1 Introduction


1.1 Purpose

The purpose of this section is to help agencies:

  • identify their security needs and responsibilities
  • define internal security governance and management structures
  • comply with the PSR’s mandatory requirements.

1.2 Audience

The audience of the PSR is:

  • New Zealand government agency heads
  • New Zealand government security management staff
  • contractors to the New Zealand government providing protective security advice and services
  • any other body or person responsible for the security of New Zealand government personnel, customers and members of the public, and/or the security of information and physical assets.

1.3 Scope

This document covers:

  • the PSR’s strategic objectives and mandatory requirements
  • protective security governance
  • core policies for protective security.

1.4 Compliance requirements

A control with a ‘must’ or ‘must not’ compliance requirement indicates use of the control is mandatory. These are baseline controls unless they are demonstrably not relevant to the agency and this can be clearly demonstrated to the agency head or accreditation authority.

A control with a ‘should’ or ‘should not’ requirement indicates use of the control is considered good and recommended practice. Valid reasons for not implementing a control could exist, including:

  • a control is not relevant because the risk does not exist
  • or a process or control(s) of equal strength has been substituted.

Agencies must recognise that not using a control without due consideration may increase residual risk for the agency. This residual risk needs to be agreed and acknowledged by the agency head.
In particular, agencies should consider the following questions:

  1. Is the agency willing to accept additional risk?
  2. Have any implications for all-of-government security been considered?
  3. If so, what is the justification?

A formal auditable record of this consideration and decision is required as part of the agency’s governance and assurance processes.

The PSR provides agencies with mandatory and best practice security measures. The controls detailed above identify if and when agencies need to consider specific security measures to comply with the mandatory requirements listed in Annex A.


2 Strategic security objectives and the mandatory requirements

This information, along with the governance arrangements and policies outlined elsewhere in the PSR, describes the high-level mandatory requirements applicable to all agencies.

The detailed protocols and requirements support the core policies for security governance, personnel security, information security and physical security.

The protocols set out minimum procedural requirements. Agencies may have specific security risks that mean they will need to meet more than the minimum requirements.

All agencies should comply with the requirements contained within the core policies for protective security.

The security elements within each of the three core policy areas are listed below.

Protective security governance core policy

  • Agency governance structure
  • Security risk management
  • Policies, plans and protocols
  • Assurance and reporting
  • Developing a security culture
  • Security investigations
  • Contracting
  • International security agreements
  • Business continuity management

Personnel security management core policy

  • Agency personnel security policy and planning
  • Risk management
  • Need-to-know principle
  • Security vetting process
  • National security clearance levels
  • Ongoing personnel security management

Information security management core policy

  • Agency information security policy and planning
  • Information security framework and external party access
  • Information asset protective marking and control
  • Operations security management

Physical security management core policy

  • Agency physical security policy and planning
  • Protection of employees
  • Facility security
  • Workplace health and safety
  • Duty of care – third parties
  • Physical security of ICT equipment and information
  • Physical security in emergency and increased threat situations

The following sections introduce the mandatory requirements (‘must’) that are part of each core policy and also best-practice recommendations (‘should’) that agencies need to consider to create fit-for-purpose security environments. This information is expanded on throughout the PSR.


2.1 Legislation

The mandatory requirements are not set down in statute, but are based on legislation relating to protective security and reflect Government objectives.

Where legislation requires an agency to manage protective security in a manner contradictory to the PSR, that legislation is to take precedence over the PSR.

Legislation applicable to agencies includes, but is not limited to:

  • Crimes Act 1961
  • Criminal Disclosure Act 2008
  • Customs and Excise Act 1986
  • Defence Act 1990
  • Employment Relations Act 2000
  • Income Tax Act 2007
  • Official Information Act 1982
  • Privacy Act 1993
  • Public Finance Act 1989
  • Public Records Act 2005
  • State Sector Act 1988
  • Summary Offences Act 1981.

