Governance

GOV009

Reporting incidents and conducting security investigations

Understand how to report, manage, and investigate security incidents using a consistent, structured approach.

These guidelines cover how to manage security incidents as part of the New Zealand government’s protective security requirements. They describe best practice for running security investigations.

Reporting security incidents – an overview

A security incident is:

  • a violation, breach or infringement of protective security policy or procedure
  • an approach from anybody seeking unauthorised access to official resources
  • an attempt to gain unauthorised access to official resources
  • any other event that harms, or may harm the security of the New Zealand government, its institutions or programmes.

Not all security incidents are significant enough to require investigation. Seek guidance from supporting agencies – the police, NZSIS, GCSB, New Zealand Defence Force, or other relevant agencies.

If foreign officials seek unauthorised access to official resources, Contact Reporting has separate advice.

Your organisation’s role

Your organisation must assess the harm from any security incident. Determine the impact on the New Zealand government of actual, potential, or suspected loss, compromise or disclosure.

You must:

  • identify whether the incident is minor (an infringement or breach) or major (a violation, which you must report)
  • report the incident to any other relevant agencies, like the New Zealand Security Intelligence Service (NZSIS), Government Communications Security Bureau (GCSB), CERT, Privacy Commissioner or Government Chief Digital Officer (GCDO).


Always report these kinds of security incidents

Your people and contractors must report:

  • crimes like theft or attempted theft, burglary, damage e.g. vandalism, fraud or assault
  • natural events like fire or storm damage which may compromise security
  • incorrect handling of information that is protectively marked.

The people and tasks involved in reporting security incidents

Your organisation must have a policy for security incident reporting. It should cover the roles and responsibilities of people who handle security incidents and run security investigations.

Chief Executives or Agency heads

Your chief executive or agency head should ensure there are:

  • processes for staff, contractors and contractor’s employees to report security incidents
  • records of the organisation’s security performance and requirements.

Senior managers

Senior managers are responsible for the procedures for security incident reporting and recording — in their areas, and for the organisation overall. The Chief Security Officer (CSO), or their delegate, should help them.

In security investigations, a senior manager, who is independent of the incident, should approve the terms of reference and objectives. They should also get regular reports on the investigation’s progress.

Managers

Your managers should ensure security incidents are reported to the CSO, and work closely with them on any security concerns.

If an incident involves your ICT system, you may also need to report to the Chief Information Security Officer (CISO).

Managers have an important role to play. As they work closely with staff, they could be the first to detect a security incident or notice suspicious behaviour.

CSO

Your CSO, or their delegate, receives and actions information about security incidents.

They should record security incidents and the outcome of investigations, and report regularly to senior management on security performance.

CISO / Information Technology Security Manager (ITSM)

Your CISO or ITSM receives and actions information about incidents involving ICT systems. These include denial of service attacks, targeted malicious email attacks, and loss of ICT assets or information.

They should report major ICT security incidents to the National Cyber Security Centre (NCSC).

They should tell your CSO about any ICT security incidents and the likely impacts. The CISO may have a role in investigating ICT security incidents.

Employees

Everyone that works for your organisation must know about and follow your processes for reporting security incidents.

Your organisation must provide security awareness training for employees, contractors, and contractors’ employees.

 

Page last modified: 4/05/2022