Applying good physical security practices

Consider these good practices when designing your physical security

PHY055

It's important that you consider the following good practices when designing your physical security.

Deter, Detect, Delay, Respond, Recover

PHY015

  • Deter: Deter or discourage unauthorised people from attempting to gain unauthorised access to your facility. Implement measures that unauthorised people perceive as too difficult, or as needing special tools and training, to defeat.
  • Detect: Detect unauthorised access as early as possible. Implement measures to work out whether an unauthorised action is occurring or has occurred.
  • Delay: Delay an unauthorised access attempt for as long as possible to allow an effective security response to be activated. Implement measures to slow the progress of a harmful event.
  • Respond: An effective response counters the anticipated activity of an unauthorised person within a time appropriate to the delay measures. Prepare measures to prevent, resist, or mitigate the impact of an attack or event.
  • Recover: Take the steps required to recover from a security incident. Plan to restore operations to as near normal as possible in a timely manner following an incident.

Crime prevention through environmental design

PHY016

Crime Prevention Through Environmental Design (CPTED) should be an integral part of your facility planning.

To apply the principles of CPTED, identify which aspects of the physical environment could affect people’s behaviour and then use that knowledge to design an environment which minimises crime.

Always base your security measures on your organisation’s risk assessment, as CPTED alone might not meet all your security needs.

More information on CPTED:

Many publications deal with CPTED in the domains of private housing and public areas, but the principles apply equally to government organisations.


Physical protection of information

PHY019

Protecting single items or limited amounts of information

Your organisation must protect individual documents in line with the Management protocol for information security and its associated requirements.

Material with a compartmented marking, such as a codeword or SCI (sensitive compartmented information) marking, may need additional mandatory security controls.

Provide physical protection for hardcopy and electronic information according to its Business Impact Level (BIL).

A ‘limited amount of information’ means a grouping of information that doesn’t result in a higher BIL or need a higher protective marking than the information collection that it comes from.

The relationship between BILs and classification levels

At times, there may be a relationship between security classifications for official information and BILs. The security classifications directly match the BILs when considering the confidentiality of individual documents or files. However, this does not necessarily apply to collections of assets. For example, within a collection of assets with an aggregated business impact level of 4, each individual item might not be marked as CONFIDENTIAL.

However, an asset’s protective marking (its confidentiality) isn’t the only factor to consider when you work out a BIL. You need to consider all factors affecting the security of an asset before you apply a BIL. BILs also need to take integrity and availability into account.

The following table summarises the likely links between protective markings and BILs of individual documents or limited amounts of information.

Individual document marking          Business impact level
UNCLASSIFIED (may not be marked)     1 Low
IN-CONFIDENCE                        2 Medium
SENSITIVE or RESTRICTED              3 High
CONFIDENTIAL                         4 Very high
SECRET                               5 Extreme
TOP SECRET                           6 Catastrophic

Protecting aggregated information

Aggregated information means collections of protectively-marked or unclassified official information, for example, collections of electronic information.

When information is aggregated, it often becomes more valuable and needs greater protection.

Your organisation must implement physical security measures to mitigate the risks associated with aggregated information.

Protecting information with a catastrophic BIL

TOP SECRET information, or aggregated information that could cause catastrophic damage to New Zealand’s national security if its security was breached, can only be stored in an area certified by the New Zealand Security Intelligence Service (NZSIS). You need their certification before you first use an area and again after any modifications to it.

You can arrange for another agency to hold your TOP SECRET information if you don’t have suitable facilities or the cost of establishing facilities is not justifiable. However, if your organisation owns the information, you must provide security containers for holding the information and control access into the containers.


Relevant legislation and standards

PHY020

The design of your physical security measures must comply with the following acts and any associated regulations or codes:

When your organisation is implementing physical security measures, use the following standards, handbooks, and codes to guide you.

Australian and New Zealand Standards (AS and NZS)

  • AS/NZS 2343:1997 Bullet-resistant panels and elements (under review)
  • AS 1725.1-2010 Chain link fabric security fences and gates
  • AS/NZS 3016:2002 Electrical installations - Electric security fences (under review)
  • AS/NZS 2201.5:2008 Intruder alarm systems - Alarm transmission systems
  • AS/NZS 2201.1:2007 Intruder alarm systems - Client's premises - Design, installation, commissioning and maintenance
  • AS 2201.3:1991 Intruder alarm systems - Detection devices for internal use
  • AS 2201.2:2004 Intruder alarm systems - Monitoring centres
  • AS 4145.2:2008 Locksets and hardware for doors and windows - Mechanical locksets for doors and windows in buildings
  • AS/NZS ISO 45001:2018 Occupational health and safety management systems - Requirements with guidance for use
  • AS/NZS IEC 60839-11-1:2019 Electronic access control systems - System and components requirements (Part 11-1)
  • AS/NZS IEC 60839-11-2:2019 Electronic access control systems - Application guidelines (Part 11-2)

British Standards (BS)

  • PAS 69:2013 Guidelines for the specification and installation of vehicle security barriers
  • BS EN 1143-1:2019 Secure storage units - Requirements, classifications and methods of test for resistance to burglary - Secure safe cabinets
  • BS 1722-14:2016 Fences - Specification for open mesh steel panel fences
  • BS 1722-12:2016 Fences - Specification for steel palisade fences

International Organization for Standardization (ISO)

  • ISO/IEC 27002:2006 Information technology - Security techniques - Code of practice for information security management
  • AS/NZS ISO 45001:2018 Occupational health and safety management systems - Requirements with guidance for use
  • ISO 31000:2018 Risk management - Guidelines

Japanese Industrial Standard (JIS)

  • JIS S 1037 - Standard Fire Test

UL Standards

  • UL 72 - Tests for fire resistance of records protection equipment
  • UL 687 - Burglary-resistant safes

American and Canadian standards

  • US FIPS 201

Handbooks

  • HB 327:2010 Communicating and Consulting About Risk
  • Designing out Crime: Crime Prevention Through Environmental Design
  • IES-G-1-03 Guidelines on Security Lighting for People, Property, and Public Spaces
  • HB 328:2009 Mailroom Security
  • Privacy and CCTV: A guide to the Privacy Act for businesses, agencies and organisations
  • New Zealand Information Security Manual (NZISM) - Product sanitisation and disposal - media disposal
  • NZISM - Telephones and telephone systems
  • HB 167:2006 Security risk management

Codes

  • The New Zealand Building Code

Guidance for establishing zone 3, 4, or 5 areas

The following classified material will guide you when you’re establishing zone 3, 4, or 5 areas. Contact us for more information.

  • NZSIS Approved Products List (APL)
  • NZSIS Technical Note - Class A Secure Room
  • NZSIS Technical Note - Class B Secure Room
  • NZSIS Technical Note - Class C Secure Room
  • NZSIS Technical Note - Physical Security of Intruder Resistant Areas
  • NZSIS Technical Note - Physical Security of Secure Areas
  • NZSIS Technical Note - Physical Security of Zone 5 Areas