3 Protective security governance


3.1 Agency governance structure

To implement protective security standards, agencies are required to clearly identify internal security governance structures and delineate responsibilities.

Mandatory requirement

GOV1: Agencies must establish a governance structure within their agency that ensures the successful management of protective security risk.

Agencies should:

  • develop a governance structure to enable the effective identification and management of security risks
  • gain endorsement from the agency head for security risk management structures, assurance mechanisms and resource allocation.

For more information refer to Security Structure and Agency Responsibilities.

Mandatory requirement

GOV2: Agencies must appoint a member of senior management as the Chief Security Officer (CSO), responsible for the agency protective security policy and oversight of protective security practices.

Agencies should:

  • identify and establish protective security roles, with defined responsibilities
  • assign the role of CSO and any other security lead roles as appropriate
  • be aware of the functions of the CSO as described in Security Structure and Agency Responsibilities. 

3.2 Security risk management

Mandatory requirement

GOV3: Agencies must adopt a risk management approach to cover all aspects of protective security activity across their organisation, in accordance with the New Zealand standard AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines.

Agencies should develop a security risk management process to:

  • identify risks specific to their people, information and assets
  • specify the agency’s level of risk tolerance
  • determine appropriate protections to reduce or eliminate risks
  • identify and accept responsibility for residual risks.

What is appropriate will vary from agency to agency, but the process should be transparent and justifiable. Risk avoidance is not risk management.

Agencies should consider the impact on their business when determining the consequences of the compromise or loss of agency information or assets, or of harm to people.

In addition to an agency’s individual functions and security concerns, common messages for managing security risks are:

  • security risk management is the responsibility of every staff member, including contractors
  • risk management, including security risk management, is part of day-to-day business
  • the process for managing security risk is logical, systematic and should be a part of the agency’s standard management processes
  • changes in the threat environment should be continuously monitored, and necessary adjustments made, in order to maintain an acceptable level of risk and a good balance between operational needs and security.

Agencies should also:

  • establish the scope of any security risk assessment and identify the people, information and assets to be safeguarded
  • determine threats to people, information and assets, in New Zealand and abroad, and assess the likelihood and impact of a risk occurring
  • assess risks against vulnerabilities and the adequacy of existing safeguards
  • implement supplementary protective security measures to reduce risks to acceptable levels.

For more information refer to:

3.3 Policies, plans and protocols

Mandatory requirement

GOV4: Agencies must develop their own set of protective security policies, plans and protocols to meet their specific business needs. Policies and plans must be reviewed every two years or sooner if changes in risks or the agency’s operating environment dictate.

Policies and protocols should:

  • detail the objectives, scope and approach to the management of the protective security issues and risks the agency faces
  • be endorsed by the agency head
  • identify protective security roles and responsibilities
  • be reviewed in the context of changes to agency business and security risks
  • be consistent with the agency’s security risk assessment findings
  • explain the consequences for breaching the policy or circumventing any associated protective security measure
  • be communicated on an ongoing basis, be accessible to all agency employees and, where reasonable and practical, be publicly available.

For more information refer to Developing Agency Protective Security Policies, Plans and Procedures.

3.4 Assurance and reporting

Mandatory requirement

GOV5: Agencies must have an assurance system to conduct an annual security assessment against the mandatory requirements detailed within the Protective Security Requirements. Agencies must be prepared to report this assessment information upon request from lead security agencies.

The assurance, review and reporting process aims to help agencies assess how well they are ensuring the safety of people and the confidentiality, integrity and availability of essential resources.

The process comprises internal self-assessment and reporting, and in some cases external reporting to lead security agencies.

For more information refer to Compliance Reporting.


3.5 Developing a security culture

To successfully deliver the PSR, agencies should foster a professional culture and a positive attitude towards protective security.

Mandatory requirement

GOV6: Agencies must provide all staff, including contractors, with sufficient information and security awareness training to meet the obligations of the Protective Security Requirements.

