1 Introduction

Print this section

1.1 Purpose

The purpose of these requirements is to:

  • provide a consistent and structured approach to the security requirements for employees working away from the office
  • help agencies ensure the safety of personnel, information and assets
  • help establish consistent terminology relating to working away from the office across the New Zealand government.
Back to the top of page Print this subsection

1.2 Audience

The audience for these requirements is:

  • New Zealand government security management staff
  • any other body or person responsible for the security of New Zealand government people, information or assets outside agency premises.
Back to the top of page Print this subsection

1.3 Scope

These requirements cover information and physical security measures employed by New Zealand government agencies to identify and mitigate the security risks to official information and assets, and protect their employees, when working outside agency facilities.

They provide a checklist for agencies reviewing Working Away from the Office security measures.

They support the implementation of the New Zealand Protective Security Requirements (PSR).

In particular, they support the Physical Security Management Protocol and Information Security Management Protocol and associated requirements.

These requirements do not address security risks to employees who are working overseas.

General overseas travel advice is available online from the Ministry of Foreign Affairs and Trade (MFAT) Safe Travel website. Go to: www.safetravel.govt.nz

Agencies with employees travelling overseas may also refer to the New Zealand Information Security Manual - Working Off-Site.

Agencies must protect any information or assets provided by another government in accordance with international agreements.

Also refer to Safeguarding Foreign Government Information (under development).

Agencies must implement Information and Communications Technology (ICT) arrangements to meet:

Back to the top of page Print this subsection

1.4 Compliance requirements

A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are the baseline controls unless the control is demonstrably not relevant to the respective agency and can be clearly demonstrated to the agency head or accreditation authority.

A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice.  Valid reasons for not implementing a control could exist, including:

  1. a control is not relevant because the risk does not exist
  2. or a process or control(s) of equal strength has been substituted.

Agencies must recognise that not using a control without due consideration may increase residual risk for the agency.  This residual risk needs to be agreed and acknowledged by the agency head.  In particular an agency should pose the following questions:

  1. Is the agency willing to accept additional risk?
  2. Have any implications for All of Government security been considered?
  3. If so, what is the justification?

A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.

The PSR provides agencies with mandatory and best practice security measures.

The controls detailed above describe if and when agencies need to consider specific security measures to comply with the mandatory requirements.

Also refer to Strategic Security Objectives, Core Policies and the Mandatory Requirements.

Back to the top of page Print this subsection

2 Working Away from the Office

Working away from the office includes all work undertaken by the agency using mobile employees and remote-workers, that is, work outside of normal agency facilities.

The types of working away from the office that normally require ICT support are:

  • mobile computing and communications
  • remote-working.

Mobile employees may undertake work away from the office without ICT support, for example, using hard copy information.

With the availability of mobile telephones, personal computing devices and wireless computing, the instances of working away from the office where ICT support is not available, or required, are diminishing.

Working away from the office may include fieldwork undertaken on behalf of the agency by contractors, but does not include any work undertaken by contractors in their own facilities. Agencies must address any security requirements in these situations within specific terms and conditions in the contract.

Also refer to the Security of Outsourced Services and Functions.

Print this section

2.1 Mobile computing and communications

Mobile computing and communications is work from a non-fixed location using portable computing/communications devices such as laptops, notebooks, tablets, smart mobile phones and PDAs. 

Mobile computing and communications includes, but is not limited to,:

  • fieldwork
  • occasional work from home without a remote-working agreement
  • temporary work from a client’s facilities or ongoing work from a client’s premises where the parent agency cannot assure the protective security arrangements
  • working in transit where the potential for oversight and overhearing is high.

Agencies should pay close attention to the environment in which workers are expected to operate, as this can range from airport lounges to another agency's office to a remote location and may have a significant impact on security requirements.

While agencies may find it hard to implement some elements of protective security in mobile computing and communications arrangements, they must take all reasonably practicable measures to ensure the physical safety of mobile employees.

