Security governance (GOV)

Ensure effective oversight and management of all protective security areas


Managing security risks proportionately and effectively enables organisations to protect people, information and assets. To successfully manage security risks organisations must ensure security is part of their organisational culture, practices and operational plans.

The PSR contains eight governance requirements which work together to ensure effective oversight and management of all security areas.

GOV1

Establish and maintain the right governance

Establish and maintain a governance structure that ensures the successful leadership and oversight of protective security risk. Appoint members of the senior team as:

  • Chief Security Officer (CSO), responsible for your organisation’s overall protective security policy and oversight of protective security practices.
  • Chief Information Security Officer (CISO), responsible for your organisation’s information security.

To implement protective security requirements, your organisation must clearly:

  • identify your security governance structure
  • define who is responsible for security governance.

Develop a governance structure that enables you to effectively identify and manage security risks.

Your organisation head is responsible for reviewing and endorsing your proposed security risk management structures, assurance mechanisms, and resource allocations.

GOV2

Take a risk-based approach

Adopt a risk management approach that covers every area of protective security across your organisation, in accordance with the New Zealand standard ISO 31000:2018 Risk Management – Guidelines.

Develop and maintain security policies and plans that meet your organisation’s specific business needs. Make sure you address security requirements in all areas: governance, information, personnel, and physical.

The right risk-management approach will vary from organisation to organisation, but your process should be transparent and justifiable. Risk avoidance is not risk management.

Your organisation’s process for managing security risks should aim to:

  • identify risks specific to your people, information, and assets
  • assess the likelihood and impact of risks occurring
  • assess risks against vulnerabilities and the adequacy of existing safeguards
  • specify your level of risk tolerance
  • determine which protective measures are likely to reduce or eliminate risks
  • identify and accept responsibility for residual risks
  • implement security measures to reduce risks to acceptable levels.


Communicate about risk management to raise awareness

Common messages for managing security risks well are:

  • everyone who works for your organisation is responsible for managing security risks (including contractors)
  • risk management, including security risk management, is part of day-to-day business
  • the process for managing security risks is logical, systematic, and part of your organisation's standard management processes
  • your organisation’s threat environment should be continuously monitored, and security measures adjusted when necessary, to maintain an acceptable level of risk and a good balance between operational needs and security.


Develop effective policies and plans

Your policies and plans for protective security should:

  • detail the objectives, scope, and approach to managing your security issues and risks
  • be endorsed by your organisation’s head
  • identify security roles and responsibilities
  • be reviewed when there are changes to your business or changes to your security risks
  • be consistent with your security risk assessment findings
  • explain the consequences for breaching policies or circumventing protective security measures
  • be communicated regularly.

GOV3

Prepare for business continuity

Maintain a business continuity management programme, so that your organisation’s critical functions can continue to the fullest extent possible during a disruption. Ensure you plan for continuity of the resources that support your critical functions.

Critical services and associated assets need to remain available to assure the health, safety, security and economic wellbeing of New Zealanders, and the effective functioning of government.

A business continuity management (BCM) programme should be part of your organisation's overall approach to effective risk management.

BCM planning sets out the processes you should follow in the event of a disruption to business. A key risk for organisations is being unable to remain operational in the event of a crisis or other disruption.


Set up a robust programme

Carry out the following activities to ensure your BCM programme is effective.

  • In your governance arrangements, establish who oversees and takes responsibility for your BCM programme, and for developing and approving business continuity plans.
  • As part of your asset identification process, carry out impact analyses to identify and prioritise your organisation's critical services, assets, and information. Include any information exchanges with other organisations and external parties.
  • Develop plans, security measures, and arrangements to ensure your critical services and assets continue to be available. Include any other service or asset when warranted by a threat or risk assessment.
  • Monitor your organisation's overall level of preparedness for a disruptive event.
  • Ensure you continuously review, test and audit your business continuity plans.

GOV4

Build security awareness

Provide regular information, security awareness training, and support for everyone in your organisation, so they can meet the Protective Security Requirements and uphold your organisation’s security policies.

To successfully deliver the PSR, everyone who works for your organisation needs to know and follow your security policies and processes.

Educate everyone about your security requirements

To improve awareness of and compliance with your security measures, your organisation should:

  • ensure people who have specific security duties receive appropriate and up-to-date training
  • communicate your security policies to everyone who works for you, including contractors
  • make sure your security policies are easy to understand and access
  • run an ongoing security awareness programme to regularly remind people of security responsibilities, issues, and concerns
  • brief national security clearance holders on the conditions attached to their clearance level when they gain or renew a clearance, and when required in the clearance renewal cycle.


Uphold legislation for protecting official information

Provide everyone who works for you with guidance on the relevant sections of legislation covering the unauthorised disclosure of official information, including the:

The combined effect of the Crimes Act 1961 and the Summary Offences Act 1981 is that the unauthorised disclosure of information held by the New Zealand Government is subject to the sanction of criminal law. Your people need to be aware of whether and how such legislation applies to their role.

GOV5

Manage risks when working with others

Identify and manage the risks to your people, information, and assets before you begin working with others who may become part of your supply chain.

The PSR applies as much to service providers and outsourced services as it does to your internal operations.

When you outsource services or functions, your organisation should:

  • apply personnel security procedures to private sector organisations and individuals who have access to New Zealand Government assets
  • ensure government assets, including ICT systems, are safeguarded by specifying security requirements in contract terms and conditions and by visiting providers to assess compliance.

GOV6

Manage security incidents

Make sure every security incident is identified, reported, responded to, investigated, and recovered from as quickly as possible. Ensure any appropriate corrective action is taken.

The purpose of a security investigation is to establish the cause and extent of an incident that has, or could have, compromised your organisation or the New Zealand Government.

The process of investigating and reporting security incidents also helps you to understand your vulnerabilities and reduce the risk of future incidents.


Be fair and just when you investigate

A security investigation should protect both the interests of the New Zealand Government and the rights of affected individuals.

Your organisation must apply the principles of natural justice and procedural fairness to all security investigations.

Your procedures should give due regard to ensuring the integrity of any other current or future investigation, whether conducted by your organisation or by another organisation.


Report serious security incidents to the right authorities

If an incident is potentially serious, you must consult with the:

  • New Zealand Police
  • New Zealand Security Intelligence Service (NZSIS)
  • Government Communications Security Bureau (GCSB) or the Government Chief Digital Officer (GCDO), or both.

GOV7

Be able to respond to increased threat levels

Develop plans and be prepared to implement heightened security levels in emergencies or situations where there is an increased threat to your people, information, or assets.

Your organisation must be ready to respond to emergency and increased threat situations.

Your plans for moving up to heightened security levels should integrate and coordinate with your other emergency prevention and response plans, for example plans for responding to a fire, bomb threat, hazardous chemical spill, power failure, evacuation, or civil defence emergency.

GOV8

Assess your capability

Use an annual evidence-based assessment process to provide assurance that your organisation’s security capability is fit for purpose. Provide an assurance report to Government through the Protective Security Requirements team if requested.

Review your policies and plans every 2 years, or sooner if changes in the threat or operating environment make it necessary.

An annual self-assessment helps your organisation to know if your security measures are right, and to improve security if you need to.

The assessment and reporting process aims to help your organisation check how well you’re ensuring that:

  • your people are safe
  • your essential resources are retaining their confidentiality, integrity, and availability.

The process comprises internal self-assessment and reporting, and in some cases external reporting to lead security organisations.