Planning and assigning responsibilities for protective security

Guidelines for planning and assigning responsibilities for protective security

GOV005

Introduction

Purpose

Use this guidance when planning and assigning responsibilities for protective security. It includes information about roles in your organisation and across government, as well as security policy.

Who this information is for

This information is primarily for Chief Executives, Chief Security Officers, and Security practitioners. It is also a useful reference for contractors that offer protective security advice.

Legislative requirements

Where legislative requirements are higher than controls identified in the Protective Security Requirements, the legislative requirements take precedence and should be applied.

Security policy at your organisation 

Why security policy matters 

The appropriate application of protective security measures by government agencies ensures the operational environment necessary for the confident and secure conduct of government business.  

Managing security risks proportionately and effectively enables government agencies to protect people, information and assets. 

Overall responsibility for protective security 

The Government is responsible for the protective security of New Zealand. Agency heads are responsible for securing the operation of their agencies. 

Agency heads are responsible for the protection of agency functions, official resources, employees (including contractors) and visitors. 

An agency head may, in writing, delegate to another person any of the powers or functions prescribed in the PSR but retains overall accountability for agency security. 

Protective security principles 

Each agency head is responsible for establishing and maintaining an appropriate environment to: 

  • safeguard people and clients from foreseeable risks 
  • facilitate the appropriate sharing of official information for government to conduct business effectively 
  • limit the potential for compromise of the confidentiality, integrity and availability of its official information and assets, recognising risks such as those associated with information aggregation 
  • protect official assets from loss or misuse 
  • support the continued delivery of the agency’s essential business regardless of disruptions caused by all types of hazards. 

Agency heads must understand, prioritise and manage security risks to prevent harm to official resources and disruption to business objectives. Effective protective security and business continuity management underpin organisational resilience. 

Agencies must ensure security is part of their organisational culture, practices and operational plans.   

Agency heads are responsible for implementing and managing effective security policy within their agencies. 

They must create and maintain appropriate security environments to adequately protect personnel, official information, protectively marked equipment and other assets. 

The level of protection must correspond to the assessed level of risk. 

Protective security usually incorporates the following measures: 

  • personnel security 
  • physical security 
  • information security, including Information and Communications Technology (ICT) security. 

The PSR provides mandatory controls, compliance requirements and advice on best practice. 

An appropriate security environment requires a systematic and coordinated approach. 

Government agencies responsible for providing security advice may produce their own specific documentation (tier four guidance) to supplement the PSR. 

An agency must first identify and assess its risk environment, then develop a security plan. To be effective, planning for the management of security risks should become an integral part of an agency’s culture. 

Security should be integrated into the agency’s philosophy, practices and plans. It should be treated as a business enabler rather than a separate activity. All managers should be encouraged to recognise that risk management and good security practices are a fundamental part of management. 

While each agency’s security plan will relate directly to its culture, environment, geographic location, functions and corporate structure, all government agencies must demonstrate a commitment to the Government’s security policy, principles and minimum standards. 

Security policy document 

The agency head must approve, promulgate and implement a security policy that sets out management's approach and commitment to security. 

The policy's security framework should: 

  • be based on robust risk analysis 
  • support agency operations and business continuity 
  • be practical and useable while providing adequate security 
  • be cost effective. 

The agency’s security policy must include: 

  • guidance on security roles and responsibilities 
  • clear definitions of security processes 
  • where necessary, more detailed guidance for individual sites, systems or services 
  • clear definitions of responsibility for the handling of protectively marked material, whether in electronic or hard copy form 
  • an ongoing programme of user awareness and education. 

Review and evaluation 

The policy review process should be triggered by any changes affecting the basis of the original security risk assessment. 

For example, after: 

  • significant security incidents 
  • the introduction of new vulnerabilities 
  • changes to the agency’s functions, structure or technical infrastructure. 

Schedule periodic reviews of: 

  • the policy’s effectiveness, gauged by the nature, number and impact of recorded security incidents 
  • the cost and impact of security controls 
  • effects on the policy of changes to technology 
  • level of user compliance. 

