and time issued
  • date and time returned or reported lost.

Agencies must limit the number of, and strictly control, all master keys because the loss of a master key may compromise and require the re-keying of all locks under that master. CSOs should control the issuing of all grand master keys because they may give access to all areas of a facility.

Agencies should regularly audit key registers to confirm the location of all keys in accordance with the agency’s risk assessment.

Agencies’ decisions to allow the removal of keys from their facilities should be based on their risk assessment as this significantly increases the risk of loss. Keys to Zone Four and Zone Five should not be removed from the facility. Agencies must not allow keys to security containers to leave the facility, except in cases of emergency. Where agencies allow keys to be taken out of their facilities:

  • managers should approve the removal
  • agencies should increase the frequency of key audits.

Agencies should provide all employees with training on their key management policy.

Key cabinets

Agencies should locate key cabinets within a facility’s secure perimeter and, where possible, within the perimeter of the zone where the locks are located. Key cabinets may be either manual or electronic.

Commercial grade key cabinets provide very little protection from forced or covert access.

Electronic key cabinets may have automatic audit capacity and replace the need to maintain a key register. In some cases electronic key cabinets can be integrated into the EACS. However there are currently no electronic key containers suitable for high security applications, unless used in conjunction with other control measures such as locating the key container within a security room or area covered by a security alarm.

Combination settings

Combination settings must be memorised and agencies must keep only one written record of each setting for use in an emergency. The record must be held in an appropriately sealed envelope, protectively marked with the highest security classification of the material held in the container and stored appropriately in a separate container. This process should be managed by the CSO.

Agencies must change combination settings:

  • when a container is first received by the agency
  • after servicing the lock
  • after a change of custodian or other person knowing the combination
  • when there is reason to believe the setting has been, or may have been, compromised
  • in any case, not less frequently than every six months
  • when the container is disposed of by resetting the lock to the manufacturer’s setting.

Employees must immediately report the compromise or suspected compromise of a combination setting to the CSO.

Also refer to Reporting Incidents and Conducting Security Investigations.

Agencies should lock and service combination locks in accordance with the lock manufacturer’s instructions.

Doors

Agencies should select doors that provide a similar level of protection to the locks and hardware fitted.

There is significant variation in commercial office door types. These include, but are not limited to:

  • solid core timber
  • composite timber
  • metal framed insert panel
  • metal clad solid core or hollow core
  • glass swing opening
  • rotating glass
  • glass sliding, single and double.

Solid core wooden or metal clad doors may have glass or grill insert panels. The panels and fixings must provide the same level of protection as the door.

Door types and thicknesses for Zones Three to Five are specified in the NZSIS Technical Note – Physical Security of Secure Areas (This information is classified. Please contact the PSR team for further information).

Automatic sliding glass doors normally operate through an electric motor and guide fitted to the top of the door. Some automatic sliding glass doors, particularly when unframed, may be levered open either at the centre joint for double sliding doors or sides for double and single sliding doors. This can make them difficult to secure without fitting drop bolts, lower guides and/or door jambs.

Domestic hollow core doors (used for most internal domestic doors) and domestic sliding glass doors provide negligible delay as they are easily forced. However, if fitted with appropriate locks, they will provide a degree of evidence of intrusion when broken.

When selecting security doors agencies should incorporate any requirements of the New Zealand Building Code and any disability access requirements.


4.10 Closed-circuit television coverage

Agencies should consider the use of CCTV when developing ‘security in depth’ for a site. CCTV is a visual deterrent to unauthorised access, theft or violence, and can serve as an auditable access record.

Agencies should consider the costs of CCTV systems as they can represent a significant capital cost. On-going monitoring, maintenance and support costs may also be high.

Agencies can use CCTV to cover and give a visual record of:

  • site access points, including internal access to higher security zones
  • full site perimeter coverage
  • access to specific physical assets or work areas.

Agencies must comply with all relevant jurisdictional legislation governing CCTV usage. The Privacy Commission has produced a guide for complying with the Privacy Act 1993.

Refer to Privacy and CCTV: A Guide to the Privacy Act for Businesses, Agencies and Organisations.

The benefits of CCTV may include being able to:

  • monitor event-activated alarms
  • be used in conjunction with an SAS to help those responsible for responding to the alarm
  • be used in conjunction with an access control system to aid personal identification for remote site entry control
  • use motion detectors
  • use visual analytics (suspicious package detection).

Considerations on the use of CCTV include:

  • how its use fits into the context of the overall security plan of the site
  • the type of incident anticipated and in what way it will be expected to help the response to these incidents
  • the need to advise staff and clients that it is in use on the premises
  • the functional requirement.

