1 Introduction

1.1 Purpose

The purpose of these requirements is to:

  • help agencies protect their people, information and assets
  • provide agencies with a framework for incorporating protective security requirements into contracts when agencies outsource functions
  • provide a consistent and structured approach to determining:
    • the protective security controls required at service providers' premises
    • personnel security clearance requirements of service providers' staff
    • protective security management arrangements within contracts.
1.2 Audience

The audience for these requirements is:

  • agency security, contract and procurement management personnel
  • contracted service providers
  • agency managers engaging with contracted service providers on a day-to-day basis.
1.3 Scope

These requirements cover:

  • security measures when contracting outsourced services and functions 
  • adopting an outsourcing approach to service provision
    • within New Zealand government facilities
    • to offsite service providers, both onshore and internationally.

Accountability for the performance of the service or function and responsibility for outcomes remains with the agency. Agency responsibility includes the management of security risks where external service providers are being used.

These requirements also support the Personnel Security Management Protocol.

They are part of a suite of information that helps agencies meet their protective security and outsourcing requirements.

1.4 Compliance requirements

A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are the baseline controls; an agency may omit one only where the control is demonstrably not relevant to that agency and this can be clearly shown to the agency head or accreditation authority.

A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice. Valid reasons for not implementing a control could exist, including:

  1. the control is not relevant because the risk does not exist
  2. a process or control(s) of equal strength has been substituted.

Agencies must recognise that not using a control without due consideration may increase residual risk for the agency. This residual risk needs to be agreed and acknowledged by the agency head. In particular an agency should pose the following questions:

  1. Is the agency willing to accept additional risk?
  2. Have any implications for All of Government security been considered?
  3. If so, what is the justification?

A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.

The PSR provides agencies with mandatory and best practice security measures.

The controls detailed above describe if and when agencies need to consider specific security measures to comply with the mandatory requirements.

Also refer to the Strategic Security Objectives, Core Policies and the Mandatory Requirements.

2 Including protective security terms and conditions in contracts

2.1 Role of the contract manager

The contract manager within an agency is responsible for ensuring the service provider complies with any protective security terms and conditions in the contract.

Contract managers should consult with the Chief Security Officer (CSO) to identify essential security requirements when developing tender documents and throughout the life of the contract.

2.2 Agency obligations

To meet their obligation to protect personnel, official information or agency assets from unacceptable risk when outsourcing services or functions, agencies must:

  • assess security issues associated with outsourcing or procurement during the planning phase of the procurement
  • determine and publish in relevant Request documents any mandatory and desirable security requirements, including any relevant provisions relating to subcontracting
  • utilise risk management as the basis of protective security terms and conditions in the contract and ongoing contract management of the service provider and its employees.

Agencies should, where possible, explicitly refer to the highest level of protectively marked information the service provider will access throughout the course of the contract, in Request documents and in the final contract.

If the required level of access changes, this is to be advised to the contractor as soon as possible through contract variation procedures.

Agencies should take into account ISO 31000:2009 Risk management - Principles and guidelines when identifying, assessing and treating risks and when developing strategies for managing security risks in procurement.

2.3 Contract details

All relevant contracts should include details of essential protective security requirements specific to agency requirements. The inclusion of a general condition stating the service provider must comply with the PSR is not likely to be appropriate or enforceable.

Agencies should identify the elements of their protective security policies and procedures that apply and specifically include these obligations as terms and conditions in contracts.

Contracts should provide for periodic updating of security requirements by the contracting agency to accommodate changes in the:

  • risks to the agency or service provider
  • national security risks
  • protective security policies and protocols.

Agencies should consider using a separate schedule of security requirements to clearly identify the protective security conditions in contracts.

This would simplify amendments to the protective security terms and conditions if needed.

2.4 Specific considerations

In addition to any other statutory requirements or agency-specific security requirements, agencies must ensure that contracts require service providers to comply with the Information Privacy Principles (IPP) of the Privacy Act 1993 when entering into a contract on behalf of the New Zealand Government.

Agencies should include a condition in contracts allowing agency representatives to access the service provider’s premises, records and equipment to monitor the service provider’s compliance with the protective security conditions in the contract.

