Governance

GOV005

Protective security roles and responsibilities

Guidelines for planning and assigning responsibilities for protective security.


Introduction


Purpose

Use this guidance when planning and assigning responsibilities for protective security. 

It includes information about roles in your organisation and across government, as well as security policy.


Who this information is for

This information is primarily for Chief Executives, Chief Security Officers, and Security practitioners. It is also a useful reference for contractors that offer protective security advice.


Legislative requirements

Where legislative requirements are higher than controls identified in these requirements the legislative controls take precedence and should be applied.

Security policy at your organisation


Why security policy matters

The appropriate application of protective security measures by government agencies ensures the operational environment necessary for the confident and secure conduct of government business. 

Managing security risks proportionately and effectively enables government agencies to protect people, information and assets.


Overall responsibility for protective security

The Government is responsible for the protective security of New Zealand. Agency heads are responsible for securing the operation of their agencies.

Agency heads are responsible for the protection of agency functions, official resources, employees (including contractors) and visitors.

An agency head may, in writing, delegate to another person any of the powers or functions prescribed in the PSR but retains overall accountability for agency security.


Protective security principles

Each agency head is responsible for establishing and maintaining an appropriate environment to:

  • safeguard people and clients from foreseeable risks
  • facilitate the appropriate sharing of official information for government to conduct business effectively
  • limit the potential for compromise of the confidentiality, integrity and availability of its official information and assets, recognising risks such as those associated with information aggregation
  • protect official assets from loss or misuse
  • support the continued delivery of the agency’s essential business regardless of disruptions caused by all types of hazards.

Agency heads must understand, prioritise and manage security risks to prevent harm to official resources and disruption to business objectives. Effective protective security and business continuity management underpin organisational resilience.

Agencies must ensure security is part of their organisational culture, practices and operational plans.  

Agency heads are responsible for implementing and managing effective security policy within their agencies.

They must create and maintain appropriate security environments to adequately protect personnel, official information,  protectively marked equipment and other assets.

The level of protection must correspond to the assessed level of risk.

Protective security usually incorporates the following measures:

  • personnel security
  • physical security
  • information security, including Information and Communications Technology (ICT) security.

The PSR provides mandatory controls, compliance requirements and advice on best practice.

An appropriate security environment requires a systematic and coordinated approach.

Government agencies responsible for providing security advice may produce their own specific documentation (tier four guidance) to supplement the PSR.

An agency must first identify and assess its risk environment, then develop a security plan. To be effective, planning for the management of security risks should become an integral part of an agency’s culture.

Security should be integrated into the agency’s philosophy, practices and plans. It should be treated as a business enabler rather than a separate activity. All managers should be encouraged to recognise risk management and good security practices are a fundamental part of management.

While each agency’s security plan will relate directly to its culture, environment, geographic location, functions and corporate structure, all government agencies must demonstrate a commitment to the Government’s security policy, principles and minimum standards.


Security policy document

The agency head must approve, promulgate and implement a security policy that sets out management's approach and commitment to security.

The policy's security framework should:

  • be based on robust risk analysis
  • support agency operations and business continuity
  • be practical and useable while providing adequate security
  • be cost effective.

The agency’s security policy must include:

  • guidance on security roles and responsibilities
  • clear definitions of security processes
  • where necessary, more detailed guidance for individual sites, systems or services
  • clear definitions of responsibility for the handling of protectively marked material, whether in electronic or hard copy form
  • an ongoing programme of user awareness and education.


Review and evaluation

The policy review process should be triggered by any changes affecting the basis of the original security risk assessment.

For example, after:

  • significant security incidents
  • the introduction of new vulnerabilities
  • changes to the agency’s functions, structure or technical infrastructure.

Schedule periodic reviews of:

  • the policy’s effectiveness, gauged by the nature, number and impact of recorded security incidents
  • the cost and impact of security controls
  • effects on the policy of changes to technology
  • level of user compliance.

Roles and responsibilities in your organisation


Your responsibilities

Agency security arrangements must be designed to ensure the PSR’s requirements are translated into effective and uniform agency-specific practices throughout the agency. 

Agency heads are responsible and accountable for all aspects and elements of security within their agency. 

The Government requires agency heads have in place effective protective security programmes that ensure:

  • their agency’s capacity to function
  • the public can have confidence in government
  • official resources and information the government holds on trust, both from and for the public, and those
  • provided in confidence by other countries, are safeguarded
  • the safety of people employed to carry out the functions of government and those who are clients of government.

Each agency must have a security structure with clear allocation of responsibility for all aspects of security. 


Chief Security Officer

Overall responsibility for security must be assigned to a senior person designated as the CSO who is answerable to, and must have free access to, the agency head on security-related matters.

For most agencies the CSO role will be a part time addition to an existing senior role rather than a full time position.

The CSO’s responsibilities include:

  • oversight of agency protective security
  • circulating and implementing protective security policy
  • providing guidance to the agency head on security matters
  • managing and reporting security incidents
  • implementing a security awareness programme
  • liaison with security agencies in relation to protective security requirements.

Where the size of an agency allows, the CSO should not hold operational responsibilities for corporate services such as ICT, human resource or finance, ensuring the CSO can provide independent advice and assurance within the agency.

It may be necessary to create a specialist protective security unit and/or appoint specialist security personnel reporting to and/or supporting the CSO depending on an agency's size, risk profile and the amount of protectively marked material held and equipment operated by the agency.

Security personnel and/or the protective security unit should work in close association with other business units to ensure that security requirements are managed appropriately.

Security personnel other than the CSO should be designated as a security manager or officer with the specialist role descriptor if this is deemed necessary, for example, Information Technology Security Manager.

