The policy framework

Security governance (GOV)

Ensure effective oversight and management of all protective security areas

Managing security risks proportionately and effectively enables organisations to protect people, information and assets. To successfully manage security risks organisations must ensure security is part of their organisational culture, practices and operational plans.

The PSR contains eight governance requirements which work together to ensure effective oversight and management of all security areas.

PSR Policy Framework — GOV

This section provides a high-level overview of the PSR security governance mandatory requirements. To understand, implement, and comply with the PSR security governance mandatory requirements, refer to the PSR Policy Framework documents.

GOV 1

Establish and maintain the right governance

Establish and maintain a governance structure that ensures the successful leadership and oversight of protective security risk. Appoint members of the senior team as:

  • Chief Security Officer (CSO), responsible for your organisation’s overall protective security policy and oversight of protective security practices.
  • Chief Information Security Officer (CISO), responsible for your organisation’s information security.

To implement protective security requirements, your organisation must clearly:

  • identify your security governance structure
  • define who is responsible for security governance.

Develop a governance structure that enables you to effectively identify and manage security risks.

Your organisation head is responsible for reviewing and endorsing your proposed security risk management structures, assurance mechanisms, and resource allocations.

GOV 1 includes the following requirements:

GOV 1.1 Ensure executive commitment and oversight

GOV 1.1 covers the Organisation head’s key accountabilities and responsibilities for establishing and maintaining a secure environment that protects its people, information, and assets. This includes ensuring effective security governance, leadership and management, risk management, planning, and performance management.

  • Overall security accountability rests with the Organisation head
  • The Organisation head may delegate authority
  • Establish effective security governance oversight
  • Leaders promote and sponsor protective security

GOV 1.2 Assign functional security responsibilities

GOV 1.2 covers requirements for establishing an effective security management function. This includes requirements when considering appointing a Virtual CISO. Also refer to Security Governance Appendix A: Key protective security roles and responsibilities for more information.

  • Appoint a Chief Security Officer (CSO)
  • Appoint a Chief Information Security Officer (CISO)
  • Ensure functional management and governance responsibility
  • Ensure security management is active and visible
  • Convene a Security Reference Group (SRG) when appropriate.

Refer to the PSR Policy Framework documents for details on the required and recommended measures to comply with the GOV 1 mandatory requirement.


GOV 2

Take a risk-based approach

Adopt a risk management approach that covers every area of protective security across your organisation, in accordance with the New Zealand standard ISO 31000:2018 Risk Management – Guidelines.

Develop and maintain security policies and plans that meet your organisation’s specific business needs. Make sure you address security requirements in all areas: governance, information, personnel, and physical.

To successfully manage security risks, organisations must:

  • Identify, assess, and manage security risks, and
  • Formulate security plans to address those risks, and
  • Clearly define and articulate security policies, processes, and procedures that establish the expectations and approaches they will use to achieve security.

GOV 2 includes the following requirements:

GOV 2.1 Identify, assess, and manage security risks

GOV 2.1 covers requirements for security risk management including threat assessment and the recommended use of business impact levels (BILs) to help determine the impacts of risks. Also refer to Security Governance Appendix B: Business Impact Levels (BILs) for more information.

  • Adopt an appropriate risk management approach
  • Identify and assess protective security risks
  • Consider risk measures when working or co-locating with others
  • Manage your security risks effectively

GOV 2.2 Formulate security plans

GOV 2.2 covers requirements for security planning to effectively address your risks.

  • Ensure security plans address key risks
  • Regularly review, update, and phase security actions

GOV 2.3 Define and articulate security policies, processes, and procedures

GOV 2.3 covers requirements for establishing effective security policies, processes, and procedures across all security domains.

  • Develop security policies
  • Define security processes, procedures, and guidance
  • Review your security policies and processes


Refer to the PSR Policy Framework documents for details on the required and recommended measures to comply with the GOV 2 mandatory requirement.


GOV 3

Prepare for business continuity

Maintain a business continuity management programme, so that your organisation’s critical functions can continue to the fullest extent possible during a disruption. Ensure you plan for continuity of the resources that support your critical functions.

Business continuity is the capability of an organisation to continue delivery of products or services within acceptable timeframes, and at acceptable capacity following a disruptive event.

