The purpose of these requirements is to provide a consistent and structured approach to determining agency-specific security awareness training requirements.
The audience of these requirements is:
- New Zealand government security management and human resources staff
- contractors to the New Zealand government providing security advice and services
- any other body or person responsible for the security of New Zealand government people, information or assets.
These requirements cover protective security measures within:
- New Zealand government facilities
- other facilities handling New Zealand government information and assets
- other facilities where New Zealand government employees are located.
Security awareness training is an important element of protective security.
It supports physical, information (including information privacy) and personnel security measures, as well as informing staff of the security governance requirements within their organisation.
To truly enhance a security culture within an agency, a security awareness training initiative must effectively communicate agency policies and protective security expectations.
Employees must undertake security awareness training as soon as possible after starting with the agency and it should therefore be included as part of their induction programme.
Agencies should hold regular refresher training sessions to confirm prior knowledge and inform employees of any new measures.
Agencies should give additional training if the threat environment changes.
These requirements support the implementation of the New Zealand Protective Security Requirements (PSR).
In particular, they support the Protective Security Governance Requirements suite of documents that aid agencies to meet their protective security requirements.
Where legislative requirements are higher than controls identified in these requirements, the legislative controls take precedence and should be applied.
1.4 Compliance requirements
A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are the baseline controls unless the control is demonstrably not relevant to the respective agency and this can be clearly demonstrated to the agency head or accreditation authority.
A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice. Valid reasons for not implementing a control could exist, including:
- a control is not relevant because the risk does not exist, or
- a process or control(s) of equal strength has been substituted.
Agencies must recognise that not using a control without due consideration may increase residual risk for the agency. This residual risk needs to be agreed and acknowledged by the agency head. In particular, an agency should pose the following questions:
- Is the agency willing to accept additional risk?
- Have any implications for All of Government security been considered?
- If so, what is the justification?
A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.
The PSR provides agencies with mandatory and best practice security measures.
The controls detailed above describe if and when agencies need to consider specific security measures to comply with the mandatory requirements.
1.5 Relevant standards
The standards relevant to these requirements are: