1 Introduction

Print this section

1.1 Purpose

The purpose of these requirements is to:

  • provide guidance to agencies developing protective security policies, plans and procedures, using a consistent and structured approach
  • assist agencies to achieve a consistent approach to determining personnel, information, physical and procedural controls used to manage security risks
  • help agencies determine the level of control required to:
    • meet the security threat environment
    • give suitable protection to information, people and assets
    • provide assurance to other agencies for information sharing.
Back to the top of page Print this subsection

1.2 Audience

The audience of these requirements is:

  • New Zealand government security management staff
  • any other body or person responsible for developing protective security policies, plans or procedures on behalf of New Zealand government agencies.
Back to the top of page Print this subsection

1.3 Scope

These requirements relate to protective security measures:

  • within New Zealand government facilities
  • within other facilities handling New Zealand government information and assets
  • where New Zealand government employees are located.

These requirements provide best practice advice to agency security management staff.

Where legislative requirements are higher than controls identified in these requirements the legislative controls take precedence and should be applied.

Back to the top of page Print this subsection

1.4 Compliance requirements

A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are the baseline controls unless the control is demonstrably not relevant to the respective agency and can be clearly demonstrated to the agency head or accreditation authority.

A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice.  Valid reasons for not implementing a control could exist, including:

  1. a control is not relevant because the risk does not exist
  2. or a process or control(s) of equal strength has been substituted.

Agencies must recognise that not using a control without due consideration may increase residual risk for the agency.  This residual risk needs to be agreed and acknowledged by the agency head.  In particular an agency should pose the following questions:

  1. Is the agency willing to accept additional risk?
  2. Have any implications for All of Government security been considered?
  3. If so, what is the justification?

A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.

The PSR provides agencies with mandatory and best practice security measures.

The controls detailed above describe if and when agencies need to consider specific security measures to comply with the mandatory requirements.

Also refer to Strategic Security Objectives, Core Policies, and the Mandatory Requirements for Agencies

Back to the top of page Print this subsection

1.5 Relevant standards

Back to the top of page Print this subsection

2 Approach

Print this section

2.1 Developing policy, plans and procedures

Agencies must have policies in place that cover the reporting of security incidents, the management of security incidents and the conduct of security investigations.  These policies should specify the roles and responsibilities of staff involved in managing incidents and investigations.

After setting up a policy framework based on operational needs, the first stage in developing protective security policies, plans and procedures is asset identification and risk assessment as outlined in these requirements. 

The policy, plan and procedures then become intermeshed. The plan will include revision of the policy and procedures to treat and provide specific agency risk mitigation strategies (plans) and measures (controls – includes procedures) to be implemented over a prescribed time (plan).

Agency protective security policies, plans and procedures may be presented in a single document, separate documents or incorporated into other agency operations documents.

If agency protective security policies, plans and procedures are not in a single document, they should be developed in conjunction with one another, based on the agency risk assessment, as each document will influence the other.

The security policies, plans and procedures should consider the agency objectives and other agency operational policies and outcomes.

 

Diagram 1: Components of agency protective security

Components of agency protective security figure 1

Back to the top of page Print this subsection

2.2 Dissemination of policies, plans and procedures

Agencies must identify the appropriate employees and platform for/across which the security policies, plans and procedures are to be disseminated.

Agencies should consider utilising dissemination methods to reach a wider audience such as intranet sites and security education and awareness initiatives.

For more information, refer to the Security Awareness Training.

Security policies, plans and procedures require 'whole-of-agency' awareness to ensure effective implementation and management.

Back to the top of page Print this subsection

2.3 Review of policies, plans and procedures

All protective security policies, plans and procedures should be reviewed as the risk environment changes, or at least every two years.

These reviews should also identify any gaps in agency policy or mitigation measures and comply with New Zealand Government expectations as outlined in the PSR.

Back to the top of page Print this subsection

3 Asset identification and risk assessment

All protective security policies, plans and procedures must:

  • mitigate identified risks to agency assets, including personnel, information, physical assets and services (including third party dependencies),
  • apply controls to meet the New Zealand Government’s governance expectations
  • in the case of asset-sharing arrangements, apply controls to meet the other agencies’ expectations, whichever is the higher.

