1 Introduction

1.1 Purpose

The purpose of these requirements is to:

  • achieve a consistent approach to protective security controls in agency facilities
  • help agencies to identify and report security incidents
  • help agencies to conduct security investigations
  • assist agencies to protect their people, information and assets.

1.2 Audience

The audience of these requirements is:

  • New Zealand government security management staff
  • any individual responsible for the security of New Zealand government people, information or assets
  • any individual who has been delegated with protective security responsibilities under the New Zealand Protective Security Requirements (PSR).

1.3 Scope

These requirements cover:

  • identifying and addressing security incidents as part of the New Zealand government’s protective security measures
  • best practice methods for conducting security investigations.

The effective administration of security incidents and investigations is a basic part of good security management. 

Information gathered on security incidents and during investigations may highlight the need for agencies to reassess the effectiveness of current practices or arrangements and is a key driver for continuous improvement activities. 

In turn, good security management helps to contain the effects of a security incident and enables agencies to manage the consequences of a security incident and to recover as quickly as possible.

These requirements provide a flexible structure to enable agencies to manage the risks posed by security incidents. 

Not all security incidents are significant enough to warrant investigation and agencies are encouraged to seek guidance from the appropriate supporting agencies identified within these requirements.

The conduct of investigations is part of an agency’s security management process. A security investigation will establish the cause and extent of an incident that has, or could have, compromised the New Zealand government.  

A security investigation should reinforce security strategies that are designed to protect both the interests of the New Zealand government and the rights of affected/implicated individuals.

1.4 Compliance requirements

A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are the baseline controls; a mandatory control may be omitted only where it is demonstrably not relevant to the agency concerned and this can be clearly demonstrated to the agency head or accreditation authority.

A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice.  Valid reasons for not implementing a control could exist, including:

  1. a control is not relevant because the risk does not exist
  2. a process or control(s) of equal strength has been substituted.

Agencies must recognise that not using a control without due consideration may increase residual risk for the agency. This residual risk needs to be agreed and acknowledged by the agency head. In particular, an agency should ask the following questions:

  1. Is the agency willing to accept additional risk?
  2. Have any implications for all of Government security been considered?
  3. If so, what is the justification?

A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.

The PSR provides agencies with mandatory and best practice security measures.

The controls detailed above describe if and when agencies need to consider specific security measures to comply with the mandatory requirements.

Also refer to Strategic Security Objectives, Core Policies, and the Mandatory Requirements.

1.5 Relevant standards

The standards relevant to these requirements are:

2 Security incidents

A security incident is:

  • a security violation, security breach or security infringement of protective security policy or procedure (refer to Annex A)
  • an approach from anybody seeking unauthorised access to official resources
  • any other occurrence that results, or may result, in negative consequences for the security of the New Zealand government, its institutions or programmes.

Refer to Contact Reporting for separate advice on recognising and reporting approaches by foreign officials seeking unauthorised access to official resources.

Agency role

Agencies must assess the harm from any security incident to determine the impact on the New Zealand government of actual or suspected loss, compromise or disclosure.

The agency is also responsible for:

  • identifying whether the incident is a minor security incident (an infringement or breach) or a major security incident (a violation, which the agency must report to the appropriate responsible agency)
  • reporting the incident to the New Zealand Security Intelligence Service (NZSIS), Government Communications Security Bureau (GCSB), Government Chief Information Officer (GCIO) and/or other relevant agencies, depending on the nature of the incident.

Agencies must report and record security incidents to monitor security performance and to help agencies identify security risks so they can implement appropriate controls.

2.1 Examples of security incidents

Examples of incidents that agency employees and contractors must report to agency security staff are:

  • criminal actions such as actual or attempted theft, break and enter, vandalism, fraud or assault
  • natural occurrences such as fire or storm damage which may compromise agency security
  • incorrect handling of protectively marked information such as:
    • failing to provide the required protection during transfer or transmission resulting in a data spill on an electronic information network or system
    • failing to store protectively marked information in an appropriate security container
    • failing to correctly secure security containers
    • accessing official information without authorisation
    • sharing official information with a person who is not authorised to access it
    • sharing computer passwords or other access control mechanisms
    • any unauthorised use of official resources.

2.2 Roles and responsibilities in security incident reporting

Agencies must have a policy in place for security incident reporting.

Agency security policies relating to the administration of security incidents and the conduct of security investigations should specify the roles and responsibilities of staff involved in the administration of security incidents and the conduct of security investigations.

Agency heads

The agency head should ensure procedures are implemented to facilitate reporting of security incidents by agency employees, contractors and contractor employees. 

Agency heads should also ensure that adequate records are kept to report on the agency’s security performance and continuing security requirements.

Programme and senior executive managers

Programme and senior executive managers are responsible for, and should actively support, the implementation and maintenance of procedures for security incident reporting and recording within the areas under their control and within the agency in general.

Programme and senior executive managers should seek advice from the Chief Security Officer (CSO) to assist them in carrying out these responsibilities.

An agency senior management member, independent of the incident, should be responsible for approving the terms of reference and objectives for any security investigation, and should ensure that he or she receives regular reports on investigation progress.

Managers

Managers should ensure security incidents are reported to the CSO and should liaise closely with the CSO on any security concerns. 

Managers should consult with the CSO and Chief Information Security Officer (CISO) regarding a security incident involving the agency’s ICT systems.

Managers have an important role to play in security incident reporting. Their supervisory role makes it probable that they could be the first to detect a security incident. 

Additionally, their detailed knowledge of their staff makes it likely they will become aware of any behaviour that may be of security concern. 

Chief Security Officer (CSO)

The CSO is responsible for receiving and actioning information regarding security incidents.

The CSO should record security incidents and investigation outcomes to enable regular reporting to senior management on agency security performance. Staff should inform the CSO of all security incidents.

Chief Information Security Officer (CISO)

The CISO is responsible for receiving and actioning incidents relating to ICT system or content security incidents.

These include denial of service attacks, targeted malicious email attacks and loss of ICT assets or information.

The CISO should report all major ICT security incidents to the National Cyber Security Centre (NCSC).

The CISO should inform the CSO of any ICT security incidents and the likely impacts to the agency. The CISO may have a role in the investigation of any ICT security incident.

Agency employees

Agencies must advise all agency employees, including contractors and contractor employees, that they have a responsibility to comply with agency procedures for reporting security incidents. 

Agencies must provide these same employees, contractors and contractor employees with security awareness training.

Refer to GOV6

3 Reporting security incidents

Agencies should establish a formal incident reporting and response procedure and report all protective security incidents through appropriate channels.

This may include reporting the circumstances of any contact with people or agencies seeking to obtain information for which they do not have a need-to-know and/or through unauthorised means.

Agencies must make all staff aware of their responsibilities and the procedure for reporting security incidents.

For advice on actions to be taken following breaches of cyber security, refer to the New Zealand Information Security Manual - Cyber Security Incidents.

3.1 Reporting security weaknesses

Agencies should require staff to note and report any observed or suspected security weaknesses in, or threats to, procedures, policies, systems or services.

Staff should report these matters to the appropriate authority as quickly as possible. Staff should be aware that they should not, in any circumstances, attempt to prove a suspected weakness before reporting.

This is for their own protection, as testing weaknesses might be interpreted as a potential misuse of the system.

3.2 Learning from incidents

Agencies should have procedures in place to quantify and monitor the types, volumes and costs of incidents and malfunctions.

This information should be used to:

  • identify recurring or high-impact incidents or malfunctions
  • indicate the need for enhanced or additional controls to limit the frequency, damage and cost of future occurrences
  • inform the security policy review process.

3.3 Disciplinary process

Agencies should have a formal disciplinary process for employees who have violated the agency’s security policies and procedures.

This may be part of the agency's general disciplinary process for misconduct related issues.

The disciplinary process can:

  • act as a deterrent to staff who might otherwise be inclined to disregard security procedures
  • ensure correct, fair treatment for staff who are suspected of committing serious or persistent breaches of security.

Staff should be made aware of the disciplinary process as part of workplace induction training, and it should also be included in the agency’s security education programme.

3.4 Procedures for ensuring staff report recorded security incidents

Agency security policy

The agency security policy and procedures should make provisions for reporting security incidents by:

  • requiring that agency staff and contractors report security incidents
  • including formal procedures and mechanisms to make it easy to report security incidents
  • requiring the CSO to maintain records of any reported incidents and any other security incidents.

Agency security awareness training to include reporting security incidents

An agency’s security awareness training must include details about the:

  • agency’s procedures for reporting security incidents
  • responsibility of staff to report security incidents.

3.5 Recording incidents

Agencies should develop a mechanism for recording incidents that best suits their security environment and operational requirements. 

Records of security incidents should include:

  • time, date and location of security incident
  • type of official resources involved
  • description of the circumstances of the incident
  • nature of the incident (deliberate or accidental)
  • assessment of the degree of compromise or harm
  • summary of immediate and/or long term action taken.

Recording security incidents provides valuable insights into an agency’s security environment and performance. 

For instance, multiple minor security incidents could indicate poor security awareness and could alert the agency to the need for increased security training and education.

CSOs should regularly report details of security incidents and any trends to the agency chief executive. 

The statistical information gathered by agencies through security investigations and contact reporting will assist each agency to determine if it requires additional protection and security measures.
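The following is an added example, not a tool from the PSR or any agency, of an incident register that enforces the record fields listed above (time, date and location; resources involved; circumstances; deliberate or accidental; harm assessment; action taken) and then uses those records for the trend monitoring described in 3.2 (recurring incident types, volume of minor incidents, major incidents that must be reported onward). The `category` values (`infringement`, `breach`, `violation`) follow the minor/major split in section 2; the `incident_type` labels and all sample incidents are constructed for the example and are not PSR field names.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed encoding of the section 2 split: infringements and breaches are
# minor incidents, violations are major incidents (must be reported onward).
MINOR_CATEGORIES = {"infringement", "breach"}
MAJOR_CATEGORIES = {"violation"}
# Free-text fields that section 3.5 says every record should contain.
TEXT_FIELDS = ("location", "resources", "description", "harm", "actions")


@dataclass
class IncidentRecord:
    when: datetime          # time and date of the incident
    location: str           # where it occurred
    resources: str          # type of official resources involved
    description: str        # circumstances of the incident
    deliberate: bool        # nature: True = deliberate, False = accidental
    category: str           # "infringement", "breach" or "violation"
    harm: str               # assessment of the degree of compromise or harm
    actions: str            # summary of immediate and/or long-term action taken
    incident_type: str      # constructed short label used for trend counting (3.2)

    def missing_fields(self) -> list[str]:
        """Names of required free-text fields that are empty."""
        return [f for f in TEXT_FIELDS if not getattr(self, f).strip()]

    def severity(self) -> str:
        """'minor' for infringements and breaches, 'major' for violations."""
        if self.category in MINOR_CATEGORIES:
            return "minor"
        if self.category in MAJOR_CATEGORIES:
            return "major"
        raise ValueError(f"unknown category: {self.category!r}")


class IncidentRegister:
    def __init__(self) -> None:
        self.records: list[IncidentRecord] = []

    def add(self, record: IncidentRecord) -> list[str]:
        """Store the record if complete; return the missing field names otherwise."""
        record.severity()  # reject unknown categories before storing anything
        missing = record.missing_fields()
        if not missing:
            self.records.append(record)
        return missing

    def counts_by_type(self) -> Counter:
        """Volume of incidents per type, the raw input for 3.2 monitoring."""
        return Counter(r.incident_type for r in self.records)

    def recurring(self, threshold: int = 2) -> list[str]:
        """Incident types seen at least `threshold` times (recurring incidents)."""
        return sorted(t for t, n in self.counts_by_type().items() if n >= threshold)

    def major(self) -> list[IncidentRecord]:
        """Violations: the agency must report these to the responsible agency."""
        return [r for r in self.records if r.severity() == "major"]

    def minor_count(self) -> int:
        """Number of minor incidents; a high count may point to a training need."""
        return sum(1 for r in self.records if r.severity() == "minor")


def build_register() -> IncidentRegister:
    """Populate a register with constructed sample incidents (not real data)."""
    reg = IncidentRegister()
    samples = [
        IncidentRecord(datetime(2014, 11, 3, 17, 40), "Level 4 registry", "protectively marked files",
                       "Security container found unlocked after hours", False, "breach",
                       "No evidence of access", "Container secured; staff reminded",
                       "unsecured security container"),
        IncidentRecord(datetime(2014, 11, 18, 18, 5), "Level 4 registry", "protectively marked files",
                       "Second container found unlocked after hours", False, "breach",
                       "No evidence of access", "Locking checks added to close-down routine",
                       "unsecured security container"),
        IncidentRecord(datetime(2014, 11, 20, 9, 15), "Finance team", "ICT user account",
                       "Password shared with a colleague on leave cover", True, "infringement",
                       "Low; account activity reviewed", "Password reset; counselling given",
                       "shared password"),
        IncidentRecord(datetime(2014, 12, 1, 14, 30), "Email system", "protectively marked report",
                       "Report sent to an unclassified external mailbox", False, "violation",
                       "Possible compromise of marked information", "Recipient contacted; CSO notified",
                       "data spill"),
    ]
    for rec in samples:
        reg.add(rec)
    return reg


def incomplete_record_missing() -> list[str]:
    """Show that a record with an empty location is rejected and reported."""
    rec = IncidentRecord(datetime(2014, 12, 2, 8, 0), "", "laptop", "Laptop left in taxi",
                         False, "breach", "Unknown", "Police report lodged", "lost ICT asset")
    return IncidentRegister().add(rec)


if __name__ == "__main__":
    register = build_register()
    print("counts by type:", dict(register.counts_by_type()))
    print("recurring:", register.recurring())
    print("major incidents to report onward:", len(register.major()))
    print("minor incidents:", register.minor_count())
    print("rejected record, missing:", incomplete_record_missing())
```

Run on the constructed sample, the register flags "unsecured security container" as recurring (two occurrences), counts three minor incidents and one major incident for onward reporting, and refuses the record with an empty location, which is the check that keeps the CSO's report to the chief executive based on complete records.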

3.6 Dealing with minor security incidents

Agencies should develop their own procedures and practices to investigate minor security incidents, which should take into account agency-specific issues.

Notifying the NZSIS of security incidents involving holders of security clearances

Agencies must advise NZSIS about repeated minor security incidents and any major security incidents that relate to a person’s suitability to hold a security clearance. 

Also the agency must notify NZSIS of the outcome of any investigation into a security incident that relates to a person’s suitability to hold a security clearance.

Contact reporting scheme

All clearance holders must report contacts with foreign officials or any requests from foreign officials to access agency assets or protectively marked information or resources.

Refer to Contact Reporting.

3.7 Dealing with major security incidents

Agency policies and procedures for dealing with a major security incident must be more formal to reflect the deliberate, reckless or negligent nature of actions that may compromise security.

Where a suspected major security incident involves the compromise of official information or other resources that originate from, or are the responsibility of another agency, agencies must seek advice from the originating agency prior to instigating any investigation.

The originating agency may have operational security requirements that need to be applied to the investigation.

In some cases it may be more appropriate that the originating or responsible agency carries out the investigation. The 'need-to-know' principle will apply.

Reporting major security incidents

Agencies must report to appropriate agencies any security incidents that involve suspected:

  • espionage (NZSIS)
  • sabotage (NZSIS and/or Police)
  • acts of foreign interference (NZSIS)
  • attacks on New Zealand’s defence system (New Zealand Defence Force (NZDF))
  • politically motivated violence (NZSIS and/or Police)
  • promotion of communal violence (NZSIS and/or Police)
  • serious threats to New Zealand’s border integrity (Customs and/or Immigration and/or Ministry for Primary Industries (MPI)).

For major security incidents, agencies must conduct an initial assessment of the potential compromise and contact the appropriately responsible agency as soon as possible.

The agency should strictly observe the need-to-know principle in relation to the details of a major security incident and the fact that it has occurred in the agency until advised otherwise.

Reporting cyber security incidents to NCSC

Agencies should report suspected cyber security incidents to NCSC including:

  • suspicious or seemingly targeted emails with attachments or links
  • any compromise or corruption of information
  • unauthorised hacking
  • any viruses
  • any disruption or damage to services or equipment
  • data spills.

Agency ICT security policies and plans should require early contact with NCSC to avoid inadvertently compromising any investigation into a cyber security incident.

Reporting security incidents involving Cabinet material

Agencies should report suspected security incidents involving Cabinet material to the Cabinet Office within the Department of the Prime Minister and Cabinet (DPMC). 

The Cabinet Manual provides information about the security and handling of Cabinet documents.

The Cabinet Manual is available online from http://www.cabinetmanual.cabinetoffice.govt.nz/

Reporting criminal incidents to law enforcement bodies

Where the incident may constitute a criminal offence, the agency may need to report to the appropriate law enforcement body. 

Agencies should seek advice from the New Zealand Police in such matters.

Reporting critical incidents involving the safety of the public

Any critical incidents requiring immediate response, in particular where lives are at risk, should be reported to the appropriate emergency services by contacting ‘111’.

These critical incidents, which may affect public safety and require a coordinated response in support of the New Zealand government and/or local government, include:

  • assault, including armed or military-style assault
  • arson, including suspected arson
  • assassination, including suspected assassination
  • bombing, including suspected use of explosive ordnance or improvised explosive devices
  • chemical, biological or radiological (CBR) attack, including suspected CBR attack
  • attack on the National Information Infrastructure (NII) or critical infrastructure using the NII
  • violent demonstration involving serious disruption of public order
  • hijacking, including suspected hijacking
  • hostage situation, including suspected hostage situation
  • kidnapping, including suspected kidnapping
  • mail bomb, including suspected mail bomb
  • threats of harm to self or others
  • white powder incident, including real or significant hoax incidents.

Occupational health and safety incidents

Agencies must report major occupational health and safety incidents (which involve serious injury or death) to WorkSafe New Zealand.

Details to include when reporting major security incidents

When reporting suspected major security incidents the agency must provide the following details:

  • date/time of the incident or when it was reported or discovered
  • brief details of the incident
  • what may have been compromised (type and level of protective marking)
  • names of those involved in the incident (if known)
  • name and contact details of the agency for follow up
  • an initial assessment of the harm or damage
  • what action has already been taken or measures implemented.

Agencies should also notify any changes or updates of reported incidents to the same agency to which they reported the incident, unless otherwise advised by that agency.

Agencies should be responsible for distributing information about incidents within their agencies.

4 Investigations

4.1 Principles of procedural fairness

The principles of procedural fairness apply to all investigations. These principles require that individuals whose rights, interests or expectations are adversely affected should be informed of the case against them and be given an opportunity to be heard by an unbiased decision maker. 

Procedural fairness also applies to actions taken as the result of an investigation. 

Refer to Procedural Fairness Requirements.

4.2 Types of investigations

Broadly, there are two types of investigation: administrative and criminal.

These requirements mainly focus on security investigations, which are a specific type of administrative investigation.

Agencies may also need to conduct other administrative investigations such as those that relate to:

  • disciplinary matters, where there are possible breaches of the State Services Code Of Conduct or agency codes of conduct.
  • incidents that affect the health and safety of people within agency premises or who are carrying out duties in the field.

If the incident requires more than one type of investigation, the agency should assess which type of investigation takes precedence.

Usually a criminal investigation takes precedence. However, in some security incidents, it may be more urgent to discover the damage and method of compromise and a security investigation will take precedence.

Security investigations

The purpose of a security investigation is to establish what has happened and how. It is not to establish whether a criminal offence has been committed, to aid in any prosecution or to be used to resolve employment or code of conduct disputes.

Rules of evidence may not apply, since the primary focus of a security investigation is gathering information, which need not be admissible evidence.

The outcomes of a security investigation focus on risk and damage assessment to establish:

  • the nature of the incident
  • how the incident occurred
  • what the circumstances were that led to the incident occurring
  • person/s involved
  • the degree of damage to national security interests
  • procedures needed to remove or reduce the likelihood of a future similar event.

If a security investigation gives way to a criminal investigation and a subsequent prosecution, then at that point agencies should apply the procedures for conducting criminal investigations and gathering evidence. 

Agencies should seek advice from New Zealand Police or NZSIS to establish whether a violation involves national security and whether there is a possible offence against New Zealand law.

Where other agencies have investigative powers based on legislation, for example the Ministry of Business, Innovation and Employment (MBIE), these agencies may have primacy in the decision over which investigation takes precedence. NZSIS or other agencies may have a major role in such an investigation.

Criminal investigations

A criminal offence refers to an act that will generally be an offence under the Crimes Act 1961, the Summary Offences Act 1981 or other specific legislation that includes criminal offences.

Agencies may need to conduct criminal investigations such as in cases of fraud, theft and unauthorised disclosure of official information.

The purpose of a criminal investigation is to gather admissible evidence that may lead to placing the offender/s before the courts.

The New Zealand Police can provide guidance and may have significant involvement in such investigations. 

4.3 Agency procedures for investigating security incidents

Agencies should establish policy and procedures for investigating security incidents that detail the:

  • responsibilities of the agency investigator
  • responsibilities of senior management
  • actions on receiving a complaint or allegation, including anonymous allegations or reports from whistleblowers
  • terms of reference for the investigation
  • points at which security investigations should be referred to NZSIS, the Police or other appropriate agencies
  • requirement to maintain detailed file notes
  • standards of ethical behaviour by agency investigators, activity recording and the preferred investigation case management system
  • requirement to keep senior management informed of the progress of security investigations and future options
  • requirement for a final report from the agency investigator incorporating background information
  • summary of major findings and recommendations
  • procedures for operational practices such as interviewing anyone whose interests could be adversely affected by the outcome of a security investigation or anyone who may be able to assist with a security investigation.

Agency procedures should clearly distinguish between a security investigation and its remedies and investigations into incidents and matters not related to security, for example, incidents that require other types of administrative, or criminal, investigation. 

Those responsible for security investigations must be aware of the extent and limits of their responsibilities and powers during a security investigation. 

Appointing investigators

When an agency commences an investigation it should appoint an appropriately senior employee who will approve the terms of reference and the investigation plan.

In the interests of procedural fairness the investigator should be impartial and not have an actual or apparent conflict of interest in the matter being investigated. 

Refer to Procedural Fairness Requirements.

Agencies should ensure investigators are appropriately trained and qualified to undertake the type of investigation required.

4.4 Understand the role of an investigator

An investigator’s key tasks should include:

  • understanding the incident being investigated and the terms of reference
  • identifying the relevant law, policy or procedures that apply
  • making sufficient inquiries to ascertain all relevant facts about the incident
  • ascertaining whether an offence or incident has occurred based on the relevant facts
  • reporting the findings, identifying the reasons for the findings
  • making relevant recommendations.

4.5 Determine the nature of an investigation

Agencies should assess at the outset:

  • whether the investigation is likely to be a criminal, security or other type of investigation
  • the resources needed to conduct the investigation
  • the legal boundaries in which the investigating body is to operate
  • the authorisation needed to undertake the investigation
  • the nature of the possible outcome of the investigation.

4.6 Terms of reference for investigations

Agencies should detail a clear and comprehensive statement of the aims and terms of reference for each investigation, including any constraints. 

The terms of reference could include:

  • the background
  • resources allocated (for example, people, financial)
  • timeframes
  • types of inquiries to be conducted
  • powers of the investigating officer to collect evidence by:
    • obtaining information from people about policies, procedures and practices
    • accessing relevant records and other material
    • interviewing witnesses and suspects
    • search and surveillance
  • the format of progress reporting and the final report
  • any special requirements or factors specific to the investigation.

Agencies should ensure the powers of the investigating officer are consistent with all relevant New Zealand legislation.

4.7 Conducting investigations

Agencies should, when developing their own investigation procedures, cover such matters as:

  • general and agency-specific legislation and powers
  • inter-agency relationships
  • receipt of allegation (initial consideration and subsequent action)
  • investigation management methodologies and support
  • investigation practices
  • investigation report or brief of evidence
  • Information Privacy Principles (IPPs)
  • investigation result and review
  • recovery actions.

Assess the incident and develop an investigation plan

The investigator should assess:

  • applicable legislation that may determine the nature of, and set the framework for, the investigation
  • the nature of the incident
  • how serious the incident is and the possible level of harm it has for the agency or more widely for government
  • whether the incident indicates the existence of a systemic problem
  • whether it is part of a pattern of conduct
  • whether it may breach any New Zealand law, especially any criminal provision.

Where insufficient power to collect any available or required evidence is identified, or if a conflict of interest is identified, the investigator should refer the investigation to another person or agency with the necessary powers.

The investigator should use the incident assessment to develop an investigation plan.

The plan should identify:

  • the key issues to be investigated
  • any relevant legislation, particular provisions of a code of conduct, agency policy and procedures, particular standards and requirements
  • required evidence
  • methods and avenues to collect the evidence
  • legal requirements and procedures to be followed in collecting evidence
  • the allocation of tasks, resources and timings.

The investigator should consult the officer authorising the investigation if the terms of reference and the investigation plan need to be amended as a result of issues that developed during the course of the investigation.

Gathering information

An investigator identifies, collects and presents information that goes to proving or disproving any matters of fact relating to an incident. 

In an investigation, the types of information are:

  • physical
  • documentary (records)
  • oral (recollections)
  • expert (technical advice).

Information gathered in a security investigation may not be satisfactory in a criminal investigation.

Record and store evidence appropriately

Investigators should maintain a separate file for each investigation that is a complete record of the investigation, documenting every step, including dates and times, all discussions, phone calls, interviews, decisions and conclusions made during the course of the investigation. 

The record should include the handling of the physical evidence. 

Investigators should store this file and any physical evidence securely to prevent unauthorised access, damage or alteration, to maintain confidentiality and to ensure continuity of evidence. 

For any protectively marked information gathered, or generated as part of the investigation, investigators must meet the necessary standards for storage.

Refer to Handling Requirements for Protectively Marked Information and Equipment.

Prepare the investigation report

At the conclusion of the investigation the investigator should report findings to the commissioning body or the decision maker, identify the reasons for the findings according to the terms of reference using supporting material and make relevant recommendations.

An investigation may lead to a range of possible outcomes, including:

  • disciplinary action
  • dismissal of a disciplinary charge following a constituted hearing
  • referral of a matter to an external agency for further investigation or prosecution
  • changes to administrative or security policies, procedures or practices.

Close the investigation

The investigation is closed when all reports are completed and evidence is documented and filed. 

It is better practice for an independent person, preferably more experienced than the investigator, to review the closed investigation. 

This allows an impartial assessment of the investigation that may identify improvements to investigation requirements.

Standard of proof

In administrative investigations, whether conducted for security or other reasons, the decision maker needs to be satisfied that the allegations are proved ‘on the balance of probabilities’.

Last modified: 18 December 2014