Agencies should also address any other protective security concerns.

Refer to Annex A.

Most mobile computing locations are Zone One physical security areas.

See the Security Zones and Risk Mitigation Control Measures.

It may not be possible to apply suitable physical security measures to satisfy a higher Security Zone requirement for mobile computing and communications, and agencies should rely on administrative and ICT security controls to protect their information and assets.

For more information, refer to the New Zealand Information Security Manual.

Back to the top of page Print this subsection

2.2 Remote-working

Remote-working provides agencies and employees with flexibility in meeting their objectives by allowing employees to work from alternate fixed locations.

Remote-working may also be a strategy in an agency’s business continuity planning.

Remote-work is distinguished from mobile computing by having a controlled environment.

Remote-work is subject to a formal agreement between the agency and the employee. Agencies must treat work from locations that have not received prior approval as mobile computing.

Remote-working includes working away from the office using remote ICT systems in fixed locations such as:

  • Working from home on a regular basis, which may include:
    • work from home as a normal work arrangement, either full time or part time
    • arrangements for staff to regularly work from home outside of normal work hours (day-extender)
    • a regular casual remote-working arrangement, for example, primary care-givers.
  • Working from alternative office space:
    • provided on an ongoing basis to the agency, in client premises, where the agency has some ability to provide protective security
    • provided by the agency in another location, for example business continuity sites or regional sites
    • located in another New Zealand government agency’s facilities.

Agencies may wish to supply part time remote-workers with a dedicated portable device to use in both locations to avoid synchronisation problems and reduce costs.

As for part time remote-workers, day extenders may use a single device.

Day extenders may have an expectation of agency ICT support at any time, day or night.

As remote work locations are often fixed and the location is known to other members of the agency and the employees’ associates, there may be additional security risks to agency remote-workers, information and assets.

Agencies must assess the protective security requirements of all remote-working locations, including:

  • security clearance management
  • personal security and safety
  • information and ICT security
  • physical security.

Refer to Annex A.

The level of physical security required will depend on the business impact level of any compromise, loss of integrity or unavailability of agency information or assets, or the potential for harm to remote-workers.

Prior to implementing remote-working arrangements, agencies must assess the suitability of the protective security measures of any proposed locations where the compromise of official information or assets handled at the location would have a business impact level of high or above.

See Business Impact Levels 

Agencies should also assess the suitability of protective security measures in other remote-working locations.

Refer to Annex A.

Most remote-working locations will meet Zone Two physical security requirements without significant modifications to the remote-working site. 

See Security Zones and Risk Mitigation Control Measures.

Remote-working from home

Remote-working from home must be subject to an agreement between management and the employee.

Remote-working agreements normally require an assessment of the home office or work site.

Refer to Annex B for links to sites that provide advice on developing remote-work agreements.

Remote-working assessments should assess compliance with any human resources and occupational health and safety requirements, and include all relevant security elements identified later in these requirements.

Also refer to Annex A.

Remote-working communications arrangements

Agencies must include at least the following in any remote working agreements:

  • conditions of employment
  • occupational health and safety arrangements
  • security requirements.

The agreement should:

  • identify appropriate technology required to access information accessed from the remote-working location, refer to (New Zealand Information Security Manual - Working Off-Site)
  • determine what equipment the agency will provide, what equipment the remote-worker will provide and what will be shared, including any specific controls relating to use of personal equipment
  • detail how technical assistance is to be provided in the event of equipment failure or disruption
  • determine the physical attributes of the remote-work office and whether they conform to safety and security standards
  • articulate availability expectations, for example being contactable by telephone or email. General employment considerations and advice on employment agreements can be sought from the Ministry of Business, Innovation and Employment (MBIE)
  • provide remote-worker emergency procedures
  • identify procedures to change the agreement.
Back to the top of page Print this subsection

2.3 Working away from the office without ICT support

Working away from the office without ICT support can occur in any of the locations identified for mobile computing and communications or remote-working.