Agencies should seek specialist advice before designing and installing a CCTV system to ensure the proposed system meets agency needs.

When CCTV images are used to support criminal proceedings, the quality of images or data should be suitable for use as evidence.

Agencies should be aware that computers used to store images may require significant memory space. Excessive compression of data may severely affect the quality of images stored.

Agencies should consider the period that images need to be retained when designing their security systems.

4.11 Security lighting

Lighting, both internal and external, can make an important contribution to physical security.

Agencies should consider, at the design stage, what the security lighting is intended to achieve, for example deterring unauthorised entry, assisting guards conducting patrols, illuminating areas with CCTV coverage and/or providing employees with safety lighting in car parks.

Motion detection devices can also be set up so any detected movement will activate lighting and/or CCTV.

Agencies should ensure lighting meets the illumination requirements of any CCTV systems installed.

Also refer to the Illuminating Engineering Society publication IES-G-1-03 Guidelines on Security Lighting for People, Property and Public Spaces.

4.12 Perimeter access control

Agencies with significant threats or larger, multi-building facilities may require perimeter access controls to restrict access to their facilities. For example, this may include defence establishments.

Types of perimeter controls include but are not limited to:

  • fences and walls
  • pedestrian barriers
  • vehicular barriers.

Fences and walls

Fences and walls can be used to define and secure the perimeter of a facility. Agencies should determine the need for perimeter fencing during their initial security risk assessment and before finalising the selection of a site.

Fences may be impractical for sites in the urban environment, particularly in central business districts.

The level of protection a fence will give depends on its height, construction, the material used, access control and any additional features used to increase its performance or effectiveness, such as topping, lighting or connection to an external alarm or CCTV system.

Agencies that use fences and walls to prevent or deter unauthorised access must develop supporting procedures to monitor and maintain the fences and monitor the grounds for unauthorised access.

Agencies should ensure access points are at least as strong as any fence or wall used.

Related standards:

Pedestrian barriers

Agencies should assess the need to restrict pedestrian access through fences or walls by installing controlled entry and exit points.

This may include locked gates, gates connected to EACSs or alarm systems, manned guard stations and turnstiles.

Vehicle barriers

Agencies should assess whether vehicle barriers are warranted at their premises. British standard PAS 69:2006 Guidelines for the Specification and Installation of Vehicle Security Barriers provides some advice on selecting suitable fixed barriers.

4.13 Security containers and cabinets

Agencies should secure official information or portable valuable physical assets and money in suitably assessed containers (see the APL) appropriate to the business impact of the compromise, loss of integrity or unavailability of the information and/or assets.

When selecting security containers and cabinets, agencies should evaluate potential risks such as theft, damage or other compromise of physical assets and information from people internal and external to the agency.

Factors that will affect the class of security container required include:

  • the level of protective marking
  • the business impact of the compromise
  • the value and attractiveness of the information or physical assets being stored
  • the location of the information or physical assets within a facility (refer to Table 3)
  • the structure and location of the building
  • access control systems
  • other physical protection systems, for example locks, alarms and the security of the outer zone.

Placing security containers against the perimeter walls of a security zone potentially allows an attack based in a lower security zone, possibly bypassing a number of the additional security features of the more secure zone.

Agencies should, wherever possible, therefore avoid placing security containers against a lower security zone perimeter.

Agencies should ensure valuable physical assets that contain official information, such as computers and other ICT equipment, are protected from whichever has the higher BIL:

  • compromise of the aggregation of information on the physical asset
  • loss of the physical asset itself.

Where possible, agencies must store protectively marked information separately from other physical assets. This will:

  • lower the likelihood of the compromise of information if physical assets are stolen
  • help investigators determine the reason for any incidents involving unauthorised access.

Commercial safes and vaults

Agencies should store unclassified material in commercial safes and vaults designed to give a level of protection against forced entry that is commensurate with the BIL of the assets.

Because commercial grade security safes and vaults can provide varying degrees of protection, agencies should seek the advice of a qualified locksmith or manufacturer when determining the criteria they need to apply when selecting commercial safes and vaults.

Safes and vaults can be:

  • fire resistant (either document or data)
  • burglary resistant
  • a combination of both.

Refer to Annex D.

The New Zealand Standard AS/NZS 3809:1998 Safes and Strongrooms provides advice on design criteria for safes and strongrooms used to protect valuable physical assets.