In addition to meeting general government policies, agency protective security policies must address any applicable legislative or policy requirements that are specific to the agency.

Asset identification and security risk management documents can form part of an agency security plan or be standalone and inform the agency protective security policies and plan.

Print this section

3.1 Asset identification

Agencies must identify all assets that are important to the ongoing operations of the agency or to the national interest.

Business Impact Levels provides a consistent model for agencies to use when assigning a value to assets based on the impact arising from the compromise of confidentiality, loss of integrity or unavailability of the assets.

Back to the top of page Print this subsection

4 Protective security policy

Agency protective security policy gives authority to all protective security controls used in the agency protective security plan and procedures. 

The controls are designed to treat the risks to agency assets and must meet the New Zealand government’s expectations.

The agency head, or his or her delegate, should approve protective security policy as agency policy. This will ensure that the policy can be enforced.

The Chief Security Officer (CSO) should actively monitor agency security policy to ensure that the policy continues to address the risks to the agency’s security.

Print this section

4.1 Components of protective security policy

Protective security policies must cover four key areas - governance arrangements, personnel security policy, information security policy and physical security policy.

Governance arrangements

Governance arrangements, including how protective security relates to other components of an agency’s operational governance, including, but not limited to:

  • security components of employee and public safety
  • security requirements in contracts
  • assigning security management roles
  • audit and compliance reporting
  • fraud control
  • sourcing and handling foreign government information
  • processes for policy exceptions
  • review and amendment.

Personnel security policy

Personnel security policy, including, but not limited to, the reasons supporting and authority for the policy and:

  • agency-specific checks for employees
  • security clearance requirements including on-going security clearance management
  • use of emergency access to protectively marked material
  • security violation, breach and infringement investigation and management arrangements.

Information security policy

Information security policy, including, but not limited to, the reasons supporting and authority for the policy and:

  • protective markings
  • Business Impact Levels (BILs)
  • Information and Communications Technology (ICT) access
  • email and internet use
  • removal of information from agency premises
  • control of agency information held by commercial entities
  • control of personal and commercial information held by agencies on behalf of other parties.

Physical security policy

Physical security policy, including, but not limited to, the reasons supporting and authority for:

  • agency employee and visitor access, there may be site-specific policies where there are different roles/risks in facilities
  • access by children
  • security and safety of people, in conjunction with other agency safety policies
  • remote-working and mobile computing
  • physical security of information.
Back to the top of page Print this subsection

4.2 Components of agency protective marking policy

Agencies must develop specific protective marking policies, plans and procedures based on the New Zealand Government Security Classification System.

Agencies must develop detailed guidance to identify agency-generated information that requires a protective marking. This will help to ensure that information is marked at the appropriate level.

An agency’s protective marking policy should mitigate information security risks and facilitate sharing arrangements.

A protective marking policy supplements the security plan and, while it may form part of the plan, the guide can be used as standalone advice to employees.

Each agency’s individual protective marking requirements should mitigate the impact of the compromise of the official information it holds. 

As such, the policy should be as comprehensive as possible. This can be achieved by consulting with representatives from every section within an agency.

The objectives of an agency protective marking policy should be to:

  • identify the value of the information
  • determine the level of protective marking needed, based on the impact of compromise of the confidentiality of the information.

Agencies with diverse functions may need to develop more than one protective marking policy, or sectionalise their policy based on function.

This will depend on the range of agency operations. Agencies may also need to develop policies to assist business partners to protectively mark sensitive or security classified information they may generate on behalf of the agency.

Protective marking and control of agency protective marking policy

The control and protective marking of the agency’s protective marking policy itself should be carefully considered against the business impact of the compromise of the confidentiality of the policy. 

Individual elements of the policy should be protectively marked as appropriate.

Grouping information

Grouping information by type and potential harm may make it easier for employees to select the appropriate protective marking. 

