Reporting incidents and conducting security investigations

Understand how to report, manage, and investigate security incidents using a consistent, structured approach

GOV009

These guidelines cover how to manage security incidents as part of the New Zealand government’s protective security requirements. They describe best practice for running security investigations.

What is a security incident?

A security incident is:

  • a violation, breach or infringement of protective security policy or procedure
  • an approach from anybody seeking unauthorised access to official resources
  • an attempt to gain unauthorised access to official resources
  • any other event that harms, or may harm the security of the New Zealand government, its institutions or programmes.

Not all security incidents are significant enough to require investigation. Seek guidance from supporting agencies – the police, NZSIS, GCSB, New Zealand Defence Force, or other relevant agencies.

If foreign officials seek unauthorised access to official resources, see the separate advice in Contact Reporting.

Your organisation’s role

Your organisation must assess the harm from any security incident. Determine the impact on the New Zealand government of actual, potential, or suspected loss, compromise or disclosure.

You must:

  • identify whether the incident is minor (an infringement or breach) or major (a violation, which you must report)
  • report the incident to any other relevant agencies, like the New Zealand Security Intelligence Service (NZSIS), Government Communications Security Bureau (GCSB), CERT, Privacy Commissioner or Government Chief Digital Officer (GCDO).

What kinds of security incident must be reported?

Your people and contractors must report:

  • crimes like theft or attempted theft, burglary, damage (for example vandalism), fraud or assault
  • natural events like fire or storm damage which may compromise security
  • incorrect handling of information that is protectively marked.

Who is involved in reporting security incidents?

Your organisation must have a policy for security incident reporting. It should cover the roles and responsibilities of people who handle security incidents and run security investigations.

Chief Executives or Agency heads

Your chief executive or agency head should ensure there are:

  • processes for staff, contractors and contractors’ employees to report security incidents
  • records of the organisation’s security performance and requirements.

Senior managers

Senior managers are responsible for the procedures for security incident reporting and recording — in their areas, and for the organisation overall. The Chief Security Officer (CSO), or their delegate, should help them.

In security investigations, a senior manager who is independent of the incident should approve the terms of reference and objectives. They should also get regular reports on the investigation’s progress.

Managers

Your managers should ensure security incidents are reported to the CSO, and work closely with them on any security concerns.

If an incident involves your ICT system, you may also need to report to the Chief Information Security Officer (CISO).

Managers have an important role to play. As they work closely with staff, they could be the first to detect a security incident or notice suspicious behaviour.

Chief Security Officer (CSO)

Your CSO, or their delegate, receives and actions information about security incidents.

They should record security incidents and the outcome of investigations, and report regularly to senior management on security performance.

Chief Information Security Officer (CISO) / Information Technology Security Manager (ITSM)

Your CISO or ITSM receives and actions information about incidents involving ICT systems. These include denial of service attacks, targeted malicious email attacks, and loss of ICT assets or information.

They should report major ICT security incidents to the National Cyber Security Centre (NCSC).

They should tell your CSO about any ICT security incidents and the likely impacts. The CISO may have a role in investigating ICT security incidents.

Employees

Everyone who works for your organisation must know about and follow your processes for reporting security incidents.

Your organisation must provide security awareness training for employees, contractors, and contractors’ employees.


Processes for reporting security incidents

GOV010

Your organisation should have formal processes for responding to and reporting protective security incidents. You must make everyone aware of their responsibilities and the reporting processes.

They should be aware of the need to report anyone who seeks access to information they’re not authorised to access.

For reporting breaches of cyber security, find advice in the New Zealand Information Security Manual - Cyber Security Incidents.

Report weaknesses in security

Your people must report security weaknesses they see or suspect, and threats to processes, policies, systems, or services. They should report weaknesses as soon as possible.

Your people should never attempt to prove a suspected weakness. This is for their own protection. Testing a weakness might be seen as misusing the system.

Learn from incidents

Your organisation should have processes for monitoring and measuring the types, volumes, and costs of incidents and malfunctions. Use the information to:

  • identify recurring or high-impact problems
  • check whether you need more or better measures to limit problems
  • review the security policy.

Have a formal process

Your organisation should have a formal process for staff who breach your security policies and processes. It may be part of your process for handling misconduct.

It ensures that anyone suspected of breaching security is treated fairly.

Cover the process as part of staff inductions and in your security awareness training.

Make sure staff report security incidents

Your organisation’s security policy and processes should:

  • require that your staff and contractors report security incidents
  • include formal procedures and mechanisms to make reporting easy
  • require the CSO to keep records of incidents.

Your organisation’s security awareness training must include how to report incidents, and state that staff must report incidents.

Record security incidents

Develop methods for recording incidents that suit your organisation’s security environment and operations.

In your records of security incidents, include:

  • the time, date, and location
  • the type of official resources involved
  • a description of the incident’s circumstances
  • whether the incident was deliberate or accidental
  • an assessment of the degree of compromise or harm
  • a summary of immediate and long-term action you will take.

Recording security incidents gives valuable insights into an organisation’s security environment and performance. For instance, if you have many minor security incidents, it could show there is poor staff awareness and that you need more security awareness training.

CSOs should regularly report details of security incidents and any trends to your agency head.
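The record fields listed under "Record security incidents" and the monitoring described under "Learn from incidents" can be put together as a small incident register. The following Python is an added example, not code from the PSR or from any agency; the harm scale (0 to 4), the category field, the rule that harm of 3 or more marks a major incident, the recurrence window and the "many minor incidents" threshold are all assumptions chosen for illustration, and the sample records are constructed.

```python
"""Incident register with trend reporting (added example, not PSR code)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Assumed harm scale; the guideline asks for "an assessment of the degree of
# compromise or harm" but does not prescribe a scale.
HARM_SCALE = {0: "none", 1: "low", 2: "moderate", 3: "high", 4: "severe"}


@dataclass(frozen=True)
class IncidentRecord:
    """One register entry; fields follow the guideline's record checklist."""
    when: datetime          # time and date
    location: str
    resource_type: str      # type of official resources involved
    category: str           # hypothetical classifier used for trend analysis
    description: str        # circumstances of the incident
    deliberate: bool        # deliberate or accidental
    harm: int               # assessed degree of compromise or harm (HARM_SCALE)
    actions: str            # summary of immediate and long-term action

    def __post_init__(self) -> None:
        if self.harm not in HARM_SCALE:
            raise ValueError(f"harm must be one of {sorted(HARM_SCALE)}")

    @property
    def severity(self) -> str:
        # Assumption: harm of 3 or more is treated as a major incident
        # (a violation that must be reported); anything below is minor.
        return "major" if self.harm >= 3 else "minor"


def volume_by_category(records: Iterable[IncidentRecord]) -> Dict[str, int]:
    """Volume of incidents per category (the 'types and volumes' measure)."""
    return dict(Counter(r.category for r in records))


def recurring(records: Iterable[IncidentRecord],
              window_days: int = 90, threshold: int = 3) -> List[str]:
    """Categories that occurred at least `threshold` times within any
    `window_days` span; flags recurring problems rather than isolated ones."""
    by_cat: Dict[str, List[datetime]] = {}
    for r in records:
        by_cat.setdefault(r.category, []).append(r.when)
    window = timedelta(days=window_days)
    hits = []
    for cat, times in by_cat.items():
        times.sort()
        # Sliding window over sorted timestamps: any `threshold` consecutive
        # events that fit inside the window make the category recurring.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.append(cat)
                break
    return sorted(hits)


def high_impact(records: Iterable[IncidentRecord], min_harm: int = 3) -> List[IncidentRecord]:
    """Incidents at or above the assumed high-impact harm level."""
    return [r for r in records if r.harm >= min_harm]


def summary(records: Iterable[IncidentRecord], minor_limit: int = 5) -> dict:
    """Trend summary for reporting to the agency head. `minor_limit` is an
    assumed threshold above which many minor incidents suggest reviewing
    security awareness training, as the guideline describes."""
    recs = list(records)
    minor = [r for r in recs if r.severity == "minor"]
    return {
        "total": len(recs),
        "minor": len(minor),
        "major": len(recs) - len(minor),
        "by_category": volume_by_category(recs),
        "recurring": recurring(recs),
        "high_impact": len(high_impact(recs)),
        "review_awareness_training": len(minor) > minor_limit,
    }


def _d(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample register (fictional incidents for illustration only).
SAMPLE_REGISTER = [
    IncidentRecord(_d("2024-02-01T09:15"), "Level 3", "IN-CONFIDENCE document", "mishandling",
                   "Marked document left on a shared printer overnight", False, 1, "Retrieved; staff reminded"),
    IncidentRecord(_d("2024-02-20T17:40"), "Level 3", "IN-CONFIDENCE document", "mishandling",
                   "Marked document emailed to the wrong internal recipient", False, 1, "Recalled; deletion confirmed"),
    IncidentRecord(_d("2024-03-11T08:05"), "Level 2", "IN-CONFIDENCE document", "mishandling",
                   "Marked document found in an unlocked drawer", False, 1, "Secured; desk audit scheduled"),
    IncidentRecord(_d("2024-03-15T13:00"), "Car park", "laptop", "lost-asset",
                   "Encrypted laptop stolen from a vehicle", True, 2, "Remote wipe; police report filed"),
    IncidentRecord(_d("2024-04-02T10:30"), "Level 1", "access card", "lost-asset",
                   "Access card lost", False, 1, "Card deactivated"),
    IncidentRecord(_d("2024-04-18T11:00"), "File server", "RESTRICTED file share", "unauthorised-access",
                   "Unauthorised access to a RESTRICTED share", True, 3, "Access revoked; investigation opened"),
    IncidentRecord(_d("2024-05-03T16:20"), "Level 3", "IN-CONFIDENCE document", "mishandling",
                   "Marked document taken home without approval", True, 1, "Retrieved; manager briefed"),
]

if __name__ == "__main__":
    print(summary(SAMPLE_REGISTER))
```

On the constructed register the summary reports four mishandling incidents inside a 90-day window, so "mishandling" is flagged as recurring, and six minor incidents exceed the assumed limit of five, which is the pattern the guideline says may point to poor staff awareness.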

Develop your own processes for minor security incidents

Your organisation is unique, so you should develop your own processes for investigating minor security incidents.

Tell the NZSIS about security incidents involving holders of security clearances

You must tell the New Zealand Security Intelligence Service (NZSIS) about:

  • repeated minor security incidents
  • major security incidents that relate to a person’s suitability to hold a security clearance
  • the outcome of any security investigation that relates to a person’s suitability to hold a security clearance.

Report contact with foreign officials

Any staff who hold a security clearance must report unusual or suspicious contacts with foreign officials, or requests from foreign officials for access to your assets or protectively-marked information. More information is in Contact Reporting.

Develop formal procedures for major security incidents

Your policies and processes for dealing with major security incidents must be more formal.

When another organisation is involved

If a suspected major security incident involves resources from another organisation, seek advice from that organisation before beginning an investigation. The organisation may have operational security requirements. It may be more appropriate for the originating or responsible organisation to perform the investigation. Apply the 'need-to-know' principle.

Report major security incidents to security agencies

You must report to the right security agency any incidents of suspected:

  • espionage (NZSIS)
  • sabotage (NZSIS, NZ Police, or both)
  • acts of foreign interference (NZSIS)
  • attacks on New Zealand’s defence system (New Zealand Defence Force)
  • politically motivated violence (NZSIS, NZ Police, or both)
  • incitement to communal violence (NZSIS, NZ Police, or both)
  • serious threats to New Zealand’s border (Customs and Immigration, Ministry for Primary Industries or both).

Do an initial assessment, then contact the relevant agency or agencies as soon as possible. Only give information on a need-to-know basis until you are told otherwise. Contact your PSR engagement manager if unsure.

Report cyber security incidents to the National Cyber Security Centre

Report any suspected cyber security incidents to the National Cyber Security Centre (NCSC), including:

  • suspicious or apparently targeted emails with attachments or links
  • any compromise or corruption of information
  • hacking
  • viruses
  • disruption or damage to services or equipment
  • data spills.

Your organisation’s ICT security policies and plans should require early contact with NCSC to avoid accidentally compromising a cyber security investigation.

Report security incidents involving Cabinet material to the Cabinet Office

Report suspected security incidents involving Cabinet material to the Cabinet Office in the Department of the Prime Minister and Cabinet.

The Cabinet Manual covers the security and handling of Cabinet documents.

Report criminal incidents to law enforcement bodies

Where the incident may be a criminal offence, you may need to report to the appropriate law enforcement body. Ask the NZ Police for advice.

Get emergency help for critical incidents involving public safety

Where lives or public safety are at risk, contact the emergency services — dial 111.

Critical incidents that may affect public safety include the following types:

Personal attacks:

  • assault
  • use of weapons, including firearms
  • threats of harm to self or others
  • violent demonstration with serious disruption of public order
  • chemical, biological, or radiological (CBR) attack, or suspected CBR attack
  • white powder incidents, including real and significant hoax incidents.

Hostage taking, actual or suspected:

  • hostage situation
  • hijacking

Attacks to property or information:

  • arson or suspected arson
  • bombing
  • mail bomb, or suspected mail bomb
  • attack on the national information infrastructure or critical infrastructure that uses it.

Report major occupational health and safety incidents to WorkSafe

You must report health and safety incidents involving serious injury or death to WorkSafe New Zealand.

Include these details when you report major security incidents

When reporting suspected major security incidents, cover these details:

  • the date and time of the incident, or when it was reported or discovered
  • location
  • brief details
  • what may have been compromised (and the type and level of protective marking, if relevant)
  • the names of those involved in the incident, if known
  • the name and contact details of the agency for follow-up
  • an initial assessment of the harm or damage
  • what action you have already taken.

If you’ve reported a major incident, ensure you also report any updates and changes to the situation.

You are responsible for circulating information about incidents within your own organisation.


Investigating security incidents

GOV011

A security investigation establishes what caused the incident and how far it compromised or threatened the security of people, information, or assets.

Apply the principles of fairness

The principles of procedural fairness apply to all investigations. People whose rights, interests or expectations are affected should be told the case against them, and given an opportunity to be heard by an unbiased decision-maker.

The actions that result from an investigation must be fair. More information is in Procedural fairness requirements.

Understand the likely outcomes of an investigation

Outcomes of an investigation may include:

  • dismissal of the disciplinary charge(s)
  • training/education
  • changes to administrative or security policies, procedures or practices
  • security outcome, including potential loss of security clearance
  • referral to an outside agency for further investigation or prosecution
  • disciplinary action.

Interim measures while an investigation is underway

In some circumstances it will be appropriate to take interim security measures while an investigation is underway. What is appropriate will be different in every case. You need to balance the need to protect your people, information, or assets with your employment obligations of natural justice.

Interim measures you may consider include:

  • conducting an audit of relevant information
  • monitoring computer usage
  • monitoring building access
  • limiting computer access
  • removing computer access
  • limiting after hours access to place of work
  • removing access to a place of work (following a decision to suspend, reached through due process).

Any response must be justifiable and proportional to the concern held, and appropriately directed to protect any people, information, or assets potentially at risk. It must be an interim step to protect your people, information, or assets while the security investigation is underway.

In most circumstances it will be appropriate to tell the employee what interim measures are being taken, particularly where the employee remains in the workplace. For example, limiting access to a building or a system should be clearly explained. The employee should be told that security measures are being taken, that they are interim while the security investigation is ongoing, and do not signal predetermination. The measures must be targeted to the concerns held and not arbitrarily applied.

However, there will be instances where notifying the employee about the interim measures is not appropriate. For example, when monitoring of computer use is considered necessary, notifying the employee might compromise the purpose of the monitoring.

Early engagement with HR is essential to ensure appropriate security measures are taken while also balancing employment obligations of natural justice.

Who needs to be involved?

If you initiate a security investigation, get advice from the police or NZSIS when a violation may involve national security or criminal behaviour.

If an incident requires more than one type of investigation, work with the other agency(ies) to determine priorities and an investigative approach.

The role of a criminal investigation

A criminal investigation gathers evidence that may lead to bringing offenders before the courts.

You may need to hold a criminal investigation in cases such as fraud, theft, and unauthorised disclosure of official information.

Information gathered in a security investigation may not meet the evidential standards required in a criminal investigation.

The role of a security investigation

The purpose of a security investigation is to establish what has happened and how. It is not to establish whether a criminal offence has been committed, to aid prosecution, or to resolve employment or code of conduct disputes.

A security investigation focuses on establishing:

  • the nature of the incident
  • how the incident occurred
  • what circumstances led to the incident
  • who was involved
  • the degree of damage to national security interests
  • procedures needed to prevent a similar event or reduce its likelihood.

If a security investigation gives way to a criminal investigation, from then on you need to use procedures for a criminal investigation and for gathering evidence that is admissible in court.

Set procedures for investigating security incidents

Your organisation should set policy and procedures for investigating security incidents. Cover these requirements.

Responsibilities and actions:

  • Responsibilities of the investigator and senior management
  • What to do when you get a complaint or allegation, including anonymous allegations and reports from whistleblowers
  • Terms of reference for the investigation
  • When to refer security investigations to the NZSIS, police or other outside agencies.

Procedures:

  • Standards of ethical behaviour by investigators, recording activities, and how you manage investigation cases
  • Procedures for operations like holding interviews.

Requirements for reporting:

  • Maintaining detailed file notes
  • Keeping senior management informed of the progress
  • A final report that includes background information, a summary of major findings, and recommendations.

Appoint an investigator

Appoint an investigator who is appropriately trained and qualified. They should be impartial. They must not have a conflict of interest, real or apparent, in the investigation.

If the investigator you appoint does not have the power or authority to collect any evidence, or if a conflict of interest comes up, refer the investigation to a person or agency with the necessary delegations.

More information is in Procedural fairness requirements.

Understand the role of an investigator

An investigator’s key tasks should include:

  • understanding the incident and the terms of reference
  • identifying the relevant law, policy or procedures
  • gathering all relevant facts
  • verifying whether the incident is an offence
  • reporting the findings, and the reasons for the findings
  • making recommendations.

Determine the nature of the investigation

At the start, assess:

  • whether the investigation is likely to be a criminal, security or other type of investigation
  • resources needed
  • legal boundaries for the investigation
  • authorisation needed
  • nature of the possible outcome.

Set the terms of reference for investigations

The terms of reference should be clear, comprehensive, and include any limits. They could include:

  • the background
  • resources allocated (for example, people, financial)
  • timeframes
  • types of inquiries to be conducted
  • powers of the investigating officer to collect evidence
  • the format for reporting
  • any special requirements or factors specific to the investigation.

Also cover how the investigator will collect evidence, such as:

  • from policies, processes, and practices
  • from relevant records and material
  • through interviews
  • by search and surveillance.

At the start of an investigation, appoint a senior staff member to approve the terms of reference and the investigation plan.

Set processes for holding investigations

Your organisation’s investigation processes should include:

  • general and organisation-specific legislation and powers
  • inter-agency relationships
  • what to do when you receive an allegation (including process for “whistleblowers” under the Protected Disclosures Act)
  • methods for managing and supporting investigations
  • investigation practices
  • investigation report or brief of evidence
  • Information Privacy Principles (IPPs)
  • investigation result and review
  • recovery actions.

Assess the incident

The investigator should assess:

  • relevant laws
  • the nature of the incident
  • the incident’s seriousness and its possible level of harm to the organisation or government
  • whether the incident shows there is a systemic problem
  • whether it is part of a pattern
  • whether it may breach New Zealand law.

Develop an investigation plan

Use the incident assessment to prepare an investigation plan that identifies:

  • the key issues to be investigated
  • any relevant legislation, provisions of a code of conduct, organisation policy and procedures, standards and requirements
  • required evidence
  • methods for collecting the evidence
  • legal requirements and procedures to be followed in collecting evidence
  • allocation of tasks and resources.

If the terms of reference and the investigation plan need to change during the investigation, the investigator should consult the person who authorised the investigation.

Gather information

An investigator identifies, collects and presents information proving or disproving the facts relating to the incident. Types of information are:

  • physical
  • documentary
  • oral
  • expert advice.

Record and store all evidence

Investigators should keep a separate file for each investigation. Store it, and any physical evidence, securely.

The file should be a complete record of the investigation. Document every step, including dates and times, all discussions, phone calls, interviews, decisions, and conclusions. Include how physical evidence was handled.

If any protectively-marked information was gathered or created during the investigation, investigators must meet the standards for storage. More information is in How to protect information.

Prepare the investigation report

The investigator should report findings to the commissioning body or the decision-maker. They should identify the reasons for the findings according to the terms of reference, use supporting material, and make recommendations.

Close and review the investigation

An investigation is closed when all reports are completed and evidence is documented and filed.

An independent person, ideally more experienced than the investigator, should review the closed investigation. Their impartial assessment of the investigation can identify how to improve requirements for future investigations.