It categorises safes and vaults as:

  • basic - suitable for homes, small businesses, offices
  • commercial - suitable for medium retail, real estate agents
  • medium security - suitable for large retail, post offices
  • high security - suitable for financial institutions, clubs
  • extra high security (vaults only) - suitable for high volume financial institutions.

Agencies should use safes and vaults from the following international standards that meet similar design criteria as the New Zealand Standard:

The following international standards provide advice on testing for fire resistance in safes:

  • UL 72 – Tests for Fire Resistance of Records Protection Equipment
  • JIS S 1037 – Standard Fire Test
  • KSG 4500 – Fire Proof Safes

NZSIS-approved

NZSIS-approved security containers are designed for the storage of protectively marked information.

Agencies should use an NZSIS-approved security container when the level of protectively marked material requires this.

Refer to Annex B.

Due to their design, these containers provide a high level of tamper evidence for covert attack and significant delay against clandestine attack, but limited protection from forcible attack.

There are three levels of NZSIS-approved containers.

Class A – Designed to protect information that has an extreme or catastrophic BIL in high-risk situations. These containers are extremely heavy and may not be suitable for use in some buildings with limited floor loadings. These were previously referred to as Group 1 containers or Group 2 containers that have additional drill protection.

Class B – Designed to protect information that has an extreme or catastrophic BIL in low-risk situations and information that has a high or very high BIL in higher risk situations.

Class B containers are broadly of two types:

  • heavy types suitable for use where there are minimal other physical controls (previously these were Group 2 containers that did not have additional drill protection)
  • lighter models designed for use in conjunction with other physical security measures (previously referred to as Group 3 containers).

Agencies should consider the siting of Class A and B containers as weight may be an issue, particularly in older buildings.

Class C – Designed to protect information that has up to an extreme BIL in low-risk situations and information that has a medium BIL in higher risk situations. These containers must be fitted with an NZSIS-approved restricted keyed lock or padlock (these were previously referred to as Group 4 containers).

Agencies should, where their risk assessments indicate, use lockable commercial containers for:

  • information with a low-to-medium business impact and where an NZSIS-approved container is not required
  • higher level information within an NZSIS-approved secure room.

Vehicle safes

Agencies should consider fitting vehicle safes to vehicles used by field staff when they are carrying valuable physical assets or official information.

An agency risk assessment may indicate additional controls are required to adequately mitigate some risks when transporting protectively marked material or valuable assets in vehicles.

These safes are of similar construction to low grade commercial security containers or approved Class C containers and provide some protection against opportunistic theft. They are not designed to provide protection where the vehicle is left unattended for prolonged periods, for example overnight.

To ensure the effectiveness of vehicle safes, agencies should consider:

  • bolting the safe to the vehicle (preferably out of sight)
  • fitting anti-theft controls such as immobilisers and alarms.

Secure rooms, strongrooms and vaults

Agencies with large quantities of official information or valuable physical assets, where their compromise, loss of integrity or unavailability would have a business impact, may use a secure room, strongroom or vault instead of containers to protect the information or physical assets.

Refer to Table 5.

Secure rooms are suitable for the storage of large quantities of official information. The minimum construction and security requirements of secure rooms can be found in:

  • NZSIS Technical Note – Class A Secure Room (this information is classified; please contact the PSR team for further information)
  • NZSIS Technical Note – Class B Secure Room (this information is classified; please contact the PSR team for further information)
  • NZSIS Technical Note – Class C Secure Room (this information is classified; please contact the PSR team for further information).

Agencies should seek advice from a reputable manufacturer before installing a commercial vault or strong room for the protection of valuable physical assets.

Agencies must use Table 5 when selecting the minimum level of security containers or security rooms for storing official information where the compromise, loss of integrity or unavailability of the information has a business impact.

Agencies must assess the business impact of the compromise, loss of integrity or unavailability of the aggregation of information before determining the level of container required. A limited holding of information is an amount where compromise, loss of integrity or unavailability does not increase the BIL.

Table 5: Selecting security containers or rooms for storing official information


Note:

1.  In exceptional circumstances, to meet an operational requirement (for example, where the information cannot be immediately returned to an appropriate zone area), agencies may store the information for a period not to exceed 72 hours before being returned to an appropriate zone. CSOs should initially seek advice from NZSIS before implementing arrangements for the temporary storage of protectively marked information outside an approved zone.

 

Agencies should use Table 6 as a guide to selecting commercial safes and vaults for storing valuable physical assets where their compromise, loss of integrity or unavailability has a business impact on the agency (also refer to Table 1).

Agencies should use other controls that give the same level of intrusion resistance and delay for items that cannot be secured in safes or vaults, such as large items.