Roles and responsibilities in your organisation 

Your responsibilities 

Each agency should have a clear security approach with clear allocation of responsibility for all aspects of security. 

Agency heads are responsible and accountable for all aspects and elements of security within their agency.  

The Government requires agency heads to have in place effective protective security programmes that ensure: 

  • their agency’s capacity to function 
  • the public can have confidence in government 
  • official resources and information the government holds on trust, both from and for the public, and those provided in confidence by other countries, are safeguarded 
  • the safety of people employed to carry out the functions of government and those who are clients of government. 

Each agency must have a security structure with clear allocation of responsibility for all aspects of security.  

Chief Security Officer 

Overall responsibility for security must be assigned to a senior person designated as the CSO who is answerable to, and must have free access to, the agency head on security-related matters. 

For most agencies the CSO role will be a part-time addition to an existing senior role rather than a full-time position. 

The CSO’s responsibilities include: 

  • oversight of agency protective security 
  • circulating and implementing protective security policy 
  • providing guidance to the agency head on security matters 
  • managing and reporting security incidents 
  • implementing a security awareness programme 
  • liaison with security agencies in relation to protective security requirements. 

Where the size of an agency allows, the CSO should not hold operational responsibilities for corporate services such as ICT, human resources or finance, so that the CSO can provide independent advice and assurance within the agency. 

Depending on an agency's size, risk profile and the amount of protectively marked material it holds and equipment it operates, it may be necessary to create a specialist protective security unit and/or appoint specialist security personnel reporting to and/or supporting the CSO. 

Security personnel and/or the protective security unit should work in close association with other business units to ensure that security requirements are managed appropriately. 

Security personnel other than the CSO should be designated as a security manager or officer, with a specialist role descriptor where this is deemed necessary (for example, Information Technology Security Manager). 

In all cases, there must be a clear allocation of responsibilities for security. 

Security Committees 

In larger agencies it may be necessary to convene a cross-functional group of management representatives to coordinate security controls. This group should be designated the Security Reference Group (SRG). Alternatively the SRG’s role may be filled by an existing Risk and Audit Committee or equivalent. 

The CSO and/or SRG should: 

  • agree on specific roles and responsibilities for security across the organisation 
  • ensure protective security is integrated into the agency’s risk management, audit and assurance processes 
  • agree on the methodologies and specific processes for security, such as risk assessment procedures and systems for protectively marking information and assets 
  • assess and coordinate the implementation of specific security controls for new systems or services 
  • review security incidents and recommend appropriate process improvements 
  • support organisation-wide security initiatives such as awareness programmes 
  • ensure the availability of internal support is well advertised. 

Roles and responsibilities across government 

Your responsibilities 

Each government agency is responsible for developing and implementing its protective security arrangements in accordance with the PSR.  

The success of this system depends on: 

  • effective security arrangements within each agency 
  • interagency agreements on security policy and common minimum standards 
  • access by agencies to security intelligence records and specialist advice on specific security issues. 

To help agencies meet this responsibility, a number of security agencies and committees decide security policy, provide advice and offer guidance.  

Committees responsible for protective security 

The following committees have protective security responsibilities: 

  • Security and Intelligence Board (SIB) 
  • Government Communications Security Committee (GCSC).  

For more information, refer to DPMC - New Zealand's National security system. 

Agencies providing intelligence, technical standards and protective security advice 

The following agencies provide specialist advice on intelligence, technical standards and/or protective security. 

New Zealand Security Intelligence Service 

The NZSIS establishes personnel and physical security standards as authorised by the Intelligence and Security Act 2017. 

The NZSIS collects, analyses and advises on matters relating to espionage, foreign interference, politically motivated violence, communal violence, sabotage, attacks on New Zealand's defence system and serious threats to New Zealand's border integrity. 

The NZSIS informs the government about matters of concern exposed by intelligence-gathering operations. 

On the request of government agencies, NZSIS vets personnel requiring national security clearances for access to protectively marked material. 

