Self-assessment and reporting

Information and tools to help your organisation assess and report on your protective security capability maturity

The annual Protective Security Requirements (PSR) capability self-assessment round is now open.

Based on agency feedback, we have made some additional minor improvements to the current self-assessment reporting for 2023/24.

Minor updates have been made to the PSR self-assessment report template, including in response to agency feedback. These updates are summarised in the template itself, and in the accompanying information sheet.


Capability maturity model

SAR002

The capability maturity model (CMM) helps your organisation assess its current capability across a number of protective security dimensions, identify the capability levels that are appropriate to the security risks it faces, and identify some of the ways in which that capability could be lifted.

The Protective Security Compliance Guide provides a simple checklist to help your organisation's security leaders review its security capability. It is based on the mandatory requirements of the Protective Security Requirements and on best practice.


Assurance reporting

SAR003

Guidelines that explain the annual self-assessment and assurance reporting process.

Purpose

Use this guidance to achieve a consistent approach to assessing protective security capability and compliance in organisations. This is to help organisations:

  • identify areas of focus and address these through mitigation and education actions
  • evaluate the effectiveness of their protective security practices
  • improve their protective security policies and procedures.

Who this information is for

This information is primarily for Chief Executives, Chief Security Officers (CSOs), Chief Information Security Officers (CISOs) and other agency security management personnel. It's also a useful reference for contracted protective security management service providers.

Legislative requirements

Where legislative requirements are higher than controls identified in these requirements, legislative requirements take precedence and need to be applied.

Relevant standards

The standards relevant to these requirements are:

Benefits of reporting

SAR004

Compliance with the mandatory requirements will assist agencies to attain effective and appropriate protective security management in line with the New Zealand government's expectations.

Compliance with the PSR provides benefits to government, portfolios and agencies.

Benefits to the New Zealand government include:

  • providing a mechanism to assure the government that sound and responsible protective security occurs across government
  • enabling the identification of any serious or systemic protective security issues across government, which can then be addressed through policy changes and education programmes
  • enabling the government to identify and implement better practice protective security
  • enabling, where appropriate, the communication to ministers of significant compliance issues within their portfolios
  • promoting intra-portfolio cooperation between agencies to address portfolio-wide issues.

The information provided will be used to inform whole-of-government protective security status reporting.

Benefits to your organisation include:

  • the ability to identify areas of low protective security capability and address any issues on a timely basis
  • the ability to capture knowledge gained by one agency and share it with all relevant agencies, improving the efficiency and effectiveness of protective security practices
  • assurance about the security of information and asset sharing arrangements.

Accountabilities and responsibilities

SAR005

Agencies

  • are accountable for meeting their protective security obligations and assessing the extent to which they comply with the PSR
  • must assign responsibilities for managing protective security within their organisation to appropriately trained and competent employees
  • must provide employees, including contractors, with the necessary information and assistance to promote compliance and advise of any consequences of non-compliance
  • upon request, must report on their level of protective security capability and significant or systemic protective security issues, including any corrective actions to mitigate the issues
  • must document policy exceptions to provide a record they can use to assess their compliance with the mandatory requirements of the PSR
  • should, where necessary, strengthen existing protective security practices and mechanisms based on their risk assessments.

Employees

Employees should:

  • as a condition of accepting employment within an organisation agree to comply with protective security policies of that organisation
  • be aware of the consequences of failure to comply with organisation policies and the PSR mandatory requirements.

Agency heads

Agency heads should be responsible for:

  • ensuring their agency complies with the PSR and has an appropriate level of protective security capability
  • reporting on the effectiveness of the agency's protective security policies and procedures in complying with the mandatory requirements.

Employees responsible for protective security management

Employees who are responsible for protective security management, including CSOs and CISOs, should:

  • effectively manage their agency's security, including applying appropriate protective security measures based on their risk profile
  • liaise with relevant security, governance and compliance personnel, in particular where there is a centralised approach to compliance management
  • assist with the organisation and coordination of risk assessments, internal audits, and compliance reviews
  • advise on the compliance requirements relevant to their agency
  • record and manage exceptions
  • identify and arrange for the provision of appropriate training needed to improve or ensure appropriate protective security capability
  • prepare an agency compliance exception report against the mandatory requirements of the PSR, or provide input to the report where the assurance and compliance reporting role is undertaken elsewhere within the agency.

Reporting protective security capability and compliance

SAR007

Certain organisations must report, externally and in writing, on their protective security capability and compliance with the mandatory requirements of the PSR.

External reporting will confirm that:

  • they have undertaken an assessment against the mandatory requirements
  • compliance for each mandatory requirement is being effectively managed
  • any unacceptable risk relating to these mandatory requirements has been treated appropriately
  • they have a plan in place to reach and maintain the appropriate level of protective security capability based on their risk profile
  • their compliance obligations have been met.

The written report from the agency head must:

  • contain a declaration of compliance with the mandatory requirements
  • where not compliant, state any areas of non-compliance, identifying:
    • details on measures taken to mitigate identified risks
    • areas of non-compliance requiring further action
    • any proposed future measures to address non-compliance
    • any residual risks.

Agencies should also advise any non-compliance with specific PSR mandatory requirements to the relevant agencies listed below.

  • The Director-General, Government Communications Security Bureau (GCSB), for matters relating to CONFIDENTIAL and above material and the New Zealand Government Information Security Manual.
  • The Government Chief Information Officer (GCIO) for matters relating to Information and Communications Technology (ICT) risk.
  • The Director-General of Security, New Zealand Security Intelligence Service (NZSIS), for matters relating to national security.
  • The heads of any agencies whose people, information or assets may be affected by the agency's capability and/or non-compliance, if not already advised when the non-compliance was first identified.

Agencies should advise the GCSB, NZSIS or affected agencies, as applicable, at the time of any incident.

Also refer to Reporting incidents and conducting security investigations.