The purpose of these requirements is to:
- provide guidance on achieving a consistent approach to determining physical security controls in agency facilities
- provide a consistent and structured approach to determining the level of control required to meet the threat environment
- give suitable protection to information, people and physical assets
- provide assurance to other agencies for information sharing.
To achieve this, advice on specific controls suitable to varying situations is provided. The type and degree of physical protection control should be determined by a Business Impact Level (BIL) assessment that considers the impact that loss or compromise will have on an agency.
The audience for these requirements is:
- New Zealand government security management staff
- contractors providing physical security advice and services to New Zealand government agencies
- any other body or person responsible for the security of New Zealand government people, information or assets.
These requirements cover:
- physical security measures within New Zealand government facilities
- facilities handling New Zealand government information and physical assets or where New Zealand government employees are located
- risk mitigation and assurance measures
- the security zones methodology and requirements
- details of individual control measures
- a checklist for agencies reviewing physical security measures.
These requirements support the implementation of the Protective Security Requirements (PSR).
In particular, they support the Physical Security Management Protocol. They are part of a suite of documents that aid agencies to meet their physical security requirements.
Where legislative requirements are higher than controls identified in these requirements, the legislative controls take precedence and should be applied.
Agencies should protect any information or physical assets provided by another government in accordance with international agreements.
Also refer to Safeguarding Foreign Government Information (under development).
1.4 Compliance requirements
A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are the baseline controls unless the control is demonstrably not relevant to the respective agency and this can be clearly demonstrated to the agency head or accreditation authority.
A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice. Valid reasons for not implementing a control could exist, including:
- a control is not relevant because the risk does not exist, or
- a process or control(s) of equal strength has been substituted.
Agencies must recognise that not using a control without due consideration may increase residual risk for the agency. This residual risk needs to be agreed and acknowledged by the agency head. In particular an agency should pose the following questions:
- Is the agency willing to accept additional risk?
- Have any implications for All of Government security been considered?
- If so, what is the justification?
A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.
The PSR provides agencies with mandatory and best practice security measures.
The controls detailed above describe if and when agencies need to consider specific security measures to comply with the mandatory requirements.
1.5 Relevant standards
Other relevant standards, requirements and documents are:
- AS/NZS ISO 31000:2009 Risk management – Principles and Guidelines
- HB 167:2006 Security Risk Management
- AS 1725:2003 Chain-link Fabric Security Fencing and Gates
- AS 3555.1:2003 Building Elements – Testing and Rating for Intruder Resistance – Intruder-resistant Panels
- AS/NZS 2201.1:2007 Intruder Alarm Systems – Client’s Premises – Design, Installation, Commissioning and Maintenance
- NZS 2201.2:1992 Intruder Alarm Systems – Central Stations
- AS/NZS 2201.5:2008 Intruder Alarm Systems – Alarm Transmission Systems
- AS/NZS 2201 Intruder Alarm Set
- AS/NZS 2343:1997 Bullet-resistant Panels and Elements
- AS/NZS 3809:1998 Safes and Strongrooms
- AS/NZS 3016:2002 Electrical Installations – Electric Security Fences
- BS1722–12:2006 Fences – Specification for Steel Palisade Fences
- BS1722–14:2006 Fences – Specification for Open Mesh Steel Panel Fences
- BS EN 14450:2005 – Secure Storage Units. Requirements, Classifications and Methods of Test for Resistance to Burglary. Secure Safe Cabinets
- CAN/ULC-S319 Electronic Access Control Systems
- Designing out Crime: Crime Prevention Through Environmental Design
- HB 328:2009 Mailroom Security
- IES-G-1-03 Guidelines on Security Lighting for People, Property and Public Spaces
- JIS S 1037 – Standard Fire Test
- KSG 4500 – Fire Test – Fire Proof Safes
- National Guidelines for Crime Prevention through Environmental Design
- New Zealand Building Code
- Handling Requirements for Protectively Marked Information and Equipment
- Security Classification System
- Personnel Security Management Protocol
- Event Security
- Physical Security Management Protocol
- Business Impact Levels
- Reporting Incidents and Conducting Security Investigations
- Safeguarding Foreign Government Information (under development)
- Security Requirements of Outsourced Services and Functions
- NZS 4301.3:1993 Intruder Alarm Systems – Detection Devices for Internal Use
- New Zealand Information Security Manual – Product Sanitisation and Disposal – Media Disposal
- New Zealand Information Security Manual – Telephones and Telephone Systems
- NZSIS Equipment Selection Guidelines. This information is classified. Please contact the PSR team for further information.
- NZSIS Security Equipment Guide for Shredders (under development)
- NZSIS Technical Note – Class A Secure Room. This information is classified. Please contact the PSR team for further information.
- NZSIS Technical Note – Class B Secure Room. This information is classified. Please contact the PSR team for further information.
- NZSIS Technical Note – Class C Secure Room. This information is classified. Please contact the PSR team for further information.
- NZSIS Technical Note – Physical Security of Intruder Resistant Areas. This information is classified. Please contact the PSR team for further information.
- NZSIS Technical Note – Physical Security of Secure Areas. This information is classified. Please contact the PSR team for further information.
- NZSIS Technical Note – Physical Security of Zone 5 Areas. This information is classified. Please contact the PSR team for further information.
- NZSIS Type B SAS for New Zealand Government – Integration specification (under development)
- NZSIS Type B SAS Implementation and Operation Guide (under development)
- PAS 69:2006 Guidelines for the Specification and Installation of Vehicle Security Barriers
- Privacy and CCTV: A Guide to the Privacy Act for Businesses, Agencies and Organisations
- UL 72 – Tests for Fire Resistance of Records Protection Equipment
- UL 687 – Burglary-resistant Safes
- US FIPS 201.