1 Introduction


1.1 Purpose

The purpose of the New Zealand Protective Security Requirements (PSR) is to help agencies:

  • identify their individual levels of security risk tolerance
  • achieve the mandatory requirements for protective security expected by government
  • develop an appropriate security culture to securely and effectively meet their business goals.

1.2 Audience

The audience of the PSR is:

  • agencies subject to the State Sector Act 1988
  • bodies that receive Ministerial direction to apply the general policies of the New Zealand government
  • other bodies established for a public purpose under New Zealand law, where the body has received a notice from the relevant Minister that the PSR applies to it
  • any New Zealand private sector or non-government organisation that seeks to protect its people, information and assets.

1.3 Scope

These requirements cover:

  • New Zealand’s four-tier approach to protective security
  • New Zealand’s protective security policy for government.

The New Zealand government takes appropriate measures to protect its people, information and assets at home and overseas.

How the government protects its people, information and assets is critical to effective engagement with the New Zealand people.

Protective security outside of New Zealand

Some requirements of this policy may be difficult for New Zealand government agencies to apply when operating in certain foreign environments.

In such situations, special protocols may be developed in consultation with the Ministry of Foreign Affairs and Trade (MFAT), the New Zealand Security Intelligence Service (NZSIS) and the Government Communications Security Bureau (GCSB).

Restrictions may be placed on personal activities at locations where the environment is particularly dangerous.

Generally, all employees, unless on diplomatic posting and covered by the Vienna Conventions, are automatically subject to local laws and regulations.

For travel information and specific security arrangements and limitations, employees should contact MFAT or the nearest New Zealand embassy or High Commission.


1.4 Legislation

The PSR supports legislation relevant to protective security and it reflects the aims and objectives of the New Zealand government.

Some agencies are responsible for collecting or processing official information that is subject to additional legislation. Such legislation generally takes precedence over the PSR; however, where it mandates a lower standard than the PSR, agencies must still meet the PSR’s higher standard.

Official information is a valuable resource and is to be released only in accordance with the policies, legislative requirements and directives of the government, the New Zealand Courts and international obligations.

The unauthorised disclosure of protectively marked information held by the New Zealand Government is subject to the sanction of criminal law.

Section 29(3) of the Public Records Act 2005 refers to the ‘Security in the Government Sector manual issued from time to time by the Government.’ The Protective Security Requirements now constitute the government policy referenced in that Act.


2 Four-tier approach to protective security

New Zealand’s protective security policy is organised in a four-tiered, hierarchical structure.

Refer to Figure 1.

Tier one

Tier one is the Government's overarching security policy statement.

Tier two

Tier two presents core policies and introduces the mandatory requirements government agencies must implement to ensure a consistent and controlled security environment throughout the public sector.

This will achieve a satisfactory level of assurance between agencies, increasing confidence in information-sharing practices and collaborative working arrangements.

Tier three

Tier three provides detailed policy protocols and specific policy requirements to support agencies implementing the mandatory requirements and establishing best practice security measures.

Tier three provides agencies with the guidance to develop and implement tier four agency-specific security policies and procedures.

Agency heads are responsible and accountable for the implementation and oversight of the four-tier approach to protective security within their agencies.

The New Zealand government will continue to develop and refine protective security policy that promotes the most effective and efficient ways to securely deliver government business. 


3 New Zealand Government protective security

The PSR’s four-tier hierarchical approach to protective security is represented in Figure 1.

Each tier provides standards for government agencies and supports the implementation of protective security.

Figure 1 - Protective Security Requirements Framework


3.1 Strategic Security Directive (tier one)

The Strategic Security Directive (tier one) is the keystone of the PSR.

It articulates the government’s requirement for protective security to be a business enabler that allows agencies to work together securely in an environment of trust and confidence.

Also refer to Security Structure and Agency Responsibilities


3.2 Core policies, strategic security objectives and the mandatory requirements (tier two)

The core policy controls in the PSR describe the high-level mandatory requirements.

These requirements span security governance, personnel security, information security and physical security.

Also refer to Strategic Security Objectives, Core Policies and the Mandatory Requirements for Agencies.

