Protective Security Requirements framework

How the Protective Security Requirements support organisations to implement protective security measures


Diagram showing the four tiers of the protective security framework


New Zealand's policy framework for protective security is hierarchical, with four tiers. Together the four tiers support government and private sector organisations to implement protective security measures.


Tier 1
Strategic security directive

The strategic security directive is the New Zealand Government's overarching security policy statement. It’s the keystone of the PSR.

The directive articulates the government's requirement for protective security: that it enables organisations to work together securely in an environment of trust and confidence.


Tier 2
Mandatory requirements

Tier 2 contains the mandatory requirements that government organisations must implement to ensure a consistent and controlled security environment throughout the public sector. Once implemented, this tier enables government organisations to have more confidence in information-sharing practices and collaborative working arrangements.

The mandatory requirements cover four key areas – security governance (GOV), personnel security (PERSEC), information security (INFOSEC), and physical security (PHYSEC). All organisations that adopt the PSR should comply with these requirements.

GOV 1 – Establish and maintain the right governance

GOV 2 – Take a risk-based approach

GOV 3 – Prepare for business continuity

GOV 4 – Build security awareness

GOV 5 – Manage risks when working with others

GOV 6 – Manage security incidents

GOV 7 – Be able to respond to increased threat levels

GOV 8 – Assess your capability

PERSEC 1 – Recruit the right person

PERSEC 2 – Ensure their ongoing suitability

PERSEC 3 – Manage their departure

PERSEC 4 – Manage national security clearances

INFOSEC 1 – Understand what you need to protect

INFOSEC 2 – Design your information security

INFOSEC 3 – Validate your security measures

INFOSEC 4 – Keep your security up to date

PHYSEC 1 – Understand what you need to protect

PHYSEC 2 – Design your physical security

PHYSEC 3 – Validate your security measures

PHYSEC 4 – Keep your security up to date


Tier 3
Protocols and best-practice guidance

Tier 3 provides detailed management protocols and guidance to support your organisation to implement the mandatory requirements and establish best-practice security measures.

Key best-practice documents include:

  • management protocols for conducting protective security activities to meet the mandatory requirements
  • guidance for improving your security practices
  • references to additional protective security and risk management resources and standards.

These documents standardise protective security practices across government to:

  • enable information sharing
  • support inter-organisation business
  • help meet international obligations.

The New Zealand Government will continue to develop and refine protective security policy that promotes the most effective and efficient ways to securely deliver government business.


Security governance (GOV)

Good security governance is about conforming and performing.

‘Conforming’ means your organisation meets the PSR’s mandatory requirements.

‘Performing’ means your organisation uses security measures to:

  • contribute to your overall performance through the secure delivery of goods, services or programmes
  • ensure the confidentiality, integrity and availability of your people, information and assets.

Applying governance principles

The PSR is based on the principles of public sector governance, including:

  • accountability – being answerable for decisions and having meaningful mechanisms in place to ensure your organisation adheres to all applicable protective security requirements
  • transparency and openness – having clear roles and responsibilities for protective security functions, and clear procedures for making decisions and exercising authority
  • efficiency – ensuring the best use of limited resources to further the aims of the organisation, with a commitment to risk-based strategies for improvement
  • leadership – achieving an organisation-wide commitment to good protective security performance through top-down leadership.


Personnel security (PERSEC)

The people your organisation employs must be suitable for having access to official information and assets. They must meet standards for integrity, honesty, and tolerance.

When necessary, your people must get a security clearance at the appropriate level.

Your organisation is responsible for managing your people throughout the employment lifecycle to prevent accidental or intentional security breaches.


Information security (INFOSEC)

The mandatory requirements for information security are based on the following elements:

  • confidentiality – ensuring information is accessible only to those authorised to have access
  • integrity – safeguarding the accuracy and completeness of information and processing methods
  • availability – ensuring authorised users have access to information and associated assets when required.

Your organisation must also apply safeguards so that:

  • information is protectively marked and labelled as required
  • information in ICT systems is properly managed and protected through all phases of a system's life cycle.


Physical security (PHYSEC)

Your organisation must provide and maintain:

  • a safe working environment for your people, contractors, clients, and the public
  • a secure physical environment.


Tier 4
Your organisation’s policies, plans, and procedures

Your organisation must develop security policies, plans, and procedures that meet your business needs.

Your policies and procedures should:

  • complement and support other operational procedures in your organisation
  • include any risks your organisation creates that may affect other organisations
  • consider any risks inherited from business partners
  • be at a standard that is equal to or higher than the PSR (not lower).