The purpose of these requirements is to:
- provide a consistent and structured approach to the security requirements for employees working away from the office
- help agencies ensure the safety of personnel, information and assets
- help establish consistent terminology relating to working away from the office across the New Zealand government.
The audience for these requirements is:
- New Zealand government security management staff
- any other body or person responsible for the security of New Zealand government people, information or assets outside agency premises.
These requirements cover information and physical security measures employed by New Zealand government agencies to identify and mitigate the security risks to official information and assets, and protect their employees, when working outside agency facilities.
They provide a checklist for agencies reviewing Working Away from the Office security measures.
They support the implementation of the New Zealand Protective Security Requirements (PSR).
These requirements do not address security risks to employees who are working overseas.
General overseas travel advice is available online from the Ministry of Foreign Affairs and Trade (MFAT) Safe Travel website. Go to: www.safetravel.govt.nz
Agencies with employees travelling overseas may also refer to the New Zealand Information Security Manual - Working Off-Site.
Agencies must protect any information or assets provided by another government in accordance with international agreements.
Also refer to Safeguarding Foreign Government Information (under development).
Agencies must implement Information and Communications Technology (ICT) arrangements to meet:
1.4 Compliance requirements
A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are the baseline controls unless the control is demonstrably not relevant to the respective agency and this can be clearly demonstrated to the agency head or accreditation authority.
A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice. Valid reasons for not implementing a control could exist, including:
- a control is not relevant because the risk does not exist, or
- a process or control(s) of equal strength has been substituted.
Agencies must recognise that not using a control without due consideration may increase residual risk for the agency. This residual risk needs to be agreed and acknowledged by the agency head. In particular, an agency should pose the following questions:
- Is the agency willing to accept additional risk?
- Have any implications for All of Government security been considered?
- If so, what is the justification?
A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.
The PSR provides agencies with mandatory and best practice security measures.
The controls detailed above describe if and when agencies need to consider specific security measures to comply with the mandatory requirements.