1 Introduction


1.1 Purpose

The purpose of these requirements is to:

  • achieve a consistent approach to assessing protective security controls in agency facilities
  • assist agencies to protect their people, information and assets
  • assist agencies to identify any areas of non-compliance and address these through mitigation and education actions
  • assist agencies to evaluate the effectiveness of their protective security controls
  • improve agency protective security policies and procedures.

1.2 Audience

The audience of these requirements is:

  • agency heads and senior management responsible for security
  • Chief Security Officers (CSOs), Chief Information Security Officers (CISOs) and other agency security management personnel
  • contracted protective security management service providers.

1.3 Scope

Compliance with policy requirements is fundamental to effective and accountable governance, including the management of protective security policy.

Compliance reporting is designed to provide reasonable assurance to the government that agencies are complying with the New Zealand Protective Security Requirements (PSR) mandatory requirements.

The PSR is government policy and includes mandatory requirements that must be applied in accordance with the circumstances of each agency.

These requirements cover security governance, personnel security, information security and physical security.

The mandatory requirements of the PSR form the basis for agency self-assessment of protective security measures.

By adhering to the mandatory requirements of the PSR, agencies are implementing a consistent protective security standard across government.

This supports inter-agency cooperation and promotes information sharing.

Through the process of assessing compliance, agencies will be able to:

  • identify any areas of non-compliance and address these through mitigation and education actions
  • evaluate the effectiveness of agency protective security controls
  • improve agency protective security policies and procedures.

These requirements relate to protective security measures:

  • within New Zealand government facilities
  • facilities handling New Zealand government information and assets
  • where New Zealand government employees or contractors are located.

These requirements support mandatory requirement GOV5. They are part of a suite of documents that aid agencies to meet the protective security requirements.

Where legislative requirements are higher than controls identified in these requirements, the legislative controls take precedence and are to be applied.


1.4 Compliance requirements

A control with a ‘must’ or ‘must not’ compliance requirement is mandatory. Such controls form the baseline unless the control is demonstrably not relevant to the agency concerned, and that irrelevance can be clearly demonstrated to the agency head or accreditation authority.

A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is good, recommended practice. Valid reasons for not implementing such a control could exist, including:

  1. the control is not relevant because the risk does not exist
  2. a process or control(s) of equal strength has been substituted.

Agencies must recognise that not using a control without due consideration may increase the agency’s residual risk. This residual risk needs to be agreed and acknowledged by the agency head. In particular, an agency should pose the following questions:

  1. Is the agency willing to accept additional risk?
  2. If so, what is the justification?
  3. Have any implications for All-of-Government security been considered?

A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.

The PSR provides agencies with mandatory and best practice security measures.

The ‘must’ and ‘should’ compliance requirements described above indicate whether and when agencies need to apply specific security measures in order to comply with the mandatory requirements.

Also refer to Strategic Security Objectives, Core Policies and the Mandatory Requirements for Agencies.


1.5 Relevant standards


2 Benefits of mapping and reporting compliance

Compliance with the mandatory requirements will assist agencies to attain effective and appropriate protective security management in line with the New Zealand government’s expectations.

Compliance with the PSR provides benefits to government, portfolios and agencies.

Benefits to the New Zealand government

Benefits to government include:

  • providing a mechanism to assure the government that sound and responsible protective security occurs across government
  • enabling the identification of any serious or systemic protective security issues across government, which can then be addressed through policy changes and education programmes
  • enabling the government to identify and implement better practice protective security
  • enabling, where appropriate, the communication to ministers of significant compliance issues within their portfolios
  • promoting intra-portfolio cooperation between agencies to address portfolio-wide issues.

The information provided will be used to inform whole-of-government protective security status reporting.

Benefits to agencies

Benefits to agencies include:

  • the ability to identify and treat non-compliance issues on a timely basis
  • knowledge gained by one agency can be captured and issued to all relevant agencies, improving the efficiency and effectiveness of protective security practices
  • assurance about the security of information and asset sharing arrangements.

3 Accountabilities and responsibilities


3.1 Agency accountabilities and responsibilities

Agencies:

  • are accountable for meeting their protective security obligations and assessing the extent to which they comply with the PSR
  • must assign responsibilities for managing compliance to appropriately trained and competent employees
  • must provide employees, including contractors, with the necessary information and assistance to promote compliance and advise of any consequences of non-compliance
  • upon request, must report on their level of compliance and significant or systemic protective security issues, including any corrective actions to mitigate the issues
  • must document policy exceptions to provide a record they can use to assess their compliance with the mandatory requirements of the PSR
  • should, where necessary, strengthen existing internal controls and mechanisms based on their compliance and risk assessments.

3.2 Employee accountabilities and responsibilities

Employees:

  • should, as a condition of accepting employment within an agency, agree to comply with protective security policy as directed by agency management
  • should be aware of the consequences of failure to comply with the PSR mandatory requirements.

3.3 Agency head accountabilities and responsibilities

Agency heads should be responsible for:

  • ensuring their agency complies with the PSR
  • reporting on the effectiveness of the agency’s protective security policies and procedures in complying with the mandatory requirements.

3.4 Employees responsible for protective security management

Employees who are responsible for protective security management, including CSOs and CISOs, should:

  • effectively manage their agency’s security, including applying appropriate protective security measures based on their risk profile
  • liaise with relevant security, governance and compliance personnel, in particular, where there is a centralised approach to compliance management
  • assist with the organisation and coordination of risk assessments, internal audits, and compliance reviews
  • advise on the compliance requirements relevant to their agency
  • record and manage exceptions
  • identify and arrange for the provision of appropriate training needed to improve or ensure compliance
  • prepare an agency compliance exception report against the mandatory requirements of the PSR, or provide input to the report where the compliance reporting role is undertaken elsewhere within the agency.

4 Compliance reporting

Certain agencies must report, externally and in writing, on their compliance with the mandatory requirements of the PSR, confirming that:

  • they have undertaken an assessment against the mandatory requirements
  • compliance for each mandatory requirement is being effectively managed
  • any unacceptable risk relating to these mandatory requirements has been treated appropriately
  • their compliance obligations have been met.

The written report from the agency head must:

  • contain a declaration of compliance with the mandatory requirements
  • where not compliant, state any areas of non-compliance, identifying:
    • details on measures taken to mitigate identified risks
    • areas of non-compliance requiring further action
    • any proposed future measures to address non-compliance
    • any residual risks.

Agency heads are the accreditation authority for compliance requirements at RESTRICTED and below. Agencies should also advise any non-compliance with specific PSR mandatory requirements to the relevant parties listed below.

  • The Director, Government Communications Security Bureau (GCSB), for matters relating to CONFIDENTIAL and above material and the New Zealand Government Information Security Manual (NZISM).
  • The Government Chief Information Officer (GCIO) for matters relating to Information and Communications Technology (ICT) risk.
  • The Director of Security, New Zealand Security Intelligence Service (NZSIS), for matters relating to national security.
  • The heads of any agencies whose people, information or assets may be affected by the non-compliance if not already advised when the non-compliance was first identified.

Agencies should advise the GCSB, NZSIS or affected agencies, as applicable, at the time of any incident.

Also refer to Reporting Incidents and Conducting Security Investigations.


4.1 Measuring compliance

Agencies should develop policies and procedures to measure their compliance against the mandatory requirements of the PSR.

Agencies should develop an agency-specific compliance checklist to aid in measuring their compliance.

The template in Annex A, and the other self-assessment supporting files, have been provided to assist agencies.


Last modified: 18 December 2014