Personnel security

To protect government-held resources, your organisation must ensure that access to information and assets is only given to suitable people.

Your personnel security measures should start at the pre-employment stage and continue throughout the personnel lifecycle.

Taking a risk-based approach

Employ a risk-based approach to personnel security to reduce the risks of government resources being lost, damaged, or compromised.

A risk-based approach helps you make good security decisions, reduces unnecessary costs, and minimises disruption to your people and operations.

Use risk assessments to help you:

• identify the risks associated with each role
• adopt the right security measures for each stage of the personnel lifecycle.

Support your personnel security measures with effective line management, the correct application of the ‘need-to-know’ principle, access controls, and information security measures.

For more information refer to:

• ISO 31000:2018 Risk management - Guidelines
• HB 167:2006 Security risk management

Recruiting the right person

Personnel security helps your organisation to gauge the honesty, trustworthiness, and loyalty of people who might access government resources.

All people employed by the New Zealand Government may be subject to security vetting.

Your organisation should:

• carry out the right pre-employment checks
• set the right expectations about security during induction.

More information

• Management protocol for personnel security
• Guide to personnel security for your organisation

Ensuring their ongoing suitability

Changes in personal circumstances, role requirements, or your organisation’s risk profile can happen at any stage in the personnel lifecycle.

Implement the following processes to ensure your people remain suitable for being employed and having access to your information and assets.

Report and respond to security incidents. Establish incident reporting and response procedures to help you manage security incidents. Aim to contain the effects, manage consequences, and recover quickly.

Carry out extra checks when security risks increase. Report significant changes in personal circumstances or suspicious activity. Report suspected criminal behaviour to the police.

Manage national security clearances. Provide education and briefings, report changes in personal circumstances, manage access and changes to clearance levels. Review clearances when required.

Make security everyone’s responsibility. Raise awareness of your security practices and processes. Make it easy for your people to report suspicious behaviour.

Manage role changes. Carry out the right pre-employment checks before moving people into roles with higher risks.

More information

• Management protocol for personnel security
• Personnel security lifecycle

Managing their departure

When a person leaves your organisation, they retain their knowledge of your business operations, intellectual property, official information, and security vulnerabilities. Managing their departure well will reduce the risk of this knowledge being misused.

Remove access and collect assets

Before a person leaves:

• remove their access to electronic resources, physical resources, and physical sites
• collect all identification cards and access passes, including any tools that allow them remote access to your information management systems
• make sure all assets are returned (take care with your intellectual property or official information).

Protect your organisation and others

To learn from the departure process and manage risks, you should also:

• conduct exit interviews
• assess and manage any risks you identify (for example, when someone leaves feeling unhappy)
• use a deed of confidentiality if the risk is high
• provide honest and accurate references.

More information 

• Management protocol for personnel security
• Personnel security lifecycle
• Manage their departure

Managing national security clearances

The process of gaining a national security clearance ensures your people can be trusted to safeguard classified information, assets, or work locations. Once cleared, your organisation is responsible for managing their ongoing suitability to hold a clearance.

 

Get a recommendation from the NZSIS first

Before your organisation grants a national security clearance, you must receive a security vetting recommendation from the NZSIS.

The NZSIS is responsible for the security vetting process and for making recommendations on security trustworthiness.

The security vetting process is intrusive. However, the NZSIS must conduct the process with care and sensitivity, and in line with government policy.

All vetting decisions are based on an assessment of the whole person, and the principles of natural justice and procedural fairness are followed throughout the process.

Even when your people have clearances, only grant access to protectively-marked resources when there is a legitimate need — do not give access based on convenience or someone’s role in your organisation. 

Know and meet your responsibilities for national security clearances

The following responsibilities are mandatory if you manage national security clearance holders. Your organisation must:

• identify, record, and review positions that require access to CONFIDENTIAL, SECRET, and TOP SECRET information, assets, or work locations
• check that the person has the right level of clearance before you grant them access
• ensure the ongoing suitability of all clearance holders to continue to hold a national security clearance. 

Your organisation must also notify the NZSIS of any:

• decision to grant or decline a national security clearance
• decision resulting in a change to a national security clearance
• concerns that may affect the suitability of a person to obtain or maintain the appropriate level of clearance
• clearance holder who leaves your organisation or ends a contract with you.

More information

• Guide to managing national security clearance holders

Page last modified: 12/06/2020