The employee may still have access to official information in hard copy and agency assets which must be protected.

Back to the top of page Print this subsection

3 Personal safety when working out of the office

Agencies have a responsibility under the Health and Safety at Work Act 2015, Health and Safety in Employment Regulations 1995 and relevant codes of practice to take all reasonably practicable steps to address any risks and prevent injury to their employees, their clients and the public outside of agency facilities as a result of agency actions.

The safety and security of employees should take precedence over security of agency information and assets.

Employees should not unreasonably put themselves at risk of injury or harm to protect agency information or assets.

Chief Security Officers (CSO) and Health and Safety Officers should work together to develop agency requirements to assist in reducing risks to staff safety and improving staff security when out of the office. 

The requirements should include:

  • identifying potential hazards and risks, the likelihood of the hazards or risks occurring and appropriate risk mitigation measures
  • preventive measures that staff can take prior to leaving the office
  • actions to take in an emergency
  • dealing with clients and the public
  • vehicle safety and security when transporting protectively marked information and equipment
  • personal risks when carrying/protecting valuables and attractive agency information and assets
  • incident reporting procedures.

For more information, refer to Annex B

Print this section

4 Protecting agency information and physical assets

Agencies must:

  • assess the risks to New Zealand government information and assets
  • ensure staff are appropriately briefed and trained to comply with agency-specific requirements relating to the protection of agency information and physical assets
  • mitigate the risks to agency information and assets to an acceptable level
  • apply controls to give assurance in information and asset sharing arrangements when working away from the office.
Print this section

4.1 ICT security

Agencies must meet all ICT security requirements for remote-working and mobile computing specified in the New Zealand Information Security Manual - Working Off-Site prior to the commencement of the arrangement.

ICT security for remote-working equipment can be difficult to enforce.

When remote-working is performed on agency-provided equipment, it is reasonable to expect that the equipment will be used in a similar way to ICT equipment located in the agency.

Agencies should clearly define reasonable personal use in their remote-work and mobile computing and communications policies.

There is the potential for agency-provided equipment to be used by members of the employee’s family in home-based remote-working arrangements. Agencies should clearly detail any requirements, or restrictions, regarding the use of agency equipment by members of a remote-worker’s family and these should be included in all home-based remote-work policies.

Mobile portable computing devices are most at risk from people wishing to steal the equipment for:

  • the resale value of the equipment
  • access to the information held on the equipment.

Agencies should reduce the risk of unauthorised access to information through robust encryption on mobile computing devices.

Agencies must:

Agencies must treat any unencrypted information on a device that is lost as compromised.

Agencies must also evaluate the potential for compromise when determining the impact of the loss of any encrypted information.

Use of an employee’s personal ICT equipment

Unless agencies can manage the safe disposal or sanitisation of an employee’s personal ICT equipment, agencies should not allow the use of personal ICT equipment for processing agency information with a business impact from the compromise of information of high or above, or protectively marked RESTRICTED or above.

Agencies should frequently assess the risks of allowing employees to use personal or private ICT equipment for agency business.

Even when using remote access devices that do not allow agency information to be stored on non-volatile memory, there is the potential for agency information to be stored on volatile memory of the equipment.

For more information, refer to the New Zealand Information Security Manual.

Agencies should also communicate to employees that information is written to the volatile memory of ICT equipment when working from a USB stick, or similar device storage device, causing risk.

For more information, refer to:

Use of public ICT equipment, wireless networks and communications

Agencies must prohibit employees from accessing protectively marked information on public computers or other public ICT communication devices.

All information accessed on public ICT equipment, for example internet cafes, hotel business centres or airport lounges is at risk. The agency has no control over who can access the equipment nor the security features or applications enabled on the equipment by its owner or manager.