Government Communications Security Bureau (GCSB) 

The GCSB is the national authority for information systems security. In a government context this is the protection of official information against unauthorised disclosure, manipulation, destruction or alteration. It embraces communications, technical and computer security. 

GCSB continually monitors the threat environment and conducts research into the security impact of emerging trends.   

GCSB's responsibilities include: 

  • circulating national information security policy and standards for government 
  • advising government agencies on applying national information security policies and standards 
  • providing an information security inspection service for government 
  • providing an information security education and training programme for government personnel. 

Ministry of Foreign Affairs and Trade (MFAT) 

MFAT is responsible for protecting and promoting New Zealand's interests overseas.  

MFAT is the government's lead source of advice on foreign and trade policy, and diplomatic and consular issues.  

Internationally, MFAT works to ensure that New Zealand's security and economic interests are advanced and protected and that the rights and safety of New Zealanders abroad are protected. 

New Zealand Police 

The New Zealand Police has functions in keeping the peace, maintaining public safety, law enforcement, crime prevention, community support and reassurance, national security, emergency management and participation in policing activities outside New Zealand. 

Office of the Privacy Commissioner 

The Office of the Privacy Commissioner works to develop and promote a culture in which personal information is protected and respected.  

The Privacy Commissioner monitors and advises on how personal information can be collected, used, stored and disclosed, and on freedom of information. 

Office of the Auditor-General (OAG) 

The Auditor-General is responsible for audit and assurance work to improve the performance of, and the public's trust in, the public sector. 

Ministry of Justice 

The Ministry of Justice exists to create a fairer and safer New Zealand, administers legislation and contributes to a more credible and effective justice system. 

Government Chief Digital Officer (GCDO) 

As functional leader for government ICT, the GCDO (previously called the Government Chief Information Officer, GCIO) is responsible for ICT-enabled transformation across government agencies to deliver better services to citizens. 

New Zealand Security Association Inc. (NZSA) 

The NZSA is an independent organisation established to promote a professional security industry. The NZSA: 

  • sets minimum standards for its members published in its Codes of Practice (also available to non-members) 
  • develops security education and training programmes 
  • fosters contact with similar international agencies. 

American Society of Industrial Security (NZ) Inc. (ASIS) 

ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programmes and materials that address broad security interests as well as specific security topics. 

ASIS also advocates the role and value of the security management profession to business, the media, government entities and the public. 


Roles and responsibilities for information security

GOV055 

Agency heads, chief information security officers (CISOs), information technology security managers (ITSMs), system owners, and system users all play a part in ensuring that information security is robust. This section outlines and describes the responsibilities for people in these roles. 

When you see the word ‘should’, it means the task or activity is best practice. When you see the word ‘must’, it means the task or activity is mandatory. Information security is stronger when you combine best practice and mandatory tasks and activities. 

Overall responsibility lies with the agency head

GOV056 

If you’re an agency head, you’re accountable for information security within your agency. You are also the accreditation authority for your organisation. 

Note: The person responsible for an organisation may have a different title. For example, chief executive officer (CEO), director-general, director, or similar. 

Delegate accreditation authority carefully 

When you choose to delegate your accreditation authority, you should carefully consider all the associated risks, as you remain responsible for the decisions your delegate makes. 

Your delegate should be a senior executive and hold specialised knowledge in information security and security risk management, preferably your chief information security officer (CISO). 

If your delegate is not the CISO, they must at least be a member of the senior executive team or in an equivalent management position. 

If you delegate authority to a board, committee, or panel, the requirements of this section apply to the chair or head of that body. 

When your organisation is small, and duties can’t be fully separated 

If you can’t satisfy all separation of duty requirements because of the size of your organisation, you should ensure that potential conflicts of interest are clearly identified, declared, and actively managed. 

Support information security throughout your organisation 

Without your full support, your people might not have access to enough resources and authority to successfully implement information security within your organisation. 

If an incident, breach, or disclosure of official or classified information occurs in preventable circumstances, you will ultimately be held accountable. 

You must provide support for developing, implementing, and maintaining information security processes within your organisation. 