Examples of types of information are:

  • client information, for example, individuals or organisations
  • financial information, for example, accounts, budget or payments
  • personnel information, for example, payroll, medical or taxation
  • project information, for example, projects with similar objectives or processes might be grouped.

The groups could be further divided based on the impact of the compromise to individuals or organisations, the agency, the government, the national interest or national security.

Considerations when developing a protective marking guide

When developing agency protective marking guides agencies should also consider:

  • the capabilities of their ICT systems to label, store and transmit information
  • procedures for archiving information
  • procedures for disposing of unneeded information (in accordance with the Public Records Act 2005) through destruction, return to originator or transfer to another agency
  • protecting the integrity of information
  • establishing accountabilities and responsibilities for protectively marked material
  • balancing the need to make information as widely available as possible, while still protecting the national interest and national security.

Also refer to Handling Requirements for Protectively Marked Information and Equipment.

Areas that should be covered in an agency protective marking guide

Agency protective marking guides should include the following areas.

  • The agency protective marking policy (if not included as part of the agency information security management policy).
  • A summary of the types of information generated or held by the agency that require protective markings, possibly in the form of a ready reference for employees, based on:
    • the impact of the compromise of confidentiality
    • requirements for endorsement and/or compartmented markings
    • any legislative secrecy provisions.
  • How to apply protective markings to documents. Agencies should include procedures for the use of any templates in their systems and, for cases where templates are not applicable, document how to manually apply protective markings. Agencies should also consider including information on applying timeframes to protectively marked information when it is event-specific.
  • Procedures for applying protective markings to information generated as a result of protectively marked information being provided from other sources. This should include marking information at the same level or higher than that received and how to request permission to use part of the information at a lower level.
  • Procedures for protectively marking information received from foreign governments. Foreign government information must be handled in accordance with the articles of any agreements with the foreign governments. The agency protective marking guide could include a comparative protective marking table.
  • Who can apply protective markings. Some agencies require a senior officer to confirm the application of protective markings above a certain level, including the inclusion of endorsement and/or compartmented markings.
  • How to apply protective markings in the agency records management system. Electronic records management systems need to have the protective markings included in the document metadata.
  • How to apply protective markings to emails. Agency email systems should have a capacity to apply protective marking to emails. In addition, agencies should have procedures relating to what types of information can be emailed and to whom.
  • Agency protective marking review and declassification procedures. The archiving of protectively marked information can result in a large administrative and financial cost to agencies. As the impact of most information changes over time, agencies should have procedures to review the protective markings.

If not included in other areas of the agency’s information security procedures, agencies may include:

  • storage advice, including storage within the agency and using external providers
  • transmission procedure, show to transfer information to other agencies
  • destruction procedures (in accordance with the Public Records Act 2005), including the location and direction for use of shredders and bins.
Back to the top of page Print this subsection

5 Protective security plans and procedures

An agency’s protective security plan and procedures must treat the agency’s security risks and facilitate secure information sharing arrangements. 

Protective security procedures supplement the security plan and, while they may form part of the plan, can also be used as standalone advice to employees.

Each agency’s security plan will be different. It will reflect the agency’s individual protective security requirements and mitigation strategies according to threat levels and risks to assets and information. 

As such, a plan should be as comprehensive as possible and developed with attention to detail.

This can be achieved by:

  • developing the plan through consultation with representatives from every section within an agency
  • having extensive liaison with other staff directly involved with providing agency security infrastructure (for example, CSO, Chief Information Security Officer (CISO), Information Technology Security Manager (ITSM), Property Managers and Security Advisors) throughout the whole development process and during ongoing reviews.

A security plan is also a means by which an agency can review the degree of security risk that exists in different areas of its operations and make plans to treat risks.

The objectives of a security plan should be to:

  • identify areas of security risk through appropriate security risk assessments
  • outline practical steps that can be taken to minimise these risks.

An agency must develop site security plans for each individual agency site. The agency must assess each site separately so that the controls applied address the specific risks at each site.

Agency protective security plans and procedures will only be successful if senior management input and support is gained.

Print this section

5.1 Protective marking and control of the security plan

The protective marking and control of the complete security plan should be carefully considered against the business impact of the compromise of the confidentiality of the plan.