Agencies should:

  • ensure individuals who have specific security duties receive appropriate and up-to-date training
  • communicate and make available to all staff, including contractors, agency protective security policies
  • have an ongoing security awareness programme to inform and regularly remind people of security responsibilities, issues and concerns
  • brief national security clearance holders on the access privileges and prohibitions attached to their clearance level when they gain or renew a clearance and when otherwise required in the clearance renewal cycle.

For more information refer to Security Awareness Training.

Agencies should also provide all staff, including contractors, with guidance on relevant sections of legislation covering the unauthorised disclosure of official information, including the:

  • Official Information Act 1982 (sections 6, 9, 27 and 31)
  • Privacy Act 1993 – Information Privacy Principles (section 6)
  • Crimes Act 1961 (sections 78, 78A, 78B, 78C and 79)
  • Summary Offences Act 1981 (section 20A).

The combined effect of the Crimes Act 1961 and the Summary Offences Act 1981 is that the unauthorised disclosure of information held by the New Zealand government is subject to the sanction of criminal law. All personnel need to be aware of whether and how such legislation applies to their role.


3.6 Security investigations

Agencies should identify and understand security risks in order to address security incidents and protect people, information and assets.

Mandatory requirement

GOV7: Agencies must have established procedures for reporting and investigating security incidents, and for taking corrective action.

Security investigations are intended to establish the cause and extent of incidents that have, or could have, compromised the New Zealand government.

Through effective reporting and investigation of security incidents, agencies should determine vulnerabilities and reduce the risk of future occurrences.

A security investigation should protect both the interests of the New Zealand government and the rights of affected individuals.

Agencies must apply the principles of natural justice and procedural fairness to all security investigations.

Procedures should give due regard to ensuring the integrity of any other current or future investigation by the agency or that of another.

If an incident is potentially serious then agencies must consult with the New Zealand Police, the New Zealand Security Intelligence Service (NZSIS), the Government Communications Security Bureau (GCSB) and/or the Government Chief Information Officer (GCIO).

Agencies must also report:

  • incidents suspected of constituting criminal offences to the appropriate law enforcement authorities
  • incidents suspected of involving the compromise of information or assets protectively marked at or above CONFIDENTIAL to the NZSIS
  • major ICT incidents to the GCSB and/or the GCIO.

For more information refer to Reporting Incidents and Conducting Security Investigations.


3.7 Contracting

The PSR applies as much to service providers and outsourced services as it does to internal government agency operations.

Mandatory requirement

GOV8: Agencies must ensure contracted providers comply with the Protective Security Requirements and agency-specific protective security protocols.

Agencies should:

  • apply necessary personnel security procedures to private sector organisations and individuals who have access to New Zealand government assets
  • ensure government assets, including ICT systems, are safeguarded through
    • specifying necessary protective security requirements in the terms and conditions of any contract documentation
    • undertaking assessment visits to verify the contracted service provider complies with the terms and conditions of any contract.

For more information refer to Security Requirements of Outsourced Services and Functions.


3.8 International security agreements

The New Zealand government is party to a range of multilateral and bilateral international agreements governing the use, handling and protection of information, including protectively marked material.

Mandatory requirement

GOV9: Agencies must adhere to any provisions concerning the security of people, information and assets contained in multilateral or bilateral agreements and arrangements to which New Zealand or the agency is a party.

Agencies involved in sensitive work with international organisations, or those that handle another jurisdiction’s protectively marked information on their behalf, should ensure their internal procedures comply with relevant obligations.

For more information refer to Safeguarding Foreign Government Information (under development).


3.9 Business continuity management

Critical services and associated assets need to remain available to assure the health, safety, security and economic wellbeing of New Zealand and the effective functioning of government.

Business continuity management (BCM) should be part of an agency’s overall approach to effective risk management.

BCM planning sets out the processes agencies should follow in the event of a disruption to business. A key risk for agencies is that they will be unable to remain operational in the event of a crisis or other disruption.

Mandatory requirement

GOV10: Agencies must establish a business continuity management (BCM) programme to provide for the continued availability of critical services and assets, and of other services and assets when warranted by a security threat or risk assessment.

