1 Introduction

Print this section

1.1 Purpose

The purpose of these requirements is to provide a consistent and structured approach to determining agency-specific security awareness training requirements.

Back to the top of page Print this subsection

1.2 Audience

The audience of these requirements is:

  • New Zealand government security management and human resources staff
  • contractors to the New Zealand government providing security advice and services
  • any other body or person responsible for the security of New Zealand government people, information or assets.
Back to the top of page Print this subsection

1.3 Scope

These requirements cover protective security measures within:

  • New Zealand government facilities
  • other facilities handling New Zealand government information and assets
  • other facilities where New Zealand government employees are located.

Security awareness training is an important element of protective security.

It supports physical, information (including information privacy) and personnel security measures, as well as informing staff of the security governance requirements within their organisation.

To truly enhance a security culture within an agency, a security awareness training initiative must effectively communicate agency policies and protective security expectations.

Employees must undertake security awareness training as soon as possible after starting with the agency and it should therefore be included as part of their induction programme. 

Agencies should hold regular refresher training sessions to confirm prior knowledge and inform employees of any new measures.

Agencies should give additional training if the threat environment changes.

These requirements support the implementation of the New Zealand Protective Security Requirements (PSR).

In particular, they support the Protective Security Governance Requirements suite of documents that aid agencies to meet their protective security requirements.

Where legislative requirements are higher than controls identified in these requirements, the legislative controls take precedence and should be applied.

Back to the top of page Print this subsection

1.4 Compliance requirements

A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are the baseline controls unless the control is demonstrably not relevant to the respective agency and can be clearly demonstrated to the agency head or accreditation authority.

A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice.  Valid reasons for not implementing a control could exist, including:

  1. a control is not relevant because the risk does not exist
  2. or a process or control(s) of equal strength has been substituted.

Agencies must recognise that not using a control without due consideration may increase residual risk for the agency.  This residual risk needs to be agreed and acknowledged by the agency head.  In particular an agency should pose the following questions:

  1. Is the agency willing to accept additional risk?
  2. Have any implications for All of Government security been considered?
  3. If so, what is the justification?

A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.

The PSR provides agencies with mandatory and best practice security measures.

The controls detailed above describe if and when agencies need to consider specific security measures to comply with the mandatory requirements.

Also refer to Strategic Security Objectives, Core Policies and the Mandatory Requirements for Agencies.

Back to the top of page Print this subsection

1.5 Relevant standards

The standards relevant to these requirements are:

Back to the top of page Print this subsection

2 Security awareness training content

Security education should:

  • be ongoing
  • be provided to all staff
  • be designed to promote a sense of personal responsibility for effective security, regardless of position, grade or level of access
  • help counter threats through imparting a basic knowledge of security principles.
Print this section

2.1 Security training

Training goals

Security training should:

  • be provided to staff with specific security responsibilities
  • be designed to impart a sound knowledge and understanding of the agency’s security rules and procedures, appropriate to specific responsibilities
  • provide staff with sufficient knowledge so they can effectively perform their security duties.

Training content

Agencies should implement security awareness training that covers the following areas:

  • agency security procedures and policies
  • personal safety measures
  • asset protection
  • protection of official information from inappropriate use, loss, a breach of privacy and corruption
  • reporting requirements including changes of personal circumstances, incident reporting, and any mandatory or legislative reporting requirements
  • additional security briefings.

Approved training providers

Training programmes should use a mixture of delivery methods and follow the principles of adult education.

When appropriate, agencies should use New Zealand Qualification Authority (NZQA) approved training providers.

Security awareness approach

To support security awareness training agencies should develop ongoing security awareness methods to enhance organisational security culture.

This could be achieved through:

  • campaigns that address the ongoing needs of the agency and the specific needs of sensitive areas, activities or periods of time
  • security instructions and reminders through publications, electronic bulletins and visual displays such as posters
  • protective security-related questions in staff selection interviews
  • drills and exercises
  • inclusion of security attitudes and performance in the agency performance management programme.

Staff to involve in security awareness training

Agencies must provide security awareness training/briefings to the following.

  • Agency employees, secondees and any contractors based in agency facilities. This training should be provided initially as part of the person’s induction process or as soon as possible after commencement.
  • Agency employees, secondees, contractors and other people to whom the agency gives access to unclassified official information.
  • Holders of a New Zealand Government security clearance on the issue of that clearance, and at minimum every five years as a condition of revalidation of the clearances. The briefings should detail the clearance holders’ information security responsibilities.

An agency should provide targeted security awareness training when the agency has an increased or changed threat environment.