The CISO leads and oversees information security

GOV057 

The CISO’s role is based on good practice in the security industry and in governance. The role ensures that information security is managed at the senior executive level. Without a CISO, your organisation is unlikely to be able to effectively manage information security. 

The CISO’s high-level responsibilities 

Your CISO, if you have one, has the following high-level responsibilities.  

Ensuring the flow of communication supports security objectives 

Your CISO facilitates communication between security, ICT, and business personnel to ensure your organisation's security objectives are aligned. 

This communication responsibility includes: 

  • interpreting information security concepts and language into business concepts and language 
  • ensuring that business teams consult with information security teams to determine appropriate security measures when planning new business projects. 

Providing strategic guidance 

Your CISO provides strategic guidance on information security. They’re responsible for: 

  • developing your organisation's information security programme at the strategic level 
  • overall management of information security within your organisation. 

Ensuring your organisation complies with requirements 

Your CISO ensures that your organisation complies with: 

  • national policy, standards, regulations, and legislation for information security 
  • internal policies and standards for information security. 

Making sure training is implemented 

Your CISO makes sure that an information security awareness and training programme is developed and maintained. 

Leading information security personnel 

Your CISO oversees the management of information security personnel within your organisation. 

Advising and coordinating 

Your CISO is best placed to: 

  • advise ICT project leaders on the strategic direction of information security within your organisation 
  • provide a recommendation to the accreditation authority on whether to accept residual risks associated with the operation of your organisation’s systems 
  • coordinate the use of external information security resources to ensure that a consistent approach is applied across your organisation. 

Your organisation’s responsibilities with the CISO role 

Control your information security budget to ensure that your CISO has enough funding to support information security projects and initiatives. 

Do not expect your CISO to necessarily be a technical expert on information security matters. Rather, expect they will use their knowledge of national and international standards and good practice to communicate with technical experts in your organisation. 

Appointing a CISO 

Your organisation should appoint a CISO or assign the role to someone who already works for your organisation. 

The person you appoint to the CISO role should: 

  • be a member of your senior executive team or an equivalent management position (you don’t need to create a new dedicated position) 
  • be qualified and experienced enough to bring accountability and credibility to information security management 
  • report directly to the agency head on matters of information security within the organisation. 

Before your CISO begins their role, your organisation must: 

  • clear them for access to all classified information processed in your organisation’s systems 
  • be able to brief them on any compartmented information in your organisation’s systems. 

Managing conflicts of interest 

If your CISO holds another role, such as also being your chief information officer (CIO) or a manager of a business unit, conflicts of interest might arise when operational imperatives conflict with security requirements. Good practice separates these roles. 

When your CISO holds multiple roles, you should: 

  • clearly identify potential conflicts of interest 
  • implement a mechanism to allow independent decision making in areas where conflict may occur. 

If your organisation outsources the CISO function, you should identify and carefully manage conflicts of interest, availability, and response times, so that your organisation is not disadvantaged. Be alert to possible conflicts of interest when the CISO deals with other vendors. 

Your responsibilities as a CISO 

If you’re a CISO, you should take responsibility for the following tasks. 

Develop and maintain your organisation’s information security programme 

  • Develop and maintain a comprehensive and strategic information security and security risk management programme aimed at protecting your organisation’s official and classified information. 
  • Lead the development of a communications plan for information security. 
  • Create and facilitate your organisation’s information security risk management process. 

Ensure compliance with policies and standards 

  • Ensure your organisation complies with its information security policies and standards. 
  • Ensure your organisation complies with the New Zealand Information Security Manual (NZISM) by facilitating a continuous programme of certification and accreditation based on security risk management. 
  • Ensure information security metrics and key performance indicators are implemented. 

Coordinate and align security with business objectives 

  • Facilitate information security and business alignment, and communication about these matters through a steering committee or advisory board which meets formally and regularly, and comprises key business and ICT executives. 
  • Coordinate business and information security teams working on information security and security risk management projects. 
  • Work with business teams to facilitate security risk analysis and management processes. 
  • Ensure methods for identifying acceptable levels of risk are consistent across your organisation. 