Agencies should:

  • ensure governance arrangements establish authorities and responsibilities for a BCM programme and for the development and approval of business continuity plans
  • within the context of asset identification, undertake impact analyses to identify and prioritise the agency’s critical services and assets, including identifying and prioritising information exchanges provided by or to other agencies and external parties
  • develop plans, measures and arrangements to ensure the continued availability of critical services and assets, and of any other service or asset when warranted by a threat or risk assessment
  • undertake activities to monitor the agency’s level of overall preparedness
  • make provisions for the continuous review, testing and audit of business continuity plans.

For more information refer to:

ISO 22301:2012 Societal Security – Business Continuity Management Systems – Requirements

Business Continuity Institute – Good Practice Guidelines 2013: A Guide to Global Good Practice in Business Continuity.


4 Personnel security management core policy

The protection of government-held resources includes limiting access to people whom the New Zealand government assesses to be suitable and whose work responsibilities require them to access the resources. This applies to all resources (e.g. information, financial resources, physical assets), not only those that are protectively marked.

Suitability for access is determined through assessment processes that are appropriate to the sensitivity of the resources in question. For example, access to national security classified assets is dependent on holding a national security clearance.

4.1 Agency personnel security policy and planning

The purpose of personnel security is to provide a level of assurance as to the honesty, trustworthiness and loyalty of people who access government resources.

All people employed by the New Zealand government may be subject to security vetting.

Mandatory requirement

PERSEC1: Agencies must ensure New Zealand government employees, contractors and temporary staff who require ongoing access to New Zealand government information and resources:

  • are eligible to have access
  • have had their identity established
  • are suitable to have access, and
  • are willing to comply with government policies, standards, protocols and requirements that safeguard that agency’s resources (people, information and assets) from harm.

Agencies must have in place policies and procedures to assess and manage the ongoing suitability for employment of all staff and contractors.

4.2 Risk management

Agencies should employ a risk management approach to personnel security that is consistent with protective security principles.

The aim is to reduce the risk of loss, damage or compromise of protectively marked resources through the application of appropriate checks and measures before and during employment.

In isolation such measures do not provide a guarantee of reliability and they need to be supported by effective line management.

They are not an alternative to the correct application of the need-to-know principle, access controls or information security measures.

For more information refer to:

4.3 Need-to-know principle

Mandatory requirements

PERSEC2: Agencies must:

  • identify positions within their agency that require access to CONFIDENTIAL, SECRET and TOP SECRET assets and information
  • ensure the level of security clearance sought is necessary, and
  • ensure personnel have the requisite level of security clearance prior to being granted access to information protectively marked as CONFIDENTIAL or higher.

PERSEC3: Agencies must maintain a register of personnel and contractors who hold a security clearance.

The fundamental rule of personnel security is that agencies should base all access decisions on the need-to-know principle.

Before granting access, agencies should establish the existence of a legitimate need to access protectively marked resources to carry out official duties.

Other justifications, such as a position of authority or the desire to enter controlled areas for the sake of convenience, are not valid.


4.4 Security vetting process

Mandatory requirements

PERSEC4: An application for a security clearance must be sponsored by a New Zealand government agency.

PERSEC5: Agency heads must obtain a recommendation from the NZSIS prior to granting a security clearance. Agencies must follow the Protective Security Requirements Personnel Security Management Protocol and supporting requirements for personnel security.

The NZSIS has the statutory mandate for the security vetting process and for making recommendations on security trustworthiness. Only the NZSIS may conduct security vetting for the New Zealand government. Agencies must receive a security vetting recommendation from the NZSIS before granting a national security clearance.

The security vetting process is intrusive by its very nature and the NZSIS must conduct the process with care and sensitivity, and in accordance with government policy.

All vetting decisions are based on an assessment of the whole person and at all stages must be made in accordance with the principles of natural justice and procedural fairness.