A control with a ‘must’ or ‘must not’ compliance requirement is mandatory. These are the baseline controls, and a mandatory control may be omitted only where it is demonstrably not relevant to the agency and this can be clearly shown to the agency head or accreditation authority.

A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice. Valid reasons for not implementing such a control could exist, including:

  1. the control is not relevant because the risk does not exist
  2. a process or control(s) of equal strength has been substituted.

Agencies must recognise that not using a control without due consideration may increase residual risk for the agency. This residual risk needs to be agreed and acknowledged by the agency head. In particular, an agency should pose the following questions:

  1. Is the agency willing to accept the additional risk?
  2. Have any implications for All-of-Government security been considered?
  3. If the risk is accepted, what is the justification?

A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.

The PSR provides agencies with mandatory and best practice security measures.

The controls detailed above identify when agencies need to consider specific security measures to comply with the mandatory requirements.

Governance

Good protective security governance is about:

  • conformance - how an agency uses protective security arrangements to ensure it meets its policy and standards obligations and government’s expectations
  • performance - how an agency uses protective security arrangements to contribute to its overall performance through the secure delivery of goods, services or programmes, as well as ensuring the confidentiality, integrity and availability of its people, information and assets.

The PSR is based on the principles of public sector governance, including:

  • accountability - being answerable for decisions and having meaningful mechanisms in place to ensure each agency adheres to all applicable protective security standards
  • transparency and openness - having clear roles and responsibilities for protective security functions, and clear procedures for making decisions and exercising authority
  • efficiency - ensuring the best use of limited resources to further the aims of the agency, with a commitment to risk-based strategies for improvement
  • leadership - achieving an agency-wide commitment to good protective security performance through top-down leadership.

Agency heads must implement protective security governance arrangements. They must also:

  • use risk management principles and policies appropriate to their agency’s functions and the security threats faced in developing, implementing and maintaining
    • protective security measures
    • business continuity management plans
  • monitor and review their security plans to ensure they are complying with mandatory requirements
  • assess their agency’s overall compliance with the PSR on an annual basis
  • adequately train all employees to ensure they fully understand their security responsibilities
  • remain accountable for the efficient and secure performance of outsourced functions
  • investigate security incidents promptly and with sensitivity.

Personnel security

Agencies must ensure the people they employ are suitable and meet standards for integrity, honesty and tolerance. 

Where necessary, people must be security cleared to the appropriate level.

Agencies are also responsible for managing personnel throughout their employment to prevent accidental or intentional security breaches.

Information security

Agencies must appropriately safeguard all official information to ensure its:

  • confidentiality (that is, information must not be made available or disclosed to unauthorised individuals, entities or processes)
  • integrity (that is, data must not be altered or destroyed in an unauthorised manner and accuracy and consistency must be preserved regardless of changes)
  • availability (that is, information must be accessible and useable on demand by authorised entities).

Agencies must apply safeguards so that:

  • only authorised people, using approved processes, access information
  • information is only used for its official purpose, retains its content integrity, and is available to satisfy operational requirements
  • information is protectively marked and labelled as required.

Agencies must also ensure information created, stored, processed or transmitted in or over government Information and Communications Technology (ICT) systems is properly managed and protected throughout all phases of a system's life cycle.

This must be done in accordance with requirements set out in the PSR, which includes the New Zealand Information Security Manual (NZISM).

Physical security

Agencies must provide and maintain:

  • a safe working environment for their employees, contractors, clients and the public
  • a secure physical environment.

3.3 Protocols, standards and best practice requirements (tier three)

Tier three of the PSR contains the key practice documents including:

  • protocols for the conduct of protective security activities to meet the mandatory requirements
  • better practice guidelines
  • references to additional protective security and risk management resources.

These documents standardise protective security practices across government to facilitate information sharing, support inter-agency business and help meet international obligations.  


3.4 Agency-specific policies and procedures (tier four)

Agencies must develop protective security policies and procedures that meet their business needs.

These policies and procedures should complement and support other agency operational procedures.

Agency protective security policies and procedures should take into account the risks created by the agency that impact on other agencies, as well as the risks inherited from business partners.

Although agencies should produce protective security policies and procedures that take into account their specific circumstances or needs, these policies must not create a standard that is lower than that prescribed in the PSR.


Last modified: 18 December 2014