The purpose of these requirements is to:
- achieve a consistent approach to protective security controls in agency facilities
- help agencies to identify and report security incidents
- help agencies to conduct security investigations
- assist agencies to protect their people, information and assets.
The audience of these requirements is:
- New Zealand government security management staff
- any individual responsible for the security of New Zealand government people, information or assets
- any individual who has been delegated protective security responsibilities under the New Zealand Protective Security Requirements (PSR).
These requirements cover:
- identifying and addressing security incidents as part of the New Zealand government’s protective security measures
- best practice methods for conducting security investigations.
The effective administration of security incidents and investigations is a basic part of good security management.
Information gathered on security incidents and during investigations may highlight the need for agencies to reassess the effectiveness of current practices or arrangements, and is a key driver for continuous improvement activities.
In turn, good security management helps to contain the effects of a security incident, enables agencies to manage its consequences, and allows them to recover as quickly as possible.
These requirements provide a flexible structure to enable agencies to manage the risks posed by security incidents.
Not all security incidents are significant enough to warrant investigation, and agencies are encouraged to seek guidance from the appropriate supporting agencies identified within these requirements.
The conduct of investigations is part of an agency’s security management process. A security investigation will establish the cause and extent of an incident that has, or could have, compromised the New Zealand government.
A security investigation should reinforce security strategies that are designed to protect both the interests of the New Zealand government and the rights of affected/implicated individuals.
1.4 Compliance requirements
A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These form the baseline controls, unless a control is demonstrably not relevant to the agency and that irrelevance can be clearly demonstrated to the agency head or accreditation authority.
A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice. Valid reasons for not implementing such a control could exist, including:
- the control is not relevant because the risk does not exist
- a process or control(s) of equal strength has been substituted.
Agencies must recognise that not using a control without due consideration may increase residual risk for the agency. This residual risk needs to be agreed and acknowledged by the agency head. In particular, an agency should pose the following questions:
- Is the agency willing to accept the additional risk? If so, what is the justification?
- Have any implications for all-of-Government security been considered?
A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.
The PSR provides agencies with mandatory and best practice security measures.
The controls detailed above describe if and when agencies need to consider specific security measures to comply with the mandatory requirements.
1.5 Relevant standards
The standards relevant to these requirements are:
- AS/NZS ISO/IEC 27002:2006 Information Technology - Security Techniques - Code of Practice for Information Security Management (Section 13 details standards for information security incident management, including reporting security events and weaknesses, and the management of information security incidents and improvements).