Work with ICT project leaders and managers 

  • Provide strategic guidance on your agency’s ICT projects and operations. 
  • Liaise with architecture teams to ensure security and organisation architectures are aligned. 

Work with vendors 

  • Coordinate your organisation’s use of external information security resources, including contracting and managing the resources. 

Control budgeting 

  • Control the information security budget. 

Coordinate disaster recovery 

  • Coordinate the development of disaster recovery policies and standards so that your organisation’s critical functions are supported, and information security is maintained in the event of a disaster. 

Oversee training 

  • Oversee the development and operation of your organisation’s information security awareness and training programmes. 

Provide security advice 

  • Provide authoritative security advice and be familiar with national and international standards and good practice. 

ITSMs implement security measures and provide expertise

GOV058 

ITSMs are executives within an organisation. They’re conduits between the strategic directions provided by the CISO and the technical efforts of systems administrators. While a CISO sets the strategic direction for information security, ITSMs manage the implementation of information security measures.  

ITSMs are generally considered the information security experts within their organisations. 

Core aspects of the ITSM’s role 

ITSMs are responsible for administrative and process controls relating to information security. Core aspects of their work include: 

  • improving the information security of systems 
  • providing input to ICT projects 
  • assisting other security personnel within their organisation 
  • contributing to information security training 
  • responding to information security incidents.  

ITSMs can also provide advice for committees, such as information security steering committees, change management committees, or inter-agency committees. 

As ITSMs have knowledge of all aspects of information security, they’re best placed to work with ICT project teams to identify and incorporate appropriate information security measures. 

To ensure your CISO remains aware of all information security issues, and can brief their agency head when necessary, ITSMs need to provide regular reports on: 

  • policy developments 
  • proposed system changes and enhancements 
  • information security incidents 
  • any areas of concern. 

While your CISO oversees the development and operation of information security awareness and training programmes, your ITSMs arrange delivery of that training. 

Your organisation’s responsibilities with the ITSM role 

Your organisation must appoint at least one ITSM. If your organisation is spread across several sites in different locations, you should appoint an ITSM at each major site. 

Appointing and clearing ITSMs 

Any ITSMs you appoint should: 

  • have enough experience, authority, and training to fulfil the role in an organisation of your size or in their area of responsibility within your organisation 
  • be independent of any company that provides ICT services (to avoid conflicts of interest). 

ITSMs must: 

  • be cleared for access to all classified information processed in your organisation’s systems 
  • hold a national security clearance that allows them to be briefed on any compartmented information in your organisation’s systems. 

ITSMs should not have additional responsibilities beyond those needed to fulfil their role. 

Your responsibilities as an ITSM 

As an ITSM, you must: 

  • assist system owners to obtain and maintain accreditation 
  • ensure security risk management plans (SRMPs), system security plans (SecPlans), and any standard operating procedures (SOPs) for your organisation’s systems are developed, maintained, updated, and implemented. 

Working with the CISO 

You should work with your CISO to: 

  • develop an information security programme 
  • develop information security budget projections and resource allocations based on short- and long-term goals 
  • undertake and manage projects to address identified security risks. 

Working with ICT projects and systems 

You should work with ICT project leaders and team members to: 

  • identify systems that require information security measures and help with selecting the right measures 
  • ensure that information security is included when IT equipment and software is evaluated, selected, installed, configured, and operated. 

You should work with enterprise architecture teams to: 

  • ensure security risk assessments are incorporated into system architectures 
  • identify, evaluate, and select information security solutions that will meet your organisation’s security objectives. 

You should also work with ICT system owners, certifiers, and accreditors to: 

  • work out which information security policies will best protect the systems 
  • ensure consistency with Protective Security Requirements, particularly the relevant NZISM components. 

As an ITSM, you should: 

  • be included in your organisation’s change management and control processes to ensure that risks are properly identified, and controls are properly applied to manage those risks 
  • notify the accreditation authority of any significant change to a system that may affect that system’s accreditation. 