NZSIS must resolve any doubts about the suitability of a candidate to access national security classified resources.

For further information refer to the Personnel Security Management Protocol.


4.5 National security clearance levels

There are four levels of national security vetting, each involving more rigorous checking. They are listed below.

  • CONFIDENTIAL – an assessment of the individual’s suitability for ongoing access to New Zealand government resources protectively marked at the CONFIDENTIAL level.
  • SECRET – an assessment of the individual’s suitability for ongoing access to CONFIDENTIAL and SECRET protectively marked resources.
  • TOP SECRET – an assessment of the individual’s suitability for ongoing access to resources that have been protectively marked CONFIDENTIAL, SECRET or TOP SECRET. This includes resources that carry compartmented markings.
  • TOP SECRET SPECIAL – an assessment of the individual’s suitability for ongoing access to all resources protectively marked under the security classification system, including resources that carry compartmented markings. This level of security vetting usually relates to employment within an agency in the New Zealand Intelligence Community.

4.6 Ongoing personnel security management

Mandatory requirements

PERSEC6: Agencies must have personnel security clearance management arrangements in place for all staff, including contractors, who hold a security clearance.

PERSEC7: Agencies must notify the NZSIS of the granting, downgrading, suspension or cancellation of a security clearance. Any reason associated with disciplinary action or unsuitability of the candidate to obtain/maintain the appropriate level of clearance must be reported to the NZSIS.

Personnel security is an important element of an agency’s protective security regime, as is sound overall management practice.

The initial security vetting process only provides a snapshot of an individual at a particular point in time.

Aside from formal periodic and NZSIS-initiated reviews of national security clearances, agency managers are responsible for providing ongoing support, awareness and education as part of an agency’s security clearance management regime.

Agencies should have in place security clearance management processes that provide for the timely identification and assessment of issues that may impact an individual’s continued suitability to hold a security clearance.

These processes should complement, but not substitute, clearance review and security education processes.

Security clearance management processes should:

  • include tailored, agency-specific security clearance management programmes
  • provide clear instructions and requirements in agency security clearance management policy and procedures
  • through security education and training, regularly reinforce the requirement for staff to report relevant contacts and changes in personal circumstances.

For more information refer to the Personnel Security Management Protocol and supporting requirements.


5 Information security management core policy

The New Zealand government collects and receives information to fulfil its functions and expects all those who hold or access this information to protect it.

Agencies should develop, document, implement and review appropriate security measures to protect information from unauthorised use or accidental modification, loss or release through:

  • establishing an appropriate information security culture within the agency
  • implementing security measures that match the information’s value, sensitivity and any protective marking
  • adhering to all legal requirements.

The mandatory requirements of this core policy are based on the following elements:

  • confidentiality – ensuring information is accessible only to those authorised to have access
  • integrity – safeguarding the accuracy and completeness of information and processing methods
  • availability – ensuring authorised users have access to information and associated assets when required.

The term ‘information assets’ within this policy refers to any form of information, including:

  • printed documents and papers
  • electronic data
  • the software or ICT systems and networks on which information is stored, processed or communicated
  • the intellectual information (knowledge) acquired by individuals
  • physical items from which information regarding design, components or use could be derived.

For more information refer to the Information Security Management Protocol and supporting requirements.

Sharing information and other assets

Agencies must implement this policy when sharing protectively marked information and assets with New Zealand government agencies, other governments, private sector, educational and international organisations.

In such cases agencies should outline security responsibilities, safeguards to be applied and terms and conditions for continued participation.

Agencies must treat information and other assets received from foreign jurisdictions in accordance with relevant legislation and agreements between the parties concerned.


5.1 Agency information security policy and planning

Mandatory requirements

INFOSEC1: Agencies must address information security requirements through the development and implementation of an information security policy as part of the agency security plan.