Agencies should consult with a suitably qualified locksmith or vault manufacturer to determine the appropriate safe or vault for their needs.

Table 6: Selecting safes or vaults for protecting valuable physical assets

 

4.14 Other controls

There are a number of other control measures agencies can use in specific situations. The following are indicative examples and agencies should determine which controls best meet their requirements.

Table 7 provides examples of additional measures that may be used to address specific threats. This list is not exhaustive.

Table 7: Additional controls to address specific risks

| Measure | Specific risks addressed |
| --- | --- |
| Hidden and/or fixed duress alarm | Personnel safety concerns for reception areas and meeting rooms. May be of value for home-based workers. |
| Individual duress alarm | Personal safety concerns for personnel in the field or unpatrolled public areas. |
| Individual item alarm and/or alarm circuit | Provide additional protection to valuable physical assets in premises. Provide protection for physical assets on display. |
| Vehicle alarm | Deter vehicle theft or theft of information and physical assets from vehicles. |
| Two-person access system | Protection of extremely sensitive information. |
| Vehicle safes | Deter theft of information and physical assets from vehicles. |
| Vehicle immobilisation | Prevent vehicle theft. |
| Front counters and interview or meeting rooms | Restrict access by aggressive clients or members of the public. Allow regular meetings with clients or members of the public without accessing security areas. |
| Mailrooms and delivery areas | Provide a single point of entry for all deliveries. Control mail-borne threats from entering a facility without screening. |
| Technical surveillance countermeasures and audio security | Reduce vulnerability to, or detect, the unauthorised interception of sensitive or protectively marked information. Reduce vulnerability to electronic eavesdropping on sensitive conversations. |
| Conference security | Extra measures taken for a conference to prevent unauthorised people gaining access to protectively marked information and ensure the proceedings are conducted without disruption. |

Vehicle immobilisation

Agencies should consider vehicle immobilisation to reduce the loss of vehicles to theft. Vehicle immobilisation can be broadly divided into two types:

  • automatic immobilisation of a vehicle when not in use, which requires the key or electronic token to start the vehicle
  • remote immobilisation, normally in conjunction with a remote tracking and alarm system that can disable a vehicle while in use.

Front counters and interview or meeting rooms

Agencies that have interaction with the public or clients who may become agitated must install measures that mitigate the risks to employee safety.

This could include, but is not limited to, a specialised front counter that limits physical access to employees, and interview or meeting rooms that are monitored by guards and/or fitted with duress alarms.

Agencies with regular client or public interaction should consider establishing interview or meeting rooms accessible from their public areas.

Mailrooms and delivery areas

Mailrooms and parcel delivery areas are areas of significant risk to agencies from improvised explosive devices and chemical, radiological and biological attacks.

Agencies must assess the likelihood of mail-borne attack and, if warranted, apply suitable physical mitigations, for example mail screening devices, a stand-alone delivery area and/or using a commercial mail receiving and sorting service.

Agencies must have mail handling policies and procedures that are available to all staff. Agencies must give mailroom staff training in the use of any mail handling procedures and/or screening equipment used in their agency.

Agencies should select mail and parcel screening and handling equipment that meets their needs. Guidance can be found in the Australasian standards handbook HB 328:2009 Mailroom Security.

Technical surveillance countermeasures and audio security

Technical Surveillance Countermeasures (TSCM) services are used to provide a high level of assurance that sensitive agency information is free from unauthorised surveillance and access.

TSCM is mainly a detection function that seeks to locate and identify covert surveillance devices:

  • before an event
  • as part of a programmed technical security inspection or survey
  • as a result of a concern following a security breach, for example, the unauthorised disclosure of a sensitive discussion.

A TSCM survey also seeks to identify technical security weaknesses and vulnerabilities including the evaluation of physical security controls such as locks, alarms and EACSs.

Agencies must have TSCM surveys carried out:

  • for areas where TOP SECRET discussions are regularly held or the compromise of other discussions may have a catastrophic business impact
  • before conferences and meetings where TOP SECRET discussions are to be held.

Agencies should initially seek advice from the Government Communications Security Bureau (GCSB) on the TSCMs required.

Agencies that need to hold sensitive or telephone conversations or discussions where the content is protectively marked must meet the logical controls in the New Zealand Information Security Manual – Telephones and Telephone Systems.

Conference security

The aims of conference security should be to:

  • prevent unauthorised people gaining access to official and/or protectively marked information or physical assets
  • protect the people attending the conference
  • protect property from damage
  • ensure the proceedings are conducted without disruption.

