Governance

ABOUT002

Mandatory requirements

The 20 mandatory requirements that mandated government agencies must follow and other organisations should consider as best practice.

Governance mandatory requirements

GOV1 - Establish and maintain the right governance

Establish and maintain a governance structure that ensures the successful leadership and oversight of protective security risk. Appoint members of the senior team as:

  • Chief Security Officer (CSO), responsible for your organisation’s overall protective security policy and oversight of protective security practices.
  • Chief Information Security Officer (CISO), responsible for your organisation’s information security.

GOV2 - Take a risk-based approach

Adopt a risk management approach that covers every area of protective security across your organisation, in accordance with the New Zealand standard ISO 31000:2018 Risk Management – Guidelines. Develop and maintain security policies and plans that meet your organisation’s specific business needs. Make sure you address security requirements in all areas: governance, information, personnel, and physical.

GOV3 - Prepare for business continuity

Maintain a business continuity management programme, so that your organisation’s critical functions can continue to the fullest extent possible during a disruption. Ensure you plan for continuity of the resources that support your critical functions.

GOV4 - Build security awareness

Provide regular information, security awareness training, and support for everyone in your organisation, so they can meet the Protective Security Requirements and uphold your organisation’s security policies.

GOV5 - Manage risks when working with others

Identify and manage the risks to your people, information, and assets before you begin working with others who may become part of your supply chain.

GOV6 - Manage security incidents

Make sure every security incident is identified, reported, responded to, investigated, and recovered from as quickly as possible. Ensure any appropriate corrective action is taken.

GOV7 - Be able to respond to increased threat levels

Develop plans and be prepared to implement heightened security levels in emergencies or situations where there is an increased threat to your people, information, or assets.

GOV8 - Assess your capability

Use an annual evidence-based assessment process to provide assurance that your organisation’s security capability is fit-for-purpose. Provide an assurance report to Government through the Protective Security Requirements team if requested. Review your policies and plans every 2 years, or sooner if changes in the threat or operating environment make it necessary.


Personnel security mandatory requirements

Government organisations must comply with the four mandatory personnel security requirements. Businesses should consider adopting these requirements as part of good practice.

PERSEC1 - Recruit the right person

Ensure that all people working for your organisation (employees, contractors, and temporary staff) who access New Zealand Government information and assets:

  • have had their identity established
  • have the right to work in New Zealand
  • are suitable for having access
  • agree to comply with government policies, standards, protocols, and requirements that safeguard people, information, and assets from harm.

PERSEC2 - Ensure their ongoing suitability

Ensure the ongoing suitability of all people working for your organisation. This responsibility includes addressing any concerns that may affect the person’s suitability for continued access to government information and assets.

PERSEC3 - Manage their departure

Manage people’s departure to limit any risk to people, information and assets arising from people leaving your organisation. This responsibility includes ensuring that any access rights, security passes, and assets are returned, and that people understand their ongoing obligations.

PERSEC4 - Manage national security clearances

Ensure people have the appropriate level of national security clearance before they are granted access to CONFIDENTIAL, SECRET and TOP SECRET information, assets or work locations. Manage the ongoing suitability of all national security clearance holders to hold a clearance and notify NZSIS of any changes regarding their clearance.


Information security mandatory requirements

INFOSEC1 - Understand what you need to protect

Identify the information and ICT systems that your organisation manages. Assess the security risks (threats and vulnerabilities) and the business impact of any security breaches.

INFOSEC2 - Design your information security

Consider information security early in the process of planning, selection, and design. Design security measures that address the risks your organisation faces and are consistent with your risk appetite. Your security measures must be in line with:

  • the New Zealand Government Security Classification System
  • the New Zealand Information Security Manual
  • any privacy, legal, and regulatory obligations that you operate under.

Adopt an information security management framework that is appropriate to your risks.

INFOSEC3 - Validate your security measures

Confirm that your information security measures have been correctly implemented and are fit for purpose. Complete the certification and accreditation process to ensure your ICT systems have approval to operate.

INFOSEC4 - Keep your security up to date

Ensure that your information security remains fit for purpose by:

  • monitoring for security events and responding to them
  • keeping up to date with evolving threats and vulnerabilities
  • maintaining appropriate access to your information.

Physical security mandatory requirements

PHYSEC1 - Understand what you need to protect

Identify the people, information, and assets that your organisation needs to protect, and where they are. Assess the security risks (threats and vulnerabilities) and the business impact of loss or harm to people, information, or assets. Use your understanding to:

  • protect your people from threats of violence, and support them if they experience a harmful event
  • protect members of the public who interact with your organisation
  • put physical security measures in place to minimise or remove risks to your information assets.

PHYSEC2 - Design your physical security

Consider physical security early in the process of planning, selecting, designing, and modifying facilities. Design security measures that address the risks your organisation faces and are consistent with your risk appetite. Your security measures must be in line with relevant health and safety obligations.

PHYSEC3 - Validate your security measures

Confirm that your physical security measures have been correctly implemented and are fit for purpose. Complete the certification and accreditation process to ensure that security zones have approval to operate.

PHYSEC4 - Keep your security up to date

Ensure that you keep up to date with evolving threats and vulnerabilities, and respond appropriately. Ensure that your physical security measures are maintained effectively so they remain fit for purpose.


Page last modified: 4/05/2022