The policy and plan should:

  • detail the objectives, scope and approach to the management of information security risks and issues within the agency
  • be endorsed by the agency head
  • identify information security roles and responsibilities
  • detail the types of information an employee:
    • can lawfully disclose in the performance of his or her duties
    • needs to obtain authority to disclose
  • be reviewed and evaluated in line with changes to agency business and information security risks
  • be consistent with the requirements of the agency’s wider protective security plan and information security risk assessment findings
  • address the issue of data aggregation
  • include details of the agency’s declassification programme
  • explain the consequences of breaching the policy or circumventing any associated protective security measure
  • be communicated on an ongoing basis, be accessible to all employees and, where practical, be publicly available.

5.2 Information security framework and external party access

Mandatory requirement

INFOSEC2: Agencies must establish a framework to provide direction and coordinated management of information security. Frameworks must be appropriate to the level of security risk in the agency’s information environment and consistent with business needs and legal obligations.

Agencies should:

  • document requirements for information security when entering into outsourcing contracts and arrangements with contractors and consultants
  • enter into Memoranda of Understanding (MOU) with other agencies when regularly sharing information and, where reasonable and practical, make these MOUs publicly available
  • ensure that prior to providing third parties with access to government information and ICT systems, security measures that match the protective marking of the information or ICT systems are in place and clearly defined in relevant agreements or contracts
  • ensure appropriate permissions are received before providing third parties with access to information not originating within the agency.

5.3 Information asset protective marking and control

Mandatory requirement

INFOSEC3: Agencies must implement policies and protocols for the protective marking and handling of information assets in accordance with the Protective Security Requirements New Zealand Government Security Classification System and the New Zealand Information Security Manual.

When addressing policies and procedures for protective marking and control, agencies should:

  • identify, document and assign owners for the maintenance of security measures for all major information assets, including hardware, software and services used in agency operations (including ICT assets used to process, store or transmit information)
  • require all agency information be classified and protectively marked in accordance with the New Zealand Government Security Classification System
  • implement controls for all security classified and protectively marked information (including for handling, storage, transmission, transportation and disposal) in accordance with the Handling Requirements for Protectively Marked Information and Equipment
  • develop and maintain a protective marking guide specific to the agency which is accessible to all employees.

Additionally, agencies should ensure:

  • the agency’s protective marking guide does not limit the provisions of relevant legislative requirements or other obligations (including international) under which the agency operates
  • disposal of public records is in accordance with legislative and regulatory requirements.

5.4 Operations security management

Mandatory requirements

INFOSEC4: Agencies must document and implement operational procedures and measures to ensure information, systems development and systems operations are designed and managed in accordance with security, privacy, legal and regulatory obligations under which the agency operates.

INFOSEC5: Agencies must ensure there is a formal process to approve ICT systems to operate.
This process, known as ‘certification and accreditation’, is an essential component of the governance and assurance of ICT systems and supports risk management. The process is described in the New Zealand Information Security Manual.

Operational procedures and responsibilities

Agencies must document and implement operational procedures and measures to ensure information, ICT systems and network tasks are managed securely and consistently in accordance with required levels of security and privacy protection.

Agencies should:

  • have in place incident management procedures and mechanisms to review violations and to ensure appropriate responses to security incidents, breaches and failures
  • have in place adequate controls to prevent, detect, remove and report attacks and malicious code on ICT systems and networks
  • operate comprehensive systems maintenance processes and procedures, including operator, audit and fault logs, and backup procedures
  • implement operational change control procedures to ensure appropriate management and approval of all changes to information processing facilities or ICT systems
  • comply with legal obligations when exchanging information in any form with other agencies or third parties
  • apply the protective marking standards and controls specified in the Information Security Management Protocol and the New Zealand Information Security Manual.

Information access controls

Agencies must have in place measures for controlling access to all information, ICT systems, networks (including remote access), infrastructures and applications.

Access control rules must be consistent with the agency’s risk assessment, business requirements, security classifications and legal obligations.