Causes of disruptions include natural events such as earthquakes or severe weather, loss of a key resource such as a power failure, technological failure, or supply chain disruption, as well as security threats such as sabotage, espionage, or cyber-attacks. Disruptions can occur at any time, for any reason, and their impact varies.

ISO 22301, published by the International Organization for Standardization (ISO), sets the standard for business continuity management (BCM).
An organisation must maintain a BCM programme to ensure it is effective and secure during a disruptive event. It must also consider how it will maintain protective security during a business continuity event and build effective security measures into its business continuity programme.

GOV 3 includes the following requirements:

GOV 3.1 Set the scope of the business continuity programme

GOV 3.1 covers requirements for establishing an appropriate business continuity programme.

  • Develop a policy for managing business continuity
  • Assign responsibility for business continuity

GOV 3.2 Identify critical functions and their requirements

GOV 3.2 covers requirements for understanding the critical functions in the organisation and their requirements for continuity during a disruptive event.

  • Identify critical functions
  • Conduct a business impact analysis

GOV 3.3 Develop solutions and plans for maintaining critical functions

GOV 3.3 covers requirements for ensuring that you have effective solutions, plans, and resources for maintaining your critical functions during a disruptive event.

  • Develop solutions
  • Document business continuity planning and procedures
  • Establish teams to manage business continuity in a disruption

GOV 3.4 Monitor the level of preparedness for a disruptive event

GOV 3.4 covers requirements for educating your people and validating your business continuity plans to confirm you are prepared for disruptions. This includes information on the different types of validation you may run (discussion exercise, scenario exercise, simulation exercise, live exercise, or testing of technology, equipment, or procedures).

  • Educate people on your business continuity arrangements
  • Run exercises to validate business continuity plan and prepare for disruptions

GOV 3.5 Review and maintain the business continuity programme

GOV 3.5 covers requirements for regularly reviewing and maintaining your business continuity programme.

  • Review plans regularly to ensure effectiveness and continual improvement
  • Maintain your business continuity programme. 


Refer to the PSR Policy Framework documents for details on the required and recommended measures to comply with the GOV 3 mandatory requirement.


GOV 4

Build security awareness

Provide regular information, security awareness training, and support for everyone in your organisation, so they can meet the Protective Security Requirements and uphold your organisation’s security policies.

Building security awareness (including through training) helps an organisation to create a strong security culture that protects people, information, and assets.

An organisation must build security awareness to ensure that its people understand their security obligations, are aware of security risks, and follow security procedures.

GOV 4 includes the following requirements:

GOV 4.1 Establish a security awareness and training programme

GOV 4.1 covers requirements for establishing a security awareness and training programme including who to train, the scope of the programme, and how to ensure that the training programme is effective.

  • Set the scope of your security awareness and training programme
  • Set security awareness programme goals

GOV 4.2 Implement security awareness training

GOV 4.2 covers requirements for conducting security awareness training and the minimum topics for coverage.

  • Ensure security awareness is an ongoing and regular part of operations
  • Provide additional training for people in emergency, safety, or security roles
  • Train personnel on how to protect assets
  • Provide guidance on upholding legislation for protecting official information
  • Train personnel to report security concerns

GOV 4.3 Build a strong security culture

GOV 4.3 covers requirements for building and supporting a strong security culture.

  • Communicate effectively to enhance your security culture
  • Monitor training effectiveness
  • Monitor security behaviour and culture
  • Manage poor security behaviour effectively.


Refer to the PSR Policy Framework documents for details on the required and recommended measures to comply with the GOV 4 mandatory requirement.


GOV 5

Manage risks when working with others

Identify and manage the risks to your people, information, and assets before you begin working with others who may become part of your supply chain.

The PSR applies as much to service providers and outsourced services as it does to your internal operations. Organisations rely on suppliers to deliver products, systems, and services. This includes your partners, cooperating organisations, and customers. These suppliers broaden the risks the organisation is exposed to. Suppliers can be a weak point in an organisation’s security defences when they are not managed well.

An organisation must consider adopting twelve principles of supply chain security to manage protective security risk of its suppliers. 

