About the PSR
The framework for the PSR
New Zealand's policy framework for protective security has four tiers and a hierarchical structure.
The four tiers support government and private sector organisations to implement protective security measures.
Protective Security Requirements framework
Tier 1 — Strategic security directive
The strategic security directive is the New Zealand Government's overarching security policy statement. It’s the keystone of the PSR.
The directive articulates the government's requirement for protective security: that it enables organisations to work together securely in an environment of trust and confidence.
Tier 2 — Core policies and mandatory requirements
Tier 2 contains the core security policies and mandatory requirements that government organisations must implement to ensure a consistent and controlled security environment throughout the public sector.
Once implemented, this tier enables government organisations to have more confidence in information-sharing practices and collaborative working arrangements.
The mandatory requirements span security governance, personnel security, information security, and physical security.
Tier 3 — Protocols and best-practice guidance
Tier 3 provides detailed management protocols and guidance to support your organisation to implement mandatory requirements and establish best-practice security measures.
Key best-practice documents include:
- management protocols for conducting protective security activities to meet the mandatory requirements
- guidance for improving your security practices
- references to additional protective security and risk management resources and standards.
These documents standardise protective security practices across government to:
- enable information sharing
- support inter-organisation business
- help meet international obligations.
The New Zealand Government will continue to develop and refine protective security policy that promotes the most effective and efficient ways to securely deliver government business.
The policies and their related protocols and requirements cover four areas: security governance, personnel security, information security, and physical security.
Security governance
Good security governance is about conforming and performing.
‘Conforming’ means your organisation meets the PSR’s mandatory requirements.
‘Performing’ means your organisation uses security measures to:
- contribute to your overall performance through the secure delivery of goods, services or programmes
- ensure the confidentiality, integrity and availability of your people, information and assets.
Applying governance principles
The PSR is based on the principles of public sector governance, including:
- accountability — being answerable for decisions and having meaningful mechanisms in place to ensure your organisation adheres to all applicable protective security requirements
- transparency and openness — having clear roles and responsibilities for protective security functions, and clear procedures for making decisions and exercising authority
- efficiency — ensuring the best use of limited resources to further the aims of the organisation, with a commitment to risk-based strategies for improvement
- leadership — achieving an organisation-wide commitment to good protective security performance through top-down leadership.
Personnel security
The people your organisation employs must be suitable for having access to official information and assets. They must meet standards for integrity, honesty, and tolerance.
When necessary, your people must get a security clearance at the appropriate level.
Your organisation is responsible for managing your people throughout the employment lifecycle to prevent accidental or intentional security breaches.
Information security
The mandatory requirements for information security are based on the following elements:
- confidentiality — ensuring information is accessible only to those authorised to have access
- integrity — safeguarding the accuracy and completeness of information and processing methods
- availability — ensuring authorised users have access to information and associated assets when required.
Your organisation must also apply safeguards so that:
- information is protectively marked and labelled as required
- information in ICT systems is properly managed and protected through all phases of a system's life cycle.
Physical security
Your organisation must provide and maintain:
- a safe working environment for your people, contractors, clients, and the public
- a secure physical environment.
Tier 4 — Your organisation’s policies, plans, and procedures
Your organisation must develop security policies, plans, and procedures that meet your business needs.
Your policies and procedures should:
- complement and support other operational procedures in your organisation
- include any risks your organisation creates that may affect other organisations
- consider any risks inherited from business partners
- be at a standard that is equal to or higher than the PSR (not lower).
Page last modified: 5/08/2019