Agencies should:

  • assess access requirements against the New Zealand Information Security Manual
  • require specific authorisation to access agency ICT systems
  • assign each user a unique personal identification code and secure means of authentication
  • define, document and implement policies and procedures to manage operating systems security, including user registration, authentication management, and access rights and privileges to ICT systems and application utilities
  • display restricted access and authorised use only (or equivalent) warnings upon access to all agency ICT systems
  • where wireless communications are used, appropriately configure security features to at least the equivalent level of security of wired communications
  • implement control measures to detect and regularly log, monitor and review ICT systems and network access and use, including all significant security-relevant events
  • conduct risk assessments and define policies and processes for mobile technologies and teleworking facilities
  • prior to connection, assess security risks and implement appropriate controls associated with the use of ICT facilities and devices not owned by government such as mobile telephones, personal storage devices, Internet and email.

Information systems development and maintenance

Agencies must have in place security measures during all stages of ICT system development and implementation. These measures must match the assessed security risk of the information holdings contained within the systems.

When implementing new ICT systems, or changing existing systems, agencies must:

  • address security from the early phases of the system development lifecycle, including concept development, planning, requirements analysis and design
  • consult internal and/or external audit functions when implementing new or significant changes to financial and critical business systems
  • incorporate processes in applications, including data validity checks, audit trails and activity logging, to ensure the integrity and accuracy of data captured or held by systems
  • apply authentication policies and techniques set out in the New Zealand Information Security Manual
  • identify and implement access controls
  • control access to ICT system files to ensure the integrity of business systems, applications and data
  • carry out appropriate change control, system and acceptance testing and migration control measures when installing or upgrading software
  • conduct certification and accreditation of all new systems to confirm they meet security standards.

Compliance

In order to ensure legal, regulatory, privacy and contractual obligations relevant to information security are managed appropriately, agencies must:

  • take all reasonable steps to monitor, review and audit agency information security effectiveness, including assigning appropriate security roles and engaging internal auditors, external auditors and specialist organisations when required
  • regularly review all agency information security policies, processes and requirements, including contracts with third parties, and report their compliance to agency management.

 


6 Physical security management core policy

New Zealand government agencies hold significant resources on behalf of the Crown to fulfil government functions, for example, to develop policy, implement programmes and deliver services to the public.

The Government expects each agency to create and maintain an appropriate physical security environment for the protection of these functions, associated resources and people.

Physical security environments should support the efficient and effective delivery of agency outputs without compromising the application of protective security measures and while also taking into account relevant health and safety standards.

Risk management

Agencies must employ a risk management approach to determine appropriate levels of physical protection for their functions, information, assets, employees and the public.

These decisions require a rigorous analysis of security risk.

For more information refer to:

Security-in-depth

Sensible management of security risk will involve finding appropriate and cost-effective ways to minimise risk through a combination of procedural, personnel and physical security measures.

This mix establishes a series of barriers that prevent or restrict unauthorised access or harm to resources. It also establishes mechanisms to detect and respond to security breaches within an acceptable timeframe. This is known as security-in-depth.


6.1 Agency physical security policy and planning

Mandatory requirement

PHYSEC1: Agencies must provide clear direction on physical security through the development and implementation of an agency physical security policy, and address agency physical security requirements as part of the overall agency security plan.

The policy and plan should:

  • detail the objectives, scope and approach for the management of physical security issues and risks within the agency
  • be endorsed by the agency head
  • identify physical security roles and responsibilities
  • continuously review physical security measures to reflect changes in the threat environment and take advantage of new and cost-effective technologies
  • be consistent with the requirements of the agency’s protective security plan and physical security risk assessment findings
  • explain the consequences of breaching the policy or circumventing any associated protective security measure
  • be communicated on an ongoing basis and be accessible to all agency employees.

For more information refer to the Physical Security Management Protocol and supporting requirements.


6.2 Protection of employees

Mandatory requirement

PHYSEC2: Agencies must have in place policies and protocols to:

  • identify, protect and support employees under threat of violence, based on a threat and risk assessment of specific situations. In certain cases agencies may have to extend protection and support, for example to family members
  • report incidents to management, human resources, security and law enforcement authorities, and/or WorkSafe NZ, as appropriate
  • provide information, training and counselling to employees
  • maintain thorough records and statements on reported incidents.

