3 Security clearances for the staff of service providers
All service provider staff who access protectively marked material to perform the contract must be security cleared to the appropriate level before accessing any protectively marked material.
Agencies must sponsor any service provider staff who need a security clearance.
Refer also to PERSEC4.
Agencies are responsible for arranging the security clearance for any of the service providers’ employees or subcontractors who require a security clearance.
Agencies should check with the New Zealand Security Intelligence Service (NZSIS) to determine if a service provider’s employee currently holds a valid security clearance.
The contracting agency is responsible for personnel security clearance management of service providers’ security clearances throughout the life of the contract.
Agencies should include conditions in the relevant contracts that require the service provider to prevent all access to protectively marked material by personnel whose security clearances are revoked, lapse or are downgraded, or who no longer require access.
Refer also to PERSEC6 and PERSEC7.
Most outsourced services or functions will not require access to protectively marked material. Nevertheless, agencies should conduct basic low-level vetting such as police checks and employment history checks of all outsourced staff.
Agencies that conduct agency-specific character checks for their own staff should determine whether or not they require that the same character checks be conducted for service providers’ staff.
Agencies should also assess whether the access to official information justifies requiring service provider staff to sign a Non-Disclosure Agreement.
Agencies should seek legal advice when developing their own agreements.
For more information, refer to Annex A.
3.1 Incidental or accidental contact with protectively marked material
Agencies should include conditions in the relevant contracts that require the service provider to report to the agency when any of the service provider’s employees have any incidental or accidental contact with protectively marked material.
This condition is particularly important in security guard force, cleaning contracts and ICT service provision.
Service provider staff who do not hold a security clearance at the appropriate level should not be permitted to have unescorted access to any areas where protectively marked information is handled or stored.
4 Information security
Agencies should ensure the requirements of the Information Management Security Protocol and the New Zealand Information Security Manual for the protection of agency information are addressed when deciding to outsource a service or function.
Agencies should ensure relevant information security requirements needed to meet their information security policies and procedures are included as protective security terms and conditions in a contract.
In addition, agencies must ensure all contracts requiring a service provider to access and handle official information contain terms and conditions that satisfy the following requirements:
- a direction that no service or function that may require access to official information can be subsequently subcontracted, or subcontracted to a provider different from the one agreed, without written approval by the contracting agency
- a direction to disclose any potential conflicts of interest that would impact on security in the performance of functions or services on behalf of the New Zealand Government
- that service provider employees requiring access to protectively marked information are cleared to the appropriate level
- that service provider premises and facilities used to handle or store protectively marked information meet the minimum standards for the storage and handling of official information up to and including the nominated security classification level
- that service providers have systems able to meet designated information security standards for the electronic processing, storage, transmission and disposal of official information. Also refer to the New Zealand Information Security Manual
- a direction on any ongoing confidentiality requirements relating to official information provided as part of the contract.
Agencies should consider the potential for legal rights that may be held by a third party, such as overseas shareholders or owners, over a service provider that could allow access to agency information.
Where agencies consider this is a risk, the contract should include terms and conditions, to the extent possible, that protect against third party access.
Agencies should consider the impact on the agency of any loss or compromise of official information held by a service provider, especially aggregated information, and include conditions in the contract to mitigate any assessed risks.
Agencies remain responsible for the management of their official records under the Public Records Act 2005 whether held by the agency or by a service provider at an offsite facility.
5 Physical security
Agencies must ensure that the requirements of the Physical Security Management Protocol for the protection of agency personnel, information and assets are addressed when deciding to outsource a service or function.
Agencies should ensure relevant physical security requirements to meet their physical security policies and procedures are included as protective security terms and conditions in a service contract.
6 Contract management
Contract management involves monitoring both the performance of contracted functions or services and adherence to the essential security requirements of the contract.
Agencies should:
- seek to develop a positive working relationship with their service providers to promote open communication and add value to the security environment through the prompt identification and resolution of issues
- monitor the service provider’s security procedures by undertaking regular site visits and audits.
Agencies should ensure that the service provider advises relevant employees and any subcontracted service providers of the protective security terms and conditions that apply under the contract.
Agencies should include conditions in relevant contracts that require the service provider to remind any departing personnel who have accessed official or protectively marked information that their responsibility to maintain confidentiality is ongoing.
For more information, refer to the Office of the Auditor-General - Procurement Guidance for Public Entities.
6.1 Reporting security breaches and incidents
A security incident might have wide-ranging and critical consequences for the agency and for the New Zealand Government.
Agencies should include conditions in contracts that specify the service provider is to notify the agency of any actual or suspected security incidents or breaches that may impact on:
- their ability to deliver the services they have been contracted to provide
- the agency’s information which is held by, or in transit to/from, the service provider.
Agencies should investigate any actual or suspected security breaches reported by a service provider, as well as any other breaches that may involve a service provider of which the agency is aware.
Also refer to Reporting Incidents and Conducting Investigations.
Reporting incidents to agencies allows for the identification of future risk reviews and assessments and will help agencies to evaluate current security plans and procedures.
When necessary, the agency should consider adjusting security procedures to deal with any security risk disclosed by the investigation.
Agencies should include conditions in relevant contracts that require service providers to report any breaches of Information and Communications Technology (ICT) security not involving agency information.
Agencies should also consider requiring service providers to report other ICT security issues to the contracting agency even when not immediately relevant to the contract.
6.2 Periodic assessments of service providers’ premises
Agencies should inspect any premises used to store New Zealand government information or assets prior to the start of a relevant contract to verify that the protective security measures and procedures specified by the contract comply with the PSR.
Agencies should consider, when assessing service providers that offer services to multiple agencies, sharing the assessment and outcome information with other user-agencies to prevent duplication of effort.
Agencies should periodically reinspect the premises of contractors and sub-contractors during the life of the contract to ensure continued compliance with the PSR.
These inspections should be undertaken on, but not be limited to, the following occasions:
- prior to any renegotiation or extension of a contract, where the contract term exceeds two years
- following a security incident at the service provider’s (or sub-contractor’s) premises
- as part of the agency’s security risk review.
Agencies should reassure concerned service providers that the purpose of the access is to monitor the contract and not to discover information or details unconnected with the contract.
6.3 Completion of the contract
Agencies should apply appropriate strategies for transitioning security arrangements at the completion or termination of the contract.
Agencies should include conditions in relevant contracts that require the service provider to delete all of the agency’s information from the service provider’s ICT systems.
Agencies must ensure that they recover records (both electronic and hard copy) and assets under the control of the service provider.
When a legal requirement arises that causes the service provider to temporarily retain certain records after the contract expires, the agency should continue to monitor and reassess security.
Agencies should also include conditions in the relevant contracts that require the service provider to maintain protective security measures if for legal reasons the service provider cannot return records or assets at the end of a contract.
When protectively marked information is held on ICT systems, service providers must be required to sanitise the systems at the conclusion of the contract in accordance with the New Zealand Information Security Manual.
Agencies should include conditions in relevant contracts that require the service provider to remind any personnel who have accessed official or protectively marked information that confidentiality requirements are ongoing.