GOV 5 includes the following requirements:

GOV 5.1 Understand the risks from your supply chain

Threats from an organisation’s supply chain come in many forms: inadequate security of a supplier’s systems, a malicious insider working within a supplier, or a supplier committing fraud or malicious acts of its own. Organisations must assess the risks their supply chain poses to their operations.

  • Principle 1: Understand what needs to be protected and why
  • Principle 2: Know who your suppliers are and understand their security measures
  • Principle 3: Understand the security risks posed by your supply chain

GOV 5.2 Establish effective control and oversight of your supply chain

Organisations must set and communicate their security requirements across the supply chain lifecycle and undertake effective due diligence before procuring or contracting new suppliers or establishing new partnerships. Mandated government organisations must follow the New Zealand Government Rules for Procurement (including Rule 44 – Reasons to exclude a supplier).

  • Principle 4: Communicate your view of security needs to your suppliers
  • Principle 5: Set and communicate minimum security requirements for your suppliers
  • Principle 6: Build security considerations into the contracting process and require suppliers to do the same
  • Principle 7: Meet your own security responsibilities as a consumer
  • Principle 8: Raise awareness of security within your supply chain
  • Principle 9: Provide support for security incidents

GOV 5.3 Check your supply chain arrangements

Organisations must ensure that their supply chain is meeting their security requirements and should measure its security performance.

  • Principle 10: Build assurance activities into supply chain management

GOV 5.4 Continuous improvement

As security threats and risks are constantly changing, it is good practice to build continuous improvement processes within supply chain management processes.

  • Principle 11: Encourage the continuous improvement of security within your supply chain
  • Principle 12: Build trust with suppliers.


Refer to the PSR Policy Framework documents for details on the required and recommended measures to comply with the GOV 5 mandatory requirement.


GOV 6

Manage security incidents

Make sure every security incident is identified, reported, responded to, investigated, and recovered from as quickly as possible. Ensure any appropriate corrective action is taken.

A security incident is an event caused by an individual or group that has or could have resulted in loss or harm to an organisation’s assets, information or people, or an action that breaches the organisation’s security procedures. 

This may include:

  • an attack or attempted attack against a computer or network
  • an attempt or approach from anybody seeking unauthorised access to organisational resources, or
  • any other occurrence that results, or may result, in negative consequences for the security of the organisation, New Zealand government, its institutions, or programmes. 

Incident management is the process of identifying, recording, analysing, reporting, investigating, acting upon, and learning from incidents. Security investigations establish the cause and extent of an incident that has, or could have, compromised your organisation or the New Zealand Government.  The process of investigating and reporting security incidents also helps an organisation understand its vulnerabilities and reduce the risk of future incidents.
An organisation must ensure that it can identify, report, respond to, investigate and recover from security incidents.

GOV 6 includes the following requirements:

GOV 6.1 Establish an effective approach to managing security incidents

Ensure that your organisation has a robust and proactive approach to managing security incidents that the personnel understand and follow. Cyber incidents are only a matter of when, not if. A robust and effective approach will help ensure that the organisation is resilient and prepared.

  • Follow a structured approach for security incident management
  • Establish policies and procedures for managing security incidents
  • Prepare and test your incident response readiness

GOV 6.2 Ensure that security incidents are detected and raised

Ensure that your personnel understand their responsibilities, can detect that an incident has happened, and raise it to the appropriate team for assessment and investigation as quickly as possible.

  • Require personnel to raise security incidents and make it easy for them to do so
  • Establish mechanisms to quickly detect and respond to security incidents

GOV 6.3 Record and assess security incidents

Recording and tracking security incidents gives valuable insights into an organisation’s security environment and performance. For instance, repeated minor security incidents could be a symptom of poor personnel awareness and a need for more security awareness training.

  • Implement methods for recording and assessing the impact of security incidents

GOV 6.4 Report security incidents to relevant agencies

Ensure that your security incident team understand their responsibilities for reporting security incidents to other relevant agencies and build these into your security incident management processes.

