Managing specific scenarios

Plan for robust security to meet the specific needs of different scenarios

Working away from the office

PHY043

Consider the situations that your people might face when they are working away from the office.

Will they be working at home? In remote-locations? In someone else’s building? Overseas?

People are using portable computing and mobile communications devices to work remotely in a variety of ways and places, such as:

  • taking work home
  • working in the field
  • working from vehicles
  • working from hotels or conference venues
  • visiting client offices
  • working while on public transport.

 Mobile and remote working is now the norm, yet many people are unaware of the threats that they face.

Your organisation must take all reasonable steps to ensure the personal security of your employees when they’re working away from the office.

Use your risk assessments to work out when your need increase protection for your people. In some cases, you may need to extend protection to family members and others.


Event security

PHY058

Whether your organisation is hosting or attending events, you must assess physical security and safety risks and put measures in place to reduce them.

Event organisers have common law duties and statutory obligations under New Zealand legislation to protect people attending events.

Events are many and varied but include New Zealand Government events and overseas events.

Some government events are in the national interest, such as the Commonwealth Games and the Pacific Islands Forum.

PHY044

Consider protective security and safety requirements in the earliest stages of event planning.

You have common law duties and statutory obligations under New Zealand legislation to protect people attending events. You may also need to protect information and assets.

To plan an event well, you need to:

  • appoint qualified people to security roles
  • consider the threats
  • develop a security plan
  • inspect possible venues
  • manage event preparation.

Appoint an event manager and event security officer

The event manager is responsible for overall event security. The manager must appoint an event security officer (ESO) as early as possible, so they can be included in the planning process.

The ESO is responsible for implementing security for the event and the event venue, and should be competent in security management. 

Your ESO should:

  • be senior enough to exercise the necessary authority
  • have direct access to the event manager
  • have a sound knowledge of protective security.

For a large or long-running event, the ESO might need a support team.

Common duties of an ESO

The duties of the ESO should include, but are not limited to:

  • seeking advice on possible threats to the event
  • completing a security risk assessment for the event or venue(s)
  • preparing any security plans based on the risk assessment activity
  • making necessary security preparations for the event
  • coordinating security during the event
  • liaising with appropriate people from your organisation, or external agencies and authorities before, during, and after the event.

Consider the possible threats

Considering possible threats to the event and preliminary work on the event plan usually happen at the same time.

The ESO should seek advice on possible threats from:

  • the part of your organisation that is coordinating the event and any other relevant parts
  • external agencies, such as the New Zealand Security Intelligence Service (NZSIS) and the New Zealand Police when relevant.

You should identify, assess, and manage the risks to an event in line with the principles in:

Assessing threats to national security 

The ESO should seek a threat assessment from the NZSIS’s Combined Threat Assessment Group (CTAG) if:

  • the event could be the subject of terrorism or violent protest
  • previous similar events have been subject to terrorism or violent protest
  • the information to be discussed at the event is protectively marked SECRET or above, and there may be a risk of compromise
  • previous experience indicates this is appropriate. 

If you request for a threat assessment, include enough details on the event to enable CTAG to carry out a robust and thorough assessment.

If you become aware of any additional relevant information after the original threat assessment is issued, advise CTAG and they will publish an updated threat assessment. 

CTAG may also issue updated threat assessments if it becomes aware of any relevant information.

Protecting high-level and foreign guests

New Zealand's obligations under the following conventions and legislation may impact on event security:

When to contact specialist agencies

If you’re planning a non-routine event that high-level officials will attend, contact The Visits and Ceremonial Office of the Department of Internal Affairs(external link).

Examples of high-level officials are:

  • New Zealand holders of high office — for example, the Prime Minister or the Governor-General
  • members of the diplomatic or consular corps at ambassador level.

If you’re planning an event that high-level foreign dignitaries or controversial visitors who could attract protest activity will attend, contact the Ministry of Foreign Affairs and Trade’s Protocol Division.

Email: prd@mfat.govt.nz

Examples of foreign dignitaries are heads of state, heads of government, foreign ministers or other senior level ministers.

Develop an event security plan

Your ESO should develop a security plan based on a risk assessment of the event.

The plan will evolve as details of the event become clearer, and preparations for the event develop. It will also depend on the duration, location, and size of the event.

Remember to include any event security arrangements in the event costings.

If an event will be held overseas, consult with the Ministry of Foreign Affairs and Trade (MFAT) in the early planning stages to work out if the proposed location and venue is suitable. This consultation is particularly important if:

  • protectively-marked or commercially sensitive information will be accessed or used at the event
  • New Zealand dignitaries will attend the event.

Use the following questions to prompt your thinking and planning. Add any special requirements you have to the plan.

What do you need to protect and when?