Agencies are responsible for the health and safety of employees at work. This responsibility extends to situations where employees are under threat of violence because of their duties or because of situations to which they are exposed.

Such situations can include, but are not limited to, terrorism, assault, stalking, threat letters or calls, and the receipt of potentially dangerous substances (e.g. ‘white powder’).


6.3 Facility security

Mandatory requirement

PHYSEC3: Agencies must ensure they fully integrate physical security early in the process of planning, selecting, designing and modifying their facilities.

Physical security includes the proper layout and design of facilities, and the use of measures to prevent or delay unauthorised access to government assets.

It includes measures to detect attempted or actual unauthorised access, and to activate appropriate responses.

Physical security also provides measures to safeguard employees from violence.

Agencies should:

  • select, design and modify their facilities to facilitate the control of access
  • determine restricted access areas and have the necessary entry barriers, security systems and equipment based on threat and risk assessments
  • include security specifications in planning, requests for proposals and tender documentation
  • incorporate related costs in funding requirements.

 


6.4 Health and safety at work

Mandatory requirement

PHYSEC4: Agencies must ensure any proposed physical security measure or activity is consistent with relevant health and safety obligations.

Agencies should conduct a risk assessment, taking into account the likelihood and consequence of an accident or injury arising as a result of a physical security measure or activity, and put in place appropriate control measures.

For more information refer to the Health and Safety at Work Act 2015.


6.5 Duty of care – third parties

Mandatory requirement

PHYSEC5: Agencies must show a duty of care for the physical safety of members of the public interacting directly with the New Zealand government. Where an agency’s function involves providing services, the agency must ensure clients can transact with the New Zealand government with confidence about their physical wellbeing.

Agencies should:

  • take all reasonable precautions which could avoid or reduce the risk of harm to clients
  • where there are a number of effective physical security measures which would reduce the risk of harm, choose the option which is least restrictive to the client
  • ensure the agency physical security plan addresses the risk of harm to clients
  • develop relevant requirements and procedures that identify the precautions to be taken to address the identified risk factors.

 


6.6 Physical security of ICT equipment and information

Mandatory requirement

PHYSEC6: Agencies must implement a level of physical security measures that minimises or removes the risk of information assets being made inoperable or inaccessible, or improperly used or accessed.

Agencies should:

  • have in place appropriate building and entry control measures for areas used in the processing and storage of protectively marked information
  • have in place physical security protection (matching the assessed security risk of aggregated information holdings) for all agency premises, storage facilities and cabling infrastructure
  • where practical, locate ICT equipment in areas with access control measures in place to restrict use to authorised personnel only and, where physical access control measures are not possible, have in place other control measures
  • implement policies and procedures to monitor and protect the use and/or maintenance of information, equipment, storage devices and media away from agency premises and, in situations where a risk assessment determines it is necessary, put in place additional control measures
  • implement policies and processes for the secure disposal and/or re-use of ICT equipment, storage devices and media (including delegation, approval, supervision, removal methods and employee training) that match the assessed security risk of the information holdings stored on the asset
  • implement general control policies, including a clear desk and clear screen policy.

 


6.7 Physical security in emergency and increased threat situations

Mandatory requirement

PHYSEC7: Agencies must develop plans and protocols to move up to heightened security levels in case of emergency and increased threat. The New Zealand Government may direct its agencies to implement heightened security levels.

Agencies should integrate and coordinate physical security plans and procedures with other emergency prevention and response plans, for example fire, bomb threats, hazardous materials, power failures, evacuations and civil defence emergencies.

 

 


About

This information, along with the governance arrangements and core policies outlined elsewhere in the PSR, describes the top-level mandatory requirements applicable to all agencies. The detailed protocols and requirements support the core policies for security governance, personnel security, information security and physical security. 


Last modified: 18 December 2014