Working with vendors 

You should liaise with vendors and with purchasing and legal people in your organisation to establish mutually acceptable information security contracts and service-level agreements. 

Implementing security 

To implement security measures, you should: 

  • conduct security risk assessments on any implementation plans for new or updated IT equipment or software, and develop risk mitigation strategies if necessary 
  • ensure information security policies are robust by selecting and coordinating the implementation of controls that support and enforce them 
  • lead and direct the integration of information security strategies and architecture with business and ICT strategies and architecture 
  • provide technical and managerial expertise for the administration of information security management tools. 

Reporting and auditing 

You should: 

  • coordinate, measure, and report on technical aspects of information security management 
  • monitor and report on your organisation’s compliance with, and enforcement of, information security policies 
  • report regularly on information security incidents and other areas of concern to your CISO 
  • assess and report on threats, vulnerabilities, and residual security risks 
  • recommend remedial actions to reduce risks 
  • assist system owners and security personnel to understand and respond to audit failures reported by auditors. 

Assisting with disaster recovery 

You should assist the team responsible for disaster recovery planning with: 

  • selecting recovery strategies 
  • developing, testing, and maintaining disaster recovery plans. 

Training 

You should: 

  • provide or arrange information security awareness and training for everyone in your organisation 
  • develop technical information materials and workshops on information security trends, threats, good practices, and control mechanisms as appropriate. 

Providing up-to-date security knowledge 

As an ITSM, you should: 

  • maintain an up-to-date security knowledge base comprising a technical reference library, security advisories and alerts, information on security trends and practices, relevant laws and regulations, and standards and guidelines 
  • provide expert guidance on security matters for ICT projects 
  • provide technical advice for your information security steering committee, change management committee, and any other committees as required 
  • maintain an up-to-date and accurate understanding of the threat environment relating to systems and pass this information to system owners so it’s considered during accreditation activities 
  • keep the CISO and system owners informed with up-to-date information on current threats. 

System owners maintain and operate systems

GOV059 

All systems must have an owner.  

All system owners need to ensure IT governance processes are followed and that business requirements are met.  

System owners for large or critical systems should be part of your organisation’s senior executive team or hold an equivalent management position. 

Your responsibilities as a system owner 

As a system owner, you’re responsible for the overall operation and maintenance of a system, including any related support service or outsourced service, such as a cloud service. 

You may delegate the day-to-day management and operation of the system to a system manager or managers. 

Operating the system and maintaining accreditation 

You must ensure the system you own is accredited to meet your organisation’s operational requirements. You are responsible for obtaining and maintaining accreditation. 

If the system is modified, you need to ensure: 

  • the changes are done properly and documented 
  • that any necessary reaccreditation activities are completed. 

Developing, maintaining, and implementing documentation 

As a system owner, you must ensure that information security documentation for the system is developed, maintained, and implemented. Documentation for the system includes SRMPs, SecPlans, and SOPs. 

You should involve security personnel in the documentation process to ensure a holistic approach to information security can be mapped to your understanding of security risks for your specific system. 

You must ensure the documentation is complete, accurate, and up to date. You must also document the actions you take to develop, maintain, and implement the documentation.  

You must involve your ITSM when you redevelop or update information security documentation. 

For more information see the following chapters of the NZISM: 

System users protect systems by following policies and procedures

GOV060 

Developing and maintaining a security culture helps system users comply with security policies and procedures. System users need to be aware of the risks to any system they use and understand the part they play in reducing those risks. 

Your responsibilities as a system user 

As a system user, whatever your level of access, you must: 

  • comply with the security policies and procedures for the system 
  • ensure your account authenticators (for example, passwords and other login details) are strong enough to protect the system 
  • not share authenticators for accounts without approval 
  • take responsibility for all actions under your account 
  • only use your access to perform authorised tasks and functions. 

When you want to bypass a policy or procedure 

Security policies and procedures aim to cover all situations that may arise within an organisation. However, sometimes you may have a legitimate reason for wanting to bypass a policy or procedure. If this is the case, you must seek and get formal approval from your CISO or ITSM before you act.