Think about the need to protect the proceedings themselves, any documents (both those provided and notes taken during the event), and people who attend.

What kinds threats are there? What is the appropriate level of security for the event?

How long will the event last? Will the protection needs stay constant throughout the event or vary? When might you need to increase protective measures?

Will attendees be making visits to other sites or activities as part of the event?

Which is the best site for the event?

You might have different sites to choose from — some within your facilities and others at external venues. Questions to answer include:

  • How much control do you need to have over the event? (The less control you have, the more likely it is that extra security measures will be needed.)
  • How sensitive is the information that will be present?
  • What are the unique risks posed by each site?
  • How will the flow of the event affect your choice?
  • What are the transport options?
  • Will you be able to protect the attendees?

Inspect possible venues before you decide.

For events where sensitive and protectively-marked information will be present, it’s best to choose a venue controlled by a New Zealand Government organisation.

To assess a venue, your ESO should refer to Assess your physical security risks.

Who will be involved in running the event and what are their roles?

How will you manage communication between different parts of your organisation, or with other organisations involved in running the event?

What are the roles and responsibilities of event staff?

Who is responsible for liaising with the New Zealand Police if necessary? For example, if the event might attract protest action.

Who will attend the event?

Who are the attendees? Who do they work for or represent? Will any overseas people attend? Any New Zealand or overseas office holders? Any media representatives or members of the public?

Are there any security clearance or character check requirements for attendees?

Will any VIPs attend and need personal protection?

Do you need to arrange accommodation for VIPs or other attendees? What are their accommodation security requirements?

What are your contingency plans?

Contingency plans might include communications, command and control arrangements, and alternative venues for incidents (for example, bomb alerts and public demonstrations or protests).

How will you protect the event?

Detail the threats you’ve identified and the measures you plan to use to manage the risks.

Think about any special protective security measures you might need. For example, audio countermeasures, or security containers and other security equipment.

If your event will involve TOP SECRET, SECRET, or certain protectively-marked information, your ESO should seek advice from the New Zealand Security Intelligence Service based on your risk assessment. Then state in your event plan what measures you will put in place. For example, you might need to:

  • strictly limit the number of invitees to the overall event
  • strictly limit the number of invitees to particular sessions
  • limit the duration of the event to as short a period as practicable
  • keep handouts to a minimum
  • secure the meeting room from audio-visual recording devices.

If necessary, your chief security officer can seek advice from the Government Communication Security Bureau (GCSB) on technical surveillance counter measures.

Inspect possible venues

Inspect possible venues at the earliest opportunity. Find out what security is already available and what you might have to put in place. Note any potential risks you haven’t already identified.

Your ESO should accompany the event organiser during a preliminary inspection or provide advice on security requirements if they can’t attend.

If protest activity is a possibility, involve the local police at an early stage of your event planning. A more detailed inspection might be required later, once you’ve chosen a venue. At both stages contact with local police and venue management can be useful for gaining local knowledge.

When you inspect a venue, consider the following questions.

What might adversely affect physical security?

Would it be easy or hard to fix problems? For example, door locks and window catches, curtain fittings, exterior lights, and light fittings.

Can you control access to the venue?

Include entry to the venue, rooms within the venue, and any onsite parking.

Is there an area where you can examine suspicious articles?

If you needed to detonate an explosive device, it would need to be done in an area where it caused minimal damage to property and no injury to anyone.

How vulnerable is the venue to overhearing, overlooking, and electronic eavesdropping?

Your risk assessment will inform the level of security you need for these aspects.

Once you’ve selected a venue, a more detailed survey might be needed.

Manage event preparation

Based on your security plan and inspection of the venue, you may need to address several matters before the event.

These include processes, arrangements, security controls, and logistical matters.

You may need processes for:

  • controlling keys
  • controlling entry
  • managing an emergency evacuation
  • reporting security incidents
  • receiving and escorting visitors
  • storing, handling, and disposing of official or protectively-marked information.

You may also need to arrange or prepare:

  • event set up schedules
  • a communication plan
  • event security instructions
  • supply and delivery of security containers and other security equipment
  • event access and identity passes
  • security clearances
  • event security exercises
  • technical surveillance counter measures
  • employees or guards to control access
  • searches to sanitise the premises.

PHY045

The event security officer oversees security and is responsible for many important tasks during the event.

Responsibilities during the event

As well as overseeing security arrangements at the event, the event security officer (ESO) may have to conduct or oversee many tasks to ensure event security is well managed.

Communication, awareness, and advice

The CSO may need to:

  • liaise with the event manager on communications, command, and control issues
  • maintain awareness of, and consistency with, health and safety requirements
  • provide event attendees and venue employees with security advice, including security and emergency procedures
  • advise attendees of the protective marking of