Back to the top of page Print this subsection

4.2 Physical protection of official information when away from the office

Prior to its use, agencies should determine if any work space outside of the office can:

  • appropriately secure protectively marked information stored at the work area
  • be independently secured
  • be protected from oversight or overhearing by other people, including family and children.

Agencies should also determine if ICT equipment used in the work area can be secured or segregated from the agency’s ICT system.

Agencies should determine their own procedures to ensure appropriate accreditation of proposed sites. This would normally require a security inspection of the proposed sites.

Protectively marked information

Agencies should prohibit protectively marked information being stored outside their offices unless the information will be stored in accordance with the Information Security Management Protocol, the Physical Security Management Protocol and supporting requirements.

This includes the accreditation of any ICT and physical security arrangements.

Agencies should not allow the storage of TOP SECRET information outside of agency premises unless it is critical for an operation. Agencies must have the New Zealand Security Intelligence Service (NZSIS) certify all storage of TOP SECRET information.

Conversation security

Agencies must develop procedures to protect sensitive or protectively marked offsite conversations from being overheard.

It may be impossible to prevent determined adversaries, including foreign intelligence services, from listening to conversations held outside of audio secure areas.

Agencies should only allow protectively marked conversations outside of audio secure areas if it is critical to an operation.

Agencies should seek advice from information originators prior to allowing conversations involving information protectively marked at SECRET outside of audio secure areas.

Agencies should seek advice from NZSIS and the originating agency prior to allowing conversations involving information protectively marked at TOP SECRET outside of audio secure areas.

The following measures may reduce the threat of sensitive or protectively marked conversations being accidentally overheard or recorded.

 

  • Sensitive or protectively marked conversations, including telephone calls, should not be held in hire cars, taxis, shuttles, official vehicles, hotel rooms or conference rooms unless measures have been taken to ensure audio security. These areas are at high-risk of audio surveillance, particularly when travelling overseas.
  • Holding protectively marked conversations in closed public spaces, while sitting or standing in one place, easily allows the conversation to be overheard or recorded. Classified conversations held in public, on aircraft, in airport lounges, while at the local café or in other locations known to be frequented by agency personnel are at significant risk and should be discouraged.
  • The risk of audio interception is greatly increased when travelling overseas. Wherever possible classified official information, including conversations/telephone calls, should be accessed within secured facilities. Allied secure facilities are acceptable, provided they are accredited to the appropriate level and the information being discussed is permitted to be shared with the allied government.
  • Where no secure facility is available and a protectively marked conversation/telephone call is essential the employee should find an open public place such as a park or other open area and conduct the conversation while walking, being careful to ensure the conversation is not overheard by casual observers. Parks and open areas offer the greatest protection from casual audio surveillance. ‘White noise’, for example running water such as fountains, may also reduce the ability to remotely record conversations without specialist equipment.

It is much easier to record a conversation than it is to record a laptop's screen.

The risk of conducting sensitive or protectively marked conversations in unsecured places is much greater than reading an email or typing a document.

Physical security of official information in private client facilities

Agencies can find it difficult to adequately secure their information when their staff are located inside commercial or private client facilities.

Agencies will not normally have control over client alarm or keying systems.

Unless agencies have full control over the office space occupied by their staff in client facilities, agencies should treat any non-New Zealand government facilities as Zone One areas for information and asset storage.

Options for transferring information to remote locations

It is unrealistic to expect staff to maintain physical custody of the information at all times if it cannot be carried on their person.

However, agencies should restrict the use of removable ICT media, such as USB sticks and portable hard-drives, to carry large quantities of information as they are easily lost.

Information is at considerable risk when being transported. Agencies should consider all alternatives prior to giving approval for the transport of information to remote locations by employees.

These can include:

  • remote secure access to agency ICT networks (if a connection can be arranged)
  • transport to nearby New Zealand government or jurisdictional facilities by endorsed couriers or secure networks for collection by employees once onsite
  • storage of the information on a Government Communication Security Bureau (GCSB) approved portable device that provides additional logical controls to prevent unauthorised access.