Generally, contracts should specify that information provided by the agency, or generated as a result of the contract, belongs to the government and should never be used for any purpose other than the service or function covered by the contract.

By clearly identifying agency information, the agency can impose protective security requirements on its information.

Some information generated as a result of the contract may be subject to Intellectual Property (IP) claims by the service provider.

Where possible, IP issues should be determined prior to entering into a contract.

Agencies should ensure any relevant contract with a service provider includes terms and conditions that permit the agency to terminate the contract if the service provider fails to comply with the protective security provisions in the contract, including the unwillingness, or inability of a service provider to remedy any security breaches.

2.5 Evaluating tender responses

Where Request documents specify that essential protective security requirements are part of an outsourced service or function, an agency must ensure that tender responses adequately address the contract’s essential security requirements.

If a tender response does not address the essential security requirements, the agency tender evaluation team should either exclude the proposal from consideration or ensure the necessary information is provided before the proposal can continue to be considered.

If a contract is awarded subject to a service provider meeting security provisions, the contract should not start before the agency verifies compliance.

For further information on procurement evaluation, refer to the Government Rules of Sourcing on the Ministry of Business, Innovation and Employment’s website. Go to: www.procurement.govt.nz.

3 Security clearances for the staff of service providers

All service provider staff who access protectively marked material to perform the contract must be security cleared to the appropriate level before accessing any protectively marked material.

Refer to:

Agencies must sponsor any service provider staff who need a security clearance.

Refer also to PERSEC4.

Agencies are responsible for arranging the security clearance for any of the service providers’ employees or subcontractors who require a security clearance.

Agencies should check with the New Zealand Security Intelligence Service (NZSIS) to determine if a service provider’s employee currently holds a valid security clearance. 

The contracting agency is responsible for personnel security clearance management of service providers’ security clearances throughout the life of the contract.

Agencies should include conditions in the relevant contracts that require the service provider to prevent all access to protectively marked material by personnel whose security clearances are revoked, lapse, are downgraded or who no longer require access.

Refer also to PERSEC6 and PERSEC7.

Most outsourced services or functions will not require access to protectively marked material. Nevertheless, agencies should conduct basic low-level vetting such as police checks and employment history checks of all outsourced staff.

Agencies that conduct agency specific character checks for their own staff should determine whether or not they require the same character checks be conducted for service providers’ staff.

Agencies should also assess whether the access to official information justifies requiring service provider staff to sign a Non-Disclosure Agreement.

Agencies should seek legal advice when developing their own agreements.

For more information, refer to Annex A.

3.1 Incidental or accidental contact with protectively marked material

Agencies should include conditions in the relevant contracts that require the service provider to report to the agency when any of the service provider’s employees have any incidental or accidental contact with protectively marked material.

This condition is particularly important in security guarding, cleaning and ICT service provision contracts.

Service provider staff who do not hold a security clearance at the appropriate level should not be permitted to have unescorted access to any areas where protectively marked information is handled or stored.

4 Information security

Agencies should ensure the requirements of the Information Management Security Protocol and the New Zealand Information Security Manual for the protection of agency information are addressed when deciding to outsource a service or function.

Agencies should ensure relevant information security requirements needed to meet their information security policies and procedures are included as protective security terms and conditions in a contract.

In addition, agencies must ensure all contracts requiring a service provider to access and handle official information contain terms and conditions that satisfy the following requirements:

  • a direction that no service or function that may require access to official information can be subsequently subcontracted, or subcontracted to a provider different from the one agreed, without written approval by the contracting agency
  • a direction to disclose any potential conflicts of interest that would impact on security in the performance of functions or services on behalf of the New Zealand Government
  • that service provider employees requiring access to protectively marked information are cleared to the appropriate level
  • that service provider premises and facilities used to handle or store protectively marked information meet the minimum standards for the storage and handling of official information up to and including the nominated security classification level
  • that service providers have systems able to meet designated information security standards for the electronic processing, storage, transmission and disposal of official information. Also refer to the New Zealand Information Security Manual
  • a direction on any ongoing confidentiality requirements relating to official information provided as part of the contract.

Agencies should consider the potential for legal rights that may be held by a third party, such as overseas shareholders or owners, over a service provider that could allow access to agency information.

