On 8 December 2014, Cabinet approved the Protective Security Requirements, incorporating the New Zealand Information Security Manual (NZISM), in place of the Security in the Government Sector and the Protective Security Manual.
The Protective Security Requirements (PSR) provides a policy framework that, when implemented, provides pathways for successfully protecting people, information and assets and outlines the Government’s expectations for managing:
- Information security
The PSR is designed to better help agencies manage business risks and assure continuity of service delivery.
The Protective Security Requirements are designed to help government departments assess the risks that might confront their organisation’s people, information and assets. It enables departments to implement a security approach that reflects their individual risk environments and business needs. The requirements will evolve as new threats emerge and to keep pace with changing technology.
Who does it apply to?
Cabinet has directed all public service departments and the New Zealand Defence Force, New Zealand Police, New Zealand Security Intelligence Service and Parliamentary Counsel Office to implement the Protective Security Requirements.
Crown entities, while not currently required to implement the PSR, are encouraged to have an awareness of the Requirements as a future roll-out to Crown Entities and Independent Crown Entities is anticipated. Also, those Crown Entities and Independent Crown Entities that currently liaise with public service departments, the New Zealand Defence Force, New Zealand Police, New Zealand Security Intelligence Service or Parliamentary Counsel Office, should ensure that they meet the standards required by the PSR in order to provide assurance that their own security policies, plans and protocols enable continued liaison and cooperation.
What does it involve?
The PSR is described as a 3-legged stool with each component essential to the structure.
There are 10 mandatory requirements relating to security governance that agencies must follow. They include:
- Establishing a structure for governing security within their agency
- Adopting a risk management approach
- Developing a set of protective security policies, plans and protocols to meet their specific business needs
- Having an annual review and assurance system in place
- Providing staff, including contractors, with information and security awareness training
- Establishing procedures for reporting and investigating security incidents and taking corrective action
- Ensuring contracted providers comply with the PSR and any agency-specific protective security protocols
- Establishing a Business Continuity Management (BCM) programme
PERSONNEL SECURITY (PERSEC)
Personnel security focuses on assessing the trustworthiness, integrity and reliability of staff and contractors. It involves:
- Identifying suitable staff
- Educating staff on their responsibilities
- Evaluating their continuing suitability
(There are seven mandatory requirements in respect of access to official information and resources, and management of the security clearance process)
INFORMATION SECURITY (INFOSEC)
Information security focuses on procedural measures designed to mitigate risks associated with producing, handling and protecting information and assets. It involves:
- Information security through policy and an agency security plan
- Establishing a framework to manage information security within an agency
- Policies and protocols relating to protective marking of information assets
- Documenting and implementing procedures and measures for managing information, ICT systems and network tasks
- Having formal processes to approve ICT systems to operate in accordance with the NZISM
PHYSICAL SECURITY (PHYSEC)
Physical security focuses on the provision and maintenance of a safe and secure environment. It involves the protection of agency employees and visitors, as well as the physical measures designed to prevent unauthorised access to official resources and to detect and respond to security incidents. It involves:
- Providing clear direction on physical security through development of policy and an agency security plan
- Having in place policies and protocols for all aspects of physical security
- Integrating physical security into the process of planning, selecting, designing and modifying agency facilities
- Ensuring any proposed physical security measure or activity follows the relevant health and safety requirements
- Showing a duty of care for the physical safety of the public interacting with the New Zealand government
- Implementing a level of physical security measures that minimises or removes the risk of information assets being made inoperable, inaccessible or improperly accessed or used
- Developing plans and protocols to move up to heightened security levels in cases of emergency and increased threat
What does it mean for current contractors and service providers to government agencies?
Private contractors and service providers employed by government agencies have responsibilities under the PSR. They include:
- Being aware of the PSR and the security policies and procedures that apply to your employer agency
- Understanding the impact of an employer agency’s security policies and procedures on the services provided (e.g. information management, information and communications technology, facilities design and management, personnel recruitment, general security services)
- Developing a positive working relationship with your employer agency to promote open communication and add value to the security environment through the prompt identification and resolution of issues
- Depending on the role, you may also need to gain and maintain a national security clearance (sponsored by your employer agency) and clearly understand your security obligations and responsibilities as a clearance holder
What does it mean for private sector companies wanting to do business with government agencies?
Being able to demonstrate an awareness of the PSR, and having systems and processes that support a risk-based approach to managing personnel security, information security and physical security, will be an advantage to any company seeking to do business with a government agency.
Requests for Proposals (RFP) and Requests for Tender (RFT) from government agencies can now specify a requirement for a service provider or contractor to be able to meet their obligations under the PSR.
Knowing whether your product, personnel or systems are PSR compliant and able to satisfy the security requirements demanded of government agencies and their service providers is essential in today’s security environment.
What are the benefits to our own business?
Okay, so you are not a service provider or contractor to a government agency, and don’t plan to be – why should the PSR matter to your business or organisation? Simple – this is a comprehensive yet scalable framework which can sit over any organisation, large or small.
In a diverse and complex threat landscape, it is important that businesses and organisations have systems in place to reduce their vulnerabilities. Threats may include violence against staff, criminal damage to property, significant fraud and theft of information. Under health and safety laws, employers have greater responsibility and liability in respect of the health and safety of their staff. Ensuring a business or organisation has a set of protective security policies, plans and protocols to meet its specific business needs greatly contributes to meeting these requirements.
How Omega Investigations can help
In Australia, they have a Protective Security Training College (PSTC) within the Attorney General’s Department offering security practitioners courses and certification in the Protective Security Framework (the Australian equivalent of New Zealand’s PSR). At present in New Zealand there is no certification for persons trained in the PSR and courses run by the New Zealand Security Intelligence Service (NZSIS) are only offered to security practitioner staff of government agencies.
As well as being a company that is vastly experienced in carrying out risk assessments for organisations and businesses, Omega Investigations has the added advantage of a staff member having attended the NZSIS Chief Security Officer (CSO) training for the PSR.
Lisa Grace, our Manager of Intelligence, Risk and Security, attended the course in Wellington in 2015 and received instruction from some of the best in the field of risk and security, who are the foremost specialists in the PSR.
Having worked in intelligence roles within government for a number of years, Lisa understands the importance of robust systems and processes when it comes to security. Developing and implementing a security plan, policies and procedures is crucial to the protection of people, information and assets. Staff training is also vital in creating or improving a security awareness culture within an organisation.
We are happy to sit down and discuss your requirements whether you need end-to-end assessment, review, systems creation and implementation or just a consultation on existing security plans and processes.
We’re here to help ensure your business and business opportunities are protected.