Showing results for access

Access

Obtaining knowledge or possession of information (including verbal, electronic and hard copy information) or other resources, or obtaining admittance to an area.

Agency Cyber Security Responsibilities for Publicly Accessible Information Systems

1.3 Scope

These requirements cover:

provision of internet access to the workforce
public access to services and information, using the internet
public access to services and information from kiosks located on government premises
public wireless access to services and information from government premises.

The scope of advice does not include risks specific to email, social media and removable media used to facilitate online transactions.
Online services offer the public a convenient, efficient and access...

Agency Personnel Security

5.5 Actions where a clearance holder leaves an agency

Depending on the level of the clearance held, the actions when a clearance holder leaves an agency should involve debriefs for any access to compartmented information, exit appraisals and post-separation contact between the clearance subject and the employing agency.
Exiting staff must be reminded of the need for continued discretion and their lifelong obligation to protect protectively marked information.
An agency should advise NZSIS when clearance holders leave their employment....

4 National security clearance requirements

Good personnel security regimes provide a level of assurance as to the honesty, trustworthiness and loyalty of people who have access to government resources.
Where employees and contractors will have regular and ongoing access to protectively marked information and resources at CONFIDENTIAL, SECRET or TOP SECRET level, higher levels of assurance are required.
Security vetting is the process by which NZSIS assesses an individual's loyalty to New Zealand, integrity and trustworthiness, and their...

Can I access protectively marked material that is higher than my national security clearance level?

No. Individuals can only access protectively marked material up to the level their clearance allows. Agencies must not grant ‘waivers’, ‘interim’ or ‘temporary’ security clearances while waiting for a recommendation from the NZSIS. Agencies can submit urgent clearance requests. Agencies should contact the NZSIS to discuss these cases prior to sending requests. Agency heads may authorise emergency access in exceptional circumstances. The emergency access provisions must not be used to...

Can I be issued with a temporary national security clearance?

... ‘temporary’ security clearances while waiting for a recommendation from the NZSIS. Agencies can submit urgent clearance requests. Agencies should contact the NZSIS to discuss these cases prior to sending requests. Agency heads may authorise emergency access in exceptional circumstances. The emergency access provisions must not be used to facilitate entry or appointment into a position, or on reassignment of duties, while awaiting completion of the security vetting process. More detail about...

Correctly storing protectively marked information in exceptional circumstances: an INFOSEC and PHYSEC case study

... stored the information in the appropriate way, using the appropriate storage TOP SECRET information must be securely stored in the appropriate zone and storage container.  TOP SECRET information is not permitted to be stored in Zone 3 (limited employee access with controlled visitors only) or Zone 4 (strictly controlled employee access with personal identity verification) except in exceptional circumstances.   TOP SECRET information must be stored in a NZSIS accredited Zone 5 in a Class B co...

Email fraud: an INFOSEC case study

... Employees working for government, especially those in possession of a national security clearance, should take care to post as little personal information on the internet about themselves as possible as their identity could be fraudulently used to obtain access to information, resources or assets.  See also the New Zealand Information Security Manual. Amy should have: been more aware of spoofing email and known what to do Spoofing emails, which may be motivated by financial, criminal or poli...

Risks of a compromised website: a PHYSEC, INFOSEC case study

... various policies and legislation. To date, the agency has not conducted a risk assessment on having the information published online. However, it is discovered that due to poor coding, a hostile foreign agency could hack the agency’s firewall to access all public content, as well as information in a private back-end database not intended for public release. Allowing hackers access to such a range of information would lead to a catastrophic compromise of information and irreparably dama...

Risks of discussing sensitive information outside the workplace: a PERSEC case study

... and awareness training As part of complying with the mandatory requirements of the PSR, agencies must provide all staff with sufficient security information and awareness training.  Staff should: receive adequate security training be briefed on the access privileges and prohibitions attached to their security clearance receive ongoing information about their security responsibilities, issues and concerns.  In particular, staff should be aware of, and accept their individual responsibilitie...

Risks of granting security vetting waivers: a PERSEC case study

This case study looks at the possible implications if an agency head were to incorrectly grant a security vetting waiver. Themes covered include: importance of vetting for individuals requiring access to information, areas or networks protectively marked at CONFIDENTIAL or above; importance of vetting for individuals known to an agency head. Scenario – what happened: Murray is the CSO of a large government department about to quickly hire two administration staff on a temporary basis. Murra...

Risks of making personal information public through social media: a PERSEC, INFOSEC case study

... harmful when seen in isolation. However, when Craig’s information is aggregated, it could be used by anyone online to figure out his employer, the nature of his work, his professional and personal contacts, his hobbies and the likelihood of him having access to protectively marked information. Lessons learned – what should have happened Craig’s agency made a couple of important oversights in this scenario. The agency should have: ensured Craig was aware of his individual responsibility t...

Risks of taking electronic media overseas and not reporting the carrying of protectively marked information: an INFOSEC, PERSEC and PHYSEC case study

... Zealand, they delete information on the devices they consider sensitive. The pair know there will be foreign delegates present at the conference so leave their devices in their hotel room in the room safe. During their absence, foreign intelligence officers access their hotel room and install malware on their devices that will automatically log all activity conducted on the devices, even once Chris and Taylor have returned to New Zealand. Additionally, the officers clone the hard drive of the l...

Risks of unauthorised personnel accessing restricted areas and agencies failing to follow physical security plans and procedures: a PHYSEC and PERSEC case study

This case study looks at the possible risks of allowing unauthorised personnel to access restricted areas and failing to follow an agency’s physical security plan and procedures. Themes covered include: requesting authorisation from unauthorised personnel evaluating the risk of frequent visitors securing building entry and exit points adhering to an agency’s physical security plan and procedures. Scenario – what happened Andrew is a disgruntled contractor formerly employed by a large gov...

What do I need to consider before travelling overseas?

... either work or personal, you must consider the risks posed if the devices were lost, stolen or compromised. Electronic devices hold a significant amount of information about you, or the New Zealand government, and may provide an adversary with long-term access to that information. If possible, government employees should avoid taking work-issued electronic media or devices overseas. If necessary, use agency-supplied specific devices for overseas travel. Familiarise yourself with your agency’s...

What is a national security clearance?

A national security clearance is granted to an individual following a favourable vetting assessment by NZSIS. It indicates an individual’s suitability to access protectively marked material up to a specific clearance level. Security vetting, required before a security clearance can be granted, is a series of background checks and assessments carried out by the NZSIS’s vetting officers. For further information, see New Zealand Personnel Security Management Requirements – Information for Sec...

When do I need to report a change in circumstances?

Some changes in personal circumstances may affect an individual’s suitability to have access to protectively marked information. Some significant changes may be used by foreign intelligence services, issue-motivated groups, criminal organisations or others to coerce or induce individuals into providing information or equipment belonging to the New Zealand government. Security clearance holders must report any changes in their personal circumstances to their CSO at the time they occur. Changes...