Agencies should undertake a security risk assessment before holding a conference to identify and mitigate any identified risks and, if warranted, develop a specific conference security plan.

Also refer to Event Security.

5 Transport and destruction

Agencies must have policies and procedures for the transportation and destruction of physical assets and information.

5.1 Transporting information and physical assets

Valuable physical assets

When physical assets are being transported outside of the agencies’ premises, agencies must provide an appropriate level of protection aligned to their potential business impact.

Agencies should seek advice from their insurers when developing procedures to transport valuable physical assets. While there is little risk from covert access, most physical assets are more at risk from theft during transport than when housed in an agency facility. Some control measures may include escorts or guards, or use of secure transport specialists.

Protectively marked information

Agencies must develop procedures that minimise the possibility of unauthorised access during transport.

This could include a combination of:

  • keeping the information under the physical control of an employee
  • using an NZSIS-approved safehand courier
  • using a security briefcase or satchel
  • using an NZSIS-approved single use pouch
  • using NZSIS-approved reusable pouches and containers
  • using NZSIS-approved security seals and tape.

Physical security equipment used to transport protectively marked information provides some protection from opportunistic access but very limited protection from covert access.

Also refer to Handling Requirements for Protectively Marked Information and Equipment.

Security briefcases

Agencies should use security briefcases or security satchels when carrying small amounts of protectively marked information, or aggregations of information, with a high BIL or above. Employees using security briefcases or satchels should keep the briefcase or satchel in their possession at all times.

Security briefcases and satchels are designed to give limited protection against opportunistic access and some evidence of tampering. They are not a replacement for security containers. They do not protect against forced entry. A skilled person may also covertly open a security briefcase. See the APL (this information is classified; please contact the PSR team for further information).

Single use pouches

Agencies may use NZSIS-approved single use pouches in lieu of:

  • paper envelopes and seals for inner envelopes
  • outer envelopes in double enveloping.

Wafer security seals and security tape

Agencies must use NZSIS-approved security seals on inner envelopes when transporting protectively marked information using double enveloping.

Seals should be placed on all openings. Security seals provide limited protection against opportunistic access and some evidence of tampering.

A skilled person can defeat a seal with little, if any, evidence of tampering. Agencies should develop procedures to ensure that access to protectively marked mail is restricted to authorised people.

Reusable pouches

Agencies may use reusable pouches instead of outer envelopes when double enveloping for internal mail.

5.2 Destruction equipment

Agencies must destroy protectively marked information using NZSIS-approved destruction equipment or an NZSIS-approved destruction service.

Destruction equipment is used to destroy protectively marked information (paper-based and ICT media) so that the waste cannot be reconstructed.

Agencies should use one of the following options when destroying paper or ICT media:

  • shredding
  • disintegrating
  • pulping (paper-based only)
  • pulverising (ICT media only).

Also refer to:

Shredders

Agencies may use shredders to destroy paper and ICT media, for example CDs, single and dual layer DVDs.

Paper shredders

Commercial strip shredders are not suitable for the destruction of protectively marked material or sensitive waste.

Anybody wishing to access the information will have little difficulty reconstructing the pages from the resultant strips.

Cross-cut shredders produce smaller pieces that are harder to reconstruct. The smaller the particle size the more secure the results.

Manufacturers often grade their shredders based on various international standards that often have differing specifications for each security level.

Agencies should take care when purchasing a shredder to ensure the maximum particle size is suitable for their needs.

Agencies must use the following shredders to destroy paper-based protectively marked information.

  • Grade 3 shredder, maximum particle size 4 mm x 15 mm, suitable for BILs up to and including high or protectively marked information up to and including RESTRICTED.
  • Grade 4 shredder, maximum particle size 1 mm x 15 mm, suitable for BILs up to and including extreme or protectively marked information up to and including SECRET.
  • Grade 5 shredder, maximum particle size 1 mm x 5 mm, suitable for all BILs including TOP SECRET and compartmented marking information.

Where possible, agencies should use a commercial cross-cut shredder for paper waste for official information where the compromise has a BIL up to and including medium.

Alternatively, agencies may use an NZSIS-approved destruction company for all levels of protectively marked information up to SECRET, or TOP SECRET, when directly supervised by an agency officer.

Also refer to NZSIS Security Equipment Guide for Shredders (under development).

ICT media shredders

Agencies should refer to GCSB for advice on approved media shredders to destroy ICT media.

Also refer to Handling Requirements for Protectively Marked Information and Equipment.

Last modified: 18 December 2014