  • Report certain security incidents to other agencies
  • Report security incidents involving holders of national security clearances
  • Report cyber security incidents to the National Cyber Security Centre
  • Report security incidents involving Cabinet material to the Cabinet Office
  • Report criminal incidents to law enforcement bodies
  • Include these details when you report major security incidents

GOV 6.5 Investigate, respond to, and manage security incidents

Security incidents can result in security investigations, disciplinary action, and/or criminal investigation. While investigations are underway, interim measures may be necessary to protect people, information, or assets at risk.

  • Investigate security incidents
  • Take interim measures while investigations are underway
  • When appropriate, involve others in security investigations

GOV 6.6 Learn from security incidents

Corrective action must be taken in response to relevant security incidents. Organisations should also consider other monitoring and analysis practices (such as root cause analysis and post-incident reviews) to learn from incidents and reduce the likelihood of future ones.

  • Monitor and measure incident management effectiveness
  • Conduct post-incident reviews when appropriate
  • Research incident management practices and security trends.


Refer to the PSR Policy Framework documents for details on the required and recommended measures to comply with the GOV 6 mandatory requirement.


GOV 7

Be able to respond to increased threat levels

Develop plans and be prepared to implement heightened security levels in emergencies or situations where there is an increased threat to your people, information, or assets.

Be prepared to move to heightened security levels in emergencies or situations of increasing security risk. Security alert levels communicate information about the security measures an organisation uses to reduce risks in emergency situations and other times of heightened risk. Alert levels also allow an organisation to scale its security measures, so they are appropriate to the type of incident and can change easily as risks increase or decrease.

GOV 7 includes the following requirements:

GOV 7.1 Identify sources of risk for heightened security alert levels

Organisations need to be ready to respond to emergency and increased security risk situations. Example events or threats include protests, demonstrations, bomb threats, threats of harm to a staff member, or other health and safety events such as fires, floods or natural disasters.  Use all types of risk information including site security plans, health and safety plans, risk assessments, risk management plans, business continuity plans, and security incident reviews. 

  • Use internal and external sources of information to inform response planning

GOV 7.2 Develop alert levels

Developing alert levels helps an organisation to apply security measures quickly before or during an event. A quick response can increase the ability to protect people, information, and assets. Refer to Security Governance Appendix C: Developing alert levels guidance for more information.

  • Establish alert levels that address all types of emergency and security alerts

GOV 7.3 Plan your response during heightened security alerts

Organisations need to identify the security measures they will use and develop response plans in line with the risks they are exposed to. Refer to example measures in the Operational security measures for alert levels [PDF, 44 KB] guidance.

  • Determine your security measures at different alert levels
  • Develop a plan for changing security alert levels

GOV 7.4 Monitor the risk environment and change alert levels when necessary

Organisations need to establish mechanisms to monitor the risk environment to ensure they can change alert levels and kick off response plans as quickly as possible during the event. 

  • Change alert levels when necessary
  • Debrief after changing alert levels

GOV 7.5 Review and update your processes

Organisations also need to practise their responses and learn from events to identify gaps and improve their response performance.

  • Practice, review, and improve alert response processes.


Refer to the PSR Policy Framework documents for details on the required and recommended measures to comply with the GOV 7 mandatory requirement.


GOV 8

Assess your capability

Use an annual evidence-based assessment process to provide assurance that your organisation’s security capability is fit-for-purpose. Provide an assurance report to Government through the Protective Security Requirements team if requested.

Ongoing improvement in protective security requires a cycle of assessing and managing risks in an ever-changing environment. By using a self-assessment cycle, the organisation can:

  • identify needs for security measures
  • evaluate the effectiveness of existing protective security practices
  • prioritise and plan the focus areas and actions to take to improve protective security and effectively manage its security risks
  • report back to Government on current capability and improvement plans.

If your organisation is new to the PSR framework, your goals will be different from those of organisations that have been on the protective security journey for a while. See Security Governance Appendix D: PSCMM improvement goals for organisations new to PSR for additional guidance.

GOV 8 has the following requirements:

GOV 8.1 Monitor and measure your protective security performance

GOV 8.2 Assess your protective security capability

GOV 8.3 Set your protective security goals for improvement

GOV 8.4 Provide assurance of your protective security capability and goals

GOV 8.5 Report on your protective security capability and improvement plans.


Refer to the PSR Policy Framework documents for details on the required and recommended measures to comply with the GOV 8 mandatory requirement.
