Governance

GOV010

Processes for reporting security incidents

Your organisation should have formal processes for responding to and reporting protective security incidents. You must make everyone aware of their responsibilities and the reporting processes.

They should be aware of the need to report anyone who seeks access to information they’re not authorised to access.

For reporting breaches of cyber security, find advice in the New Zealand Information Security Manual - Cyber Security Incidents.


Report weaknesses in security

Your people must report security weaknesses they see or suspect, and threats to processes, policies, systems, or services. They should report weaknesses as soon as possible.

Your people should never attempt to prove a suspected weakness. This is for their own protection. Testing a weakness might be seen as misusing the system.


Learn from incidents

Your organisation should have processes for monitoring and measuring the types, volumes, and costs of incidents and malfunctions. Use the information to:

  • identify recurring or high-impact problems
  • check whether you need more or better measures to limit problems
  • review the security policy.


Have a formal process

Your organisation should have a formal  process for staff who breach your security policies and processes. It may be part of your process for handling misconduct.

It ensures that anyone suspected of breaching security is treated fairly.

Cover the process as part of staff inductions and in your security awareness training.


Make sure staff report security incidents

Your organisation’s security policy and processes should:

  • require that your staff and contractors report security incidents
  • include formal procedures and mechanisms to make reporting easy
  • require the CSO to keep records of incidents.

Your organisation’s security awareness training must include how to report incidents, and state that staff must report incidents.


Record security incidents

Develop methods for recording incidents that suit your organisation’s security environment and operations.

In your records of security incidents, include:

  • the time, date, and location
  • the type of official resources involved
  • a description of the incident’s circumstances
  • whether the incident was deliberate or accidental
  • an assessment of the degree of compromise or harm
  • a summary of immediate and long-term action you will take.

Recording security incidents gives valuable insights into an organisation’s security environment and performance. For instance, if you have many minor security incidents, it could show there is poor staff awareness and that you need more security awareness training.

CSOs should regularly report details of security incidents and any trends to your agency head.


Develop your own processes for minor security incidents

Your organisation is unique, so you should develop your own processes for investigating minor security incidents.

Tell the NZSIS about security incidents involving holders of security clearances
You must tell the New Zealand Security Intelligence Service (NZSIS) about:

  • repeated minor security incidents 
  • major security incidents that relate to a person’s suitability to hold a security clearance
  • the outcome of any security investigation that relates to a person’s suitability to hold a security clearance. 

Report contact with foreign officials

Any staff who hold a security clearance must report unusual or suspicious contacts with foreign officials, or requests from foreign officials for access to your assets or protectively-marked information. More information is in Contact Reporting.


Develop formal procedures for major security incident

Your policies and processes for dealing with major security incidents must be more formal.

When another organisation is involved

If a suspected major security incident involves resources from another organisation, seek advice from that organisation before beginning an investigation. The organisation may have operational security requirements. It may be more appropriate for the originating or responsible organisation to perform the investigation. Apply the 'need-to-know' principle.

Report major security incidents to security agencies

You must report to the right security agency any incidents of suspected:

  • espionage (NZSIS)
  • sabotage (NZSIS, NZ Police, or both)
  • acts of foreign interference (NZSIS)
  • attacks on New Zealand’s defence system (New Zealand Defence Force)
  • politically motivated violence (NZSIS, NZ Police, or both)
  • incitement to communal violence (NZSIS, NZ Police, or both)
  • serious threats to New Zealand’s border (Customs and Immigration, Ministry for Primary Industries or both).

Do an initial assessment, then contact the relevant agency or agencies as soon as possible. Only give information on a need-to-know basis until you are told otherwise. Contact your PSR engagement manager if unsure.

Report cyber security incidents to National Cyber Security Centre

Report any suspected cyber security incidents to National Cyber Security Centre including:

  • suspicious or apparently targeted emails with attachments or links
  • any compromise or corruption of information
  • hacking
  • viruses
  • disruption or damage to services or equipment
  • data spills. 

Your organisation’s ICT security policies and plans should require early contact with NCSC to avoid accidentally compromising a cyber security investigation.

Report security incidents involving Cabinet material to the Cabinet Office
Report suspected security incidents involving Cabinet material to the Cabinet Office in the Department of the Prime Minister and Cabinet.

The Cabinet Manual covers the security and handling of Cabinet documents. The online Cabinet Manual.

Report criminal incidents to law enforcement bodies

Where the incident may be a criminal offence, you may need to report to the appropriate law enforcement body. Ask the NZ Police for advice.

Get emergency help for critical incidents involving public safety

Where lives or public safety are at risk, contact the emergency services — dial 111.

Critical incidents that may affect public safety include the following types:

Personal attacks:

  • assault
  • use of weapons  including firearms
  • threats of harm to self or others
  • violent demonstration with serious disruption of public order
  • chemical, biological, or radiological (CBR) attack, or suspected CBR attack
  • white powder incidents, including real and significant hoax incidents.

Hostage taking, actual or suspected:

  • hostage situation
  • hijacking
  • kidnapping. 

Attacks to property or information:

  • arson or suspected arson
  • bombing
  • mail bomb, or suspected mail bomb
  • attack on the national information infrastructure or critical infrastructure that uses it.

Report major occupational health and safety incidents to WorkSafe

You must report health and safety incidents involving serious injury or death to WorkSafe New Zealand.

Include these details when you report major security incidents

When reporting suspected major security incidents, cover these details:

  • the date and time of the incident, or when it was reported or discovered
  • location
  • brief details
  • what may have been compromised (and the type and level of protective marking, if relevant)
  • the names of those involved in the incident if you know
  • the name and contact details of the agency for follow-up
  • an initial assessment of the harm or damage
  • what action you have already taken.

If you’ve reported a major incident, ensure you also report any updates and changes to the situation.

You are responsible for circulating information about incidents within your own organisation.

 

Page last modified: 21/02/2024