Where agencies consider this is a risk, the contract should include terms and conditions that, to the extent possible, protect against third party access.

Agencies should consider the impact on the agency of any loss or compromise of official information held by a service provider, especially aggregated information, and include conditions in the contract to mitigate any assessed risks.

Agencies remain responsible for the management of their official records under the Public Records Act 2005 whether held by the agency or by a service provider at an offsite facility.

5 Physical security

Agencies must ensure that the requirements of the Physical Security Management Protocol for the protection of agency personnel, information and assets are addressed when deciding to outsource a service or function.

Agencies should ensure relevant physical security requirements to meet their physical security policies and procedures are included as protective security terms and conditions in a service contract.

6 Contract management

Contract management involves monitoring both the performance of contracted functions or services and adherence to the essential security requirements of the contract.

Agencies should:

  • seek to develop a positive working relationship with their service providers to promote open communication and add value to the security environment through the prompt identification and resolution of issues
  • monitor the service provider’s security procedures by undertaking regular site visits and audits.

Agencies should ensure that the service provider advises relevant employees and any subcontracted service providers of the protective security terms and conditions that apply under the contract.

Agencies should include conditions in relevant contracts that require the service provider to remind any departing personnel who have accessed official or protectively marked information that their responsibility to maintain confidentiality is ongoing.

For more information, refer to the Office of the Auditor-General - Procurement Guidance for Public Entities.

6.1 Reporting security breaches and incidents

A security incident might have wide-ranging and critical consequences for the agency and for the New Zealand Government.

Agencies should include conditions in contracts that specify the service provider is to notify the agency of any actual or suspected security incidents or breaches that may impact on:

  • their ability to deliver the services they have been contracted to provide
  • the agency’s information which is held by, or in transit to/from, the service provider.

Agencies should investigate any actual or suspected security breaches reported by a service provider, as well as any other breaches that may involve a service provider of which the agency is aware.

Also refer to Reporting Incidents and Conducting Investigations.

Reporting incidents to agencies informs future risk reviews and assessments and will help agencies to evaluate current security plans and procedures.

When necessary, the agency should consider adjusting security procedures to deal with any security risk disclosed by the investigation.

Agencies should include conditions in relevant contracts that require service providers to report any breaches of Information and Communications Technology (ICT) security not involving agency information.

Agencies should also consider requiring service providers to report other ICT security issues to the contracting agency even when not immediately relevant to the contract.

6.2 Periodic assessments of service providers’ premises

Agencies should inspect any premises used to store New Zealand government information or assets prior to the start of a relevant contract to verify that the protective security measures and procedures specified by the contract comply with the PSR.

Agencies should consider, when assessing service providers that offer services to multiple agencies, sharing the assessment and outcome information with other user-agencies to prevent duplication of effort. 

Agencies should periodically reinspect the premises of contractors and sub-contractors during the life of the contract to ensure continued compliance with the PSR.

These inspections should be undertaken on, but not be limited to, the following occasions:

  • prior to any renegotiation or extension of a contract, where the contract term exceeds two years
  • following a security incident at the service provider’s (or sub-contractor’s) premises
  • as part of the agency’s security risk review.

Agencies should reassure concerned service providers that the purpose of the access is to monitor the contract and not to discover information or details unconnected with the contract.

6.3 Completion of the contract

Agencies should apply appropriate strategies for transitioning security arrangements at the completion or termination of the contract.

Agencies should include conditions in relevant contracts that require the service provider to delete all of the agency’s information from the service provider’s ICT systems.

Agencies must ensure that they recover records (both electronic and hard copy) and assets under the control of the service provider.

When a legal requirement arises that causes the service provider to temporarily retain certain records, post-contract expiry, the agency should continue to monitor and reassess security.

Agencies should also include conditions in the relevant contracts that require the service provider to maintain protective security measures if for legal reasons the service provider cannot return records or assets at the end of a contract. 

When protectively marked information is held on ICT systems, service providers must be required to sanitise the systems at the conclusion of the contract in accordance with the New Zealand Information Security Manual.

Agencies should include conditions in relevant contracts that require the service provider to remind any personnel who have accessed official or protectively marked information that confidentiality requirements are ongoing.

Last modified: 18 December 2014