Personnel security (PERSEC)

Protect government held resources by ensuring access to information and assets is only given to suitable people


To protect government-held resources, your organisation must ensure that access to information and assets is only given to suitable people.

Your personnel security measures should start at the pre-employment stage and continue throughout the personnel lifecycle.


Taking a risk-based approach

Employ a risk-based approach to personnel security to reduce the risks of government resources being lost, damaged, or compromised.

A risk-based approach helps you make good security decisions, reduces unnecessary costs, and minimises disruption to your people and operations.

Use risk assessments to help you:

  • identify the risks associated with each role
  • adopt the right security measures for each stage of the personnel lifecycle.

Support your personnel security measures with effective line management, the correct application of the ‘need-to-know’ principle, access controls, and information security measures.

PERSEC1

Recruit the right person

Ensure that all people working for your organisation (employees, contractors, and temporary staff) who access New Zealand Government information and assets:

  • have had their identity established
  • have the right to work in New Zealand
  • are suitable for having access
  • agree to comply with government policies, standards, protocols, and requirements that safeguard people, information, and assets from harm.

Personnel security helps your organisation to gauge the honesty, trustworthiness, and loyalty of people who might access government resources.

All people employed by the New Zealand Government may be subject to security vetting.

Your organisation should:

  • carry out the right pre-employment checks
  • set the right expectations about security during induction.

PERSEC2

Ensure their ongoing suitability

Ensure the ongoing suitability of all people working for your organisation. This responsibility includes addressing any concerns that may affect the person’s suitability for continued access to government information and assets.

Changes in personal circumstances, role requirements, or your organisation’s risk profile can happen at any stage in the personnel lifecycle.

Implement the following processes to ensure your people remain suitable for being employed and having access to your information and assets:

  • Report and respond to security incidents – Establish incident reporting and response procedures so that security incidents are reported promptly and handled consistently. Aim to contain the effects, manage the consequences, and recover quickly.
  • Carry out extra checks when security risks increase – Require people to report significant changes in their personal circumstances and to report suspicious activity, and reassess a person's suitability when such reports are received. Report suspected criminal behaviour to the police.
  • Manage national security clearances – Provide security education and briefings, report changes in clearance holders' personal circumstances, and manage access and changes to clearance levels. Review clearances when required.
  • Make security everyone’s responsibility – Raise awareness of your security practices and processes. Make it easy for your people to report suspicious behaviour.
  • Manage role changes – Before moving people into roles with higher risks, carry out the checks that role would require at the pre-employment stage, rather than relying on the checks done when the person was first recruited.

PERSEC3

Manage their departure

Manage people’s departure to limit any risk to people, information and assets arising from people leaving your organisation. This responsibility includes ensuring that any access rights, security passes, and assets are returned, and that people understand their ongoing obligations.

When a person leaves your organisation, they retain their knowledge of your business operations, intellectual property, official information, and security vulnerabilities. Managing their departure will reduce the risk of this knowledge being misused.


Remove access and collect assets

Before a person leaves:

  • remove their access to electronic resources, physical resources, and physical sites, which means disabling accounts and revoking credentials, not only retrieving the devices that hold them
  • collect all identification cards and access passes, including any tokens, keys, or devices that allow them remote access to your information management systems
  • make sure all assets are returned (take particular care with your intellectual property and official information).


Protect your organisation and others

To learn from the departure process and manage risks, you should also:

  • conduct exit interviews
  • assess and manage any risks you identify (for example, when someone leaves feeling unhappy)
  • use a deed of confidentiality if the risk is high
  • provide honest and accurate references.

PERSEC4

Manage national security clearances

Ensure people have the appropriate level of national security clearance before they are granted access to CONFIDENTIAL, SECRET and TOP SECRET information, assets or work locations.

Manage the ongoing suitability of all national security clearance holders to hold a clearance and notify NZSIS of any changes regarding their clearance.

The process of gaining a national security clearance ensures your people can be trusted to safeguard classified information, assets, or work locations. Once cleared, your organisation is responsible for managing their ongoing suitability to hold a clearance.


Get a recommendation from the NZSIS first

Before your organisation grants a national security clearance, you must receive a security vetting recommendation from the NZSIS.

The NZSIS is responsible for the security vetting process and for making recommendations on security trustworthiness.

The security vetting process is intrusive. However, the NZSIS must conduct the process with care and sensitivity, and in line with government policy.

All vetting decisions are based on an assessment of the whole person, and the principles of natural justice and procedural fairness are followed throughout the process.

Even when your people have clearances, only grant access to protectively-marked resources when there is a legitimate need — do not give access based on convenience or someone’s role in your organisation.


Know and meet your responsibilities for national security clearances

The following responsibilities are mandatory if you manage national security clearance holders. Your organisation must:

  • identify, record, and review positions that require access to CONFIDENTIAL, SECRET, and TOP SECRET information, assets, or work locations
  • check that the person has the right level of clearance before you grant them access
  • ensure the ongoing suitability of all clearance holders to continue to hold a national security clearance.

Your organisation must also notify the NZSIS of any:

  • decision to grant or decline a national security clearance
  • decision resulting in a change to a national security clearance
  • concerns that may affect the suitability of a person to obtain or maintain the appropriate level of clearance
  • clearance holder who leaves your organisation or ends a contract with you.