Where alternative transport cannot be arranged, agencies should if possible make arrangements to secure information during breaks in trips in suitable New Zealand government or New Zealand government-approved jurisdictional government facilities.

For more information, refer to Security Zones and Risk Mitigation Control Measures.

Disposal of official information

Agencies should have procedures in place for the secure disposal of official information for all working away from the office situations.

These procedures should be included in any employee briefing or agreement.

Agencies must ensure all protectively marked information is returned to their premises for destruction unless they have approved destruction equipment located off-site.

Back to the top of page Print this subsection

4.3 Protecting agency assets

Assets are more vulnerable to loss outside the office environment. 

An agency should:

  • include any assets provided to employees who are working away from the office in the agency’s asset management register, even when the value of the assets is below the threshold normally applied to control agency assets
  • only allow employees to remove assets from agency facilities that are necessary for the performance of their out-of-the-office duties
  • assign custody of each asset to individual employees prior to allowing the asset’s removal from agency premises
  • advise employees of their responsibilities to safeguard any agency assets which have been entrusted to them
  • provide employees with incident reporting procedures in the event assets are lost or damaged.

Portable assets

Most assets that are used by employees out of the office are portable. 

Once removed from agency premises portable assets are more at risk. 

These assets can include, but are not limited to:

  • vehicles
  • mobile computing devices, including mobile communication devices
  • security containers and other furniture
  • weapons
  • animals
  • samples, for example biological or chemical samples
  • specialist, scientific or research equipment
  • cultural or collection material.

In addition to any legislative requirements to protect dangerous assets, agencies should:

  • advise employees of all measures they should take to safeguard agency portable assets prior to allowing the assets out of the office
  • include a schedule of equipment provided to employees as part of any remote-work agreements
  • have employees sign for any equipment prior to removing it from agency premises.

Assets should not be left in vehicles that are unattended by agency personnel unless unavoidable or physical security measures are in place to protect the vehicle and its contents.

Assets left in hotel rooms or hotel safes will be at risk, particularly when travelling overseas.  The risks to the assets should be evaluated and treated prior to departure.

When travelling, assets in carry-on luggage are more secure than checked in baggage, providing the carry-on luggage remains in the employee’s control.

Agencies must treat as compromised any information contained in misplaced, lost or stolen physical assets.

Security alarm system options

Agencies should evaluate the need for security alarm systems in remote-working arrangements as part of the remote-working risk assessment.

If a security alarm system is required, then agencies should use a system that meets AS/NZ 2201.1:2007 Class 2 or above.

Agencies may use portable alarm systems to protect assets in other mobile work situations, for example vehicles may be fitted with alarms and engine immobilisers.

For more information, refer to Security Zones and Risk Mitigation Control Measures.

Locating assets in private client facilities

Agencies may not be able to control the security of assets located in client premises, even when given a dedicated work space.

Where security cannot be assured, agencies should evaluate the risks to their assets in a similar way to any other unsecure off-site work environment.

Agency assets that are used to regulate the client’s activities may require additional protection where tampering with the assets could compromise the regulation activities.

Reporting incidents

Where employee safety is at risk the employee should in the first instance, if possible, contact the local police for assistance.

Once their safety is assured they should report the incident to their agency.

Agencies must have procedures in place for mobile workers to report security incidents. These procedures should include reporting:

  • any security incident involving agency information and assets
  • other incidents at their work location.

Agencies should consider their ability to respond to, and investigate, incidents that occur outside of their premises when developing incident response procedures for mobile workers. 

For more information, also refer to the Reporting Incidents and Conducting Security Investigations.

Back to the top of page Print this subsection

About

These requirements cover information and physical security measures employed by New Zealand government agencies to identify and mitigate the security risks to official information and assets and protect their employees, when working outside agency facilities.

Search this document for:

Last modified: 18 December 2014

Acknowledgements and licensing information