Back to the top of page Print this subsection

2.2 Identified agency-specific risk and policies

Agency-specific risks and countermeasures are identified as part of the agency risk review and policies.

Security awareness training should be designed to mitigate agency specific risks.

Agencies should make employees and contracted service providers aware of the protective security programmes operating in their area, the threat it is designed to counter and their roles and responsibilities in relation to it.

Back to the top of page Print this subsection

2.3 Personal safety measures

Staff with specific emergency, safety or security roles should receive regular training and participate in exercises to confirm their ongoing competency. 

Agencies have a responsibility to protect employees and visitors.

For more information, refer to:

Employee safety handbook

Agencies should develop an employee safety handbook that is provided to all employees and is readily available on agency intranet sites or similar delivery platforms.

The handbook should include emergency response guidelines and contacts and any agency-specific safety requirements and procedures. 

Agencies with heightened safety or security risks from the public and/or clients should ensure that the employees with whom the public interact are aware of all safety measures in place in the agencies. 

The agencies should also hold regular exercises and drills to confirm the competency of staff. 

Back to the top of page Print this subsection

2.4 Asset protection

Agencies should provide advice to staff on:

  • access control systems
  • legal requirements to protect assets
  • agency specific measures to protect assets
  • how to report lost, damaged or stolen assets
  • asset audit and stocktake requirements.

Agencies should provide the information required to allow employees to meet their responsibilities prior to taking custody of any assets.

Back to the top of page Print this subsection

2.5 Protection of official information

Agencies should ensure that every employee is aware of the protective markings and handling requirements for the resources it possesses or develops.

Agencies should provide employees with training on:

  • agency Information and Communications Technology (ICT) system(s) protective markings
  • special arrangements for producing documents that are protectively marked above the ICT systems’ capability
  • audit and accountability requirements for highly protectively marked material.

All employees, regardless of level or security clearance, need to be aware of the harm caused by the compromise of protectively marked resources handled in their workplace and the ways in which those resources might be vulnerable to compromise or misuse. 

Back to the top of page Print this subsection

3 Internal reporting requirements

Print this section

3.1 Internal reporting contacts

Agencies should provide employees training on the internal reporting process to ensure awareness of reporting contacts for security-related concerns.  

Security risks that should be covered within this information include, but are not limited to:

  • suspicious behaviour
  • threatening behaviour communicated through letters, bomb threats and phone calls
  • broken ICT and security equipment
  • security infringements and breaches
  • full secure waste bins
  • lost identity cards, credit cards and other protectively marked/official material.

Reporting requirements should also include any agency-specific protected disclosure ‘whistleblowing’ provisions.

Public sector agencies must have an internal reporting procedure for information relating to serious wrongdoing by an agency or people within the agency.

Also refer to Protected Disclosures Act 2000.

Back to the top of page Print this subsection

3.2 Changes of circumstances

For more information, refer to Reporting Changes in Personal Circumstances.

Back to the top of page Print this subsection

3.3 Contact reporting requirements

For more information, refer to Contact Reporting.

Back to the top of page Print this subsection

3.4 Additional security briefings

Other types of briefings given to employees may include:

  • overseas travel briefings and debriefings and personal safety briefings when travelling on official business or for personal purposes
  • briefings and debriefings for accessing TOP SECRET material
  • briefings and debriefings to allow access to specific caveat, compartmentalised or codeword protectively marked information or resources
  • specific location briefings for high-risk destinations
  • briefings tailored for specific categories of employment, for example, the unique security issues for Information Technology (IT) staff, scientists and others
  • briefings tailored to contractors, temporary employees, visitors, families of staff
  • briefings tailored to an individual’s particular security needs, as part of a continuing management strategy
  • risk management briefings in general and protective security in particular.
Back to the top of page Print this subsection

This content refers to the following glossary terms:

Access control system Asset Briefings Codeword Compartmented marking Compromise or misuse (especially of information resources) Information and Communications Technology (ICT) Information Security (INFOSEC) Protective marking Protective security Risk mitigation Security clearance Security culture Threat TOP SECRET Unclassified (information)

Tagged with the terms:

Contact reporting scheme/requirements arrangements Changes of circumstances Internal reporting requirements Personal safety measures Internal reporting contacts

About

GOV6

Security awareness training is an important element of protective security. It supports physical, information (including information privacy) and personnel security measures, as well as informing staff of the security governance requirements within their organisation. 

Search this document for:

Supporting Files

Last modified: 18 December 2014

Acknowledgements and licensing information