In all cases, there must be a clear allocation of responsibilities for security.


Security Committees

In larger agencies it may be necessary to convene a cross-functional group of management representatives to coordinate security controls. This group should be designated the Security Reference Group (SRG). Alternatively the SRG’s role may be filled by an existing Risk and Audit Committee or equivalent.

The CSO and/or SRG should:

  • agree on specific roles and responsibilities for security across the organisation
  • ensure protective security is integrated into the agency’s risk management, audit and assurance processes
  • agree on the methodologies and specific processes for security, such as risk assessment procedures and
  • systems for protectively marking information and assets
  • assess and coordinate the implementation of specific security controls for new systems or services
  • review security incidents and recommend appropriate process improvements
  • support organisation-wide security initiatives such as awareness programmes
  • ensure the availability of internal support is well advertised.


Roles and responsibilities across government


Your responsibilities

Each government agency is responsible for developing and implementing its protective security arrangements in accordance with the PSR. 

The success of this system depends on:

  • effective security arrangements within each agency
  • interagency agreements on security policy and common minimum standards
  • access by agencies to security intelligence records and specialist advice on specific security issues.

To help agencies meet this responsibility, a number of security agencies and committees decide security policy, provide advice and offer guidance. 


Committees responsible for protective security

The following committees have protective security responsibilities:

  • Security and Intelligence Board (SIB)
  • Government Communications Security Committee (GCSC). 

For more information, refer to DPMC - New Zealand's National security system


Security and Intelligence Board (SIB)

The purpose of the Security and Intelligence Board (SIB) is to build a high performing, cohesive and effective security and intelligence sector through appropriate governance, alignment and prioritisation of investment, policy and activity. It focuses on external threats and intelligence issues.

SIB is chaired by the Deputy Chief Executive Security and Intelligence of the Department of the Prime Minister and Cabinet. SIB membership includes the Chief Executives of the Department of the Prime Minister and Cabinet, the Government Communications Security Bureau, the Ministry of Foreign Affairs and Trade, the Ministry of Defence, New Zealand Customs, New Zealand Defence Force, New Zealand Police, and the New Zealand Security Intelligence Service. Other Chief Executives or officials may be invited by the Chair to attend SIB meetings if required.

The SIB's terms of reference are detailed in SIB Terms of Reference


Government Communications Security Committee (GCSC)

The GCSC is responsible for formulating and reviewing New Zealand’s Communications Security doctrine and standards. 

The core committee membership of the GCSC comes from the GCSB, MFAT, NZDF and NZSIS. Additional representatives may be co-opted from other government departments as necessary. 

The GCSC's terms of reference are detailed in GCSC Terms of Reference.


Agencies providing intelligence, technical standards and protective security advice

The following agencies provide specialist advice on intelligence, technical standards and/or protective security.


New Zealand Security Intelligence Service

The NZSIS establishes personnel and physical security standards as authorised by the Intelligence and Security Act 2017. 

The NZSIS collects, analyses and advises on matters relating to espionage, foreign interference, politically motivated violence, communal violence, sabotage, attacks on New Zealand's defence system and serious threats to New Zealand's border integrity. 

The NZSIS informs the government about matters of concern exposed by intelligence-gathering operations. 

On the request of government agencies, NZSIS vets personnel requiring national security clearances for access to protectively marked material.


Government Communications Security Bureau (GCSB)

The GCSB is the national authority for information systems security. In a government context this is the protection of official information against unauthorised disclosure, manipulation, destruction or alteration. It embraces communications, technical and computer security.

GCSB continually monitors the threat environment and conducts research into the security impact of emerging trends.  

GCSB's responsibilities include:

  • circulating national information security policy and standards for government
  • advising government agencies on applying national information security policies and standards
  • providing an information security inspection service for government
  • providing an information security education and training programme for government personnel.


Ministry of Foreign Affairs and Trade (MFAT)

MFAT is responsible for protecting and promoting New Zealand's interests overseas. 

MFAT is the government's lead source of advice on foreign and trade policy, and diplomatic and consular issues. 

Internationally, MFAT works to ensure that New Zealand's security and economic interests are advanced and protected and that the rights and safety of New Zealanders abroad are protected.


New Zealand Police

The New Zealand Police has functions in keeping the peace, maintaining public safety, law enforcement, crime prevention, community support and reassurance, national security, emergency management and participation in policing activities outside New Zealand.


Office of the Privacy Commissioner

The Office of the Privacy Commissioner works to develop and promote a culture in which personal information is protected and respected. 

The Privacy Commissioner monitors and advises on how personal information can be collected, used, stored and disclosed and the freedom of information. 


Office of the Auditor-General (OAG)

The Auditor-General is responsible for audit and assurance work to improve the performance of, and the public's trust in, the public sector.


Ministry of Justice

The Ministry of Justice exists to create a fairer and safer New Zealand, administers legislation and contributes to a more credible and effective justice system.


Government Chief Digital Officer (GCDO)

As functional leader for government ICT, the GCDO (previously called the Government Chief Information Officer GCIO) is responsible for ICT-enabled transformation across government agencies to deliver better services to citizens.


New Zealand Security Association Inc. (NZSA)

The NZSA is an independent organisation established to promote a professional security industry.

NZSA:

  • sets minimum standards for its members published in its Codes of Practice (also available to non-members)
  • develops security education and training programmes
  • fosters contact with similar international agencies.


American Society of Industrial Security (NZ) Inc. (ASIS)

ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programmes and materials that address broad security interests as well as specific security topics.

ASIS also advocates the role and value of the security management profession to business, the media, government entities and the public.

Page last modified: 31/10/2018