Building security awareness

Build security awareness with everyone in your organisation, so they’re aware of your security risks and follow your security processes.

GOV008

Providing security awareness training is part of meeting the Protective Security Requirements (PSR). It helps your organisation to create a strong security culture that protects your people, information, and assets.

Work out your organisation’s training requirements

If you’re responsible for security training or advice, use a consistent and structured approach to work out your organisation’s training requirements.

Design your security awareness training to:

  • address the risks your organisation identifies during its risk review
  • ensure your organisation’s security policies and processes are followed
  • promote personal responsibility for effective security by all staff and contractors, regardless of role or level of access.

Get the scope right

Facilities and places to include

Your training needs to cover security measures in:

  • your facilities
  • other facilities that handle your information and assets
  • places where your employees or contractors are working.

Security measures to cover

Your training should cover policies and processes for:

  • maintaining personal safety
  • protecting assets
  • protecting official information
  • reporting (security incidents, changes of personal circumstances, and any mandatory or legislative reporting requirements)
  • attending security briefings (when required).

People to involve

Provide security awareness training or briefings to the following people:

  • all employees, secondees, and contractors based in your facilities
  • all employees, secondees, contractors, and other people who have access to your official information
  • all holders of a New Zealand Government security clearance.

Set training goals

Everyone in your organisation needs to understand your security rules, and any specific responsibilities that apply to their roles or work areas.

Aim to give your people the knowledge they need to perform their security duties effectively. They need to understand the threats your security measures are designed to counter, so they can help maintain security.

Ensure you provide quality training

Your training programmes should use a mixture of delivery methods and follow the principles of adult education.

When appropriate, use a security training provider approved by the New Zealand Qualifications Authority (NZQA).

Implement your security awareness training

Security awareness training should be an ongoing, regular part of your organisation’s operations.

Make security training part of induction

Start security awareness training as soon as new people join your organisation — make it a part of your organisation’s induction programme.

Provide refresher training regularly

Hold regular refresher sessions to remind your people about security measures and let them know about any new measures.

Provide targeted training when the threat environment changes

When your organisation’s threat environment changes or there’s an increased risk of a security breach, provide targeted security awareness training.

Provide training for people in emergency, safety, or security roles

You must keep your people and visitors as safe as possible. Design extra training for people with emergency, safety, or security roles, so they can help to keep everyone safe in times of danger or threat. Carry out exercises to help them practise their skills and confirm their ongoing competency.

Communicate effectively to enhance your security culture

To support your security awareness training and culture, you need to keep communicating about your security measures. Some ways to keep security awareness high include:

  • using security campaigns to address ongoing security needs or specific needs to do with sensitive areas, activities, or periods of time
  • promoting security processes and tips through publications, electronic bulletins, and visual displays such as posters
  • carrying out security drills and exercises
  • including security questions in job interviews
  • including security attitudes and performance in your performance management programme.

Develop an employee safety handbook

Create an employee safety handbook and make it readily available to everyone in your organisation.

Your handbook should include:

  • emergency response guidelines and contacts
  • safety requirements and procedures
  • safety measures for areas of heightened risk, such as public areas.

The standard relevant to these safety requirements is AS/NZS 4804:2001 - Occupational Health and Safety Management System.

Give advice about how to protect assets

Make sure everyone knows how to keep your organisation’s assets secure. Before you allow access to assets, give training about:

  • using access control systems and other measures to protect assets
  • meeting legal requirements to protect assets
  • reporting lost, damaged, or stolen assets
  • auditing and stocktaking requirements for assets.

Provide training for protecting official information

Everyone in your organisation needs to understand what harm could be caused if your official information is lost, damaged, or compromised. They must also be aware of how your valuable resources might be vulnerable to compromise or misuse.

Provide training about protective marking and handling requirements, such as:

  • protective markings for information and communications technology (ICT)
  • special arrangements for producing documents that are protectively marked above the ICT systems’ capability
  • audit and accountability requirements for material marked as needing high protection.

Train your people to report security concerns

Create an internal process for reporting security concerns and then train everyone to report any security risks they encounter. For example, encourage your people to report:

  • suspicious behaviour
  • threatening behaviour communicated through letters, bomb threats, and phone calls
  • lost, stolen, or broken ICT and security equipment
  • security infringements and breaches
  • full secure waste bins
  • lost identity or credit cards
  • lost protectively-marked or official material
  • serious wrongdoing (within your organisation or another).

Your reporting requirements should also include any protected disclosure (‘whistleblowing’) provisions. You also need to comply with the Protected Disclosures Act 2000.

Reporting resources

Your organisation should have templates for reporting security concerns.

Provide additional security briefings when necessary

In some circumstances, you’ll need to provide security briefings that go beyond your regular training and awareness activities. Examples include briefings (and debriefings) for:

  • overseas and New Zealand travel (for official business or personal purposes)
  • access to TOP SECRET material
  • access to protectively-marked information or resources that have an endorsement, are compartmented or have codeword protection
  • high-risk destinations
  • specific categories of employment, for example, the unique security issues for IT staff, scientists, and others
  • contractors, temporary employees, visitors, and families
  • an individual’s security needs, as part of a continuing management plan.