Individual elements of the plan should be protectively marked as appropriate.

Back to the top of page Print this subsection

5.2 Components of a security plan

The protective security plan covers controls to address all elements of protective security.

Governance arrangements

Governance arrangements should include, but not be limited to:

  • roles and responsibilities
  • contract service provider and third party security
  • disaster recovery and business continuity planning
  • reporting incidents and conducting security investigations
  • audit and compliance reporting
  • fraud control
  • review and amendment.

Governance arrangements may be standalone plans managed by other sections of the agency. If so, agency security management personnel should be consulted in the development of the individual plans.

Personnel security

Personnel security arrangements should include, but not be limited to:

  • personnel security provisions in the recruitment process, in conjunction with agency human resource management
  • national security vetting and clearance lists
  • contact reporting
  • security clearance management
  • ongoing security awareness training.

Information security

Information security arrangements should include, but not be limited to:

  • ICT access
  • protectively marked information archival, in conjunction with agency records management
  • cyber security
  • information handling within the agency, as well as when in transit or out of the office
  • ICT network security
  • electronic data storage and access
  • hardcopy information storage and handling.

Physical security

Physical security arrangements should include, but not be limited to:

  • site security plans
  • physical security of employees, visitors and the public on agency sites, in conjunction with agency safety plans
  • physical security of information
  • protection of physical assets
  • access control systems
  • security alarm systems
  • measures to increase security if agency-specific threats increase
  • security of disaster recovery or alternative agency sites, in conjunction with business continuity plans
  • physical security for remote working/working away from the office.
Back to the top of page Print this subsection

5.3 Security plan format

The following are suggested headings for security plans.

Foreword

The foreword to the security plan allows the agency head to state the importance of security planning, and endorse the plan, as well as outline the need for effective security risk management.

Statement of purpose and objectives

The statement of purpose and objectives links the security plan to the security policy.

It sets out the role and responsibility of the agency and links this to the security practices required to ensure minimal disruption to its operation and resources. 

In other words, what the agency considers its vital tasks are and how security relates to its ability to perform these tasks. It also takes into consideration the strategies reflected in an agency’s corporate plan.

The objectives of the security plan should be set out clearly.

Assessment of existing security measures

The assessment evaluates the agency’s current protective security arrangements and details current exposure as well as any potential threats.

This may be in the form of a formal threat assessment undertaken by competent agency personnel or a contracted service provider.

Main section

The main section of the plan should feature actions or strategies, resources needed, responsibilities and outcomes or performance indicators. These can be separate documents or incorporated into a single file.

  • Actions or strategies. The actions and strategies outline what needs to be done to meet the objectives and treat the security risks identified in the threat assessments or meet the controls needed to give assurance in asset sharing agreements. This section includes a timetable for these actions to occur.
  • Resources and responsibilities. The resources and responsibilities describe what resources are needed and who is responsible for implementing the strategies. In addition, this section details what ongoing resources are needed to maintain the required level of protective security and identifies resources that may be needed to implement additional precautions if the threat level increases. Such an event may happen at short notice.
  • Outcomes or performance indicators. The desired outcomes and performance indicators are detailed to allow an assessment of whether the objectives have been met. Indicators need to be measurable both in scope and time.

Examples of a performance indicator could be:

  • reduction in risk levels to the agency’s physical premises (possibly achieved by using Crime Prevention through Environmental Design concepts) to a defined level acceptable to the agency
  • reduction in fraud, theft or losses to agency resources or assets to a defined level acceptable to the agency.

Other sections

The plan should also include (as attachments) procedures developed to support the plan. The procedures may also be released as standalone documents to help inform employees.

Other attachments may include, but are not limited to:

  • the security risk assessment
  • site plans
  • policy documents
  • an agency-specific PSR compliance tracking/mapping spreadsheet
  • links to other agency operational and compliance plans.
Back to the top of page Print this subsection

About

Agencies should take an integrated approach to preparing their protective security policies, plans and procedures 

Search this document for:

Last modified: 18 December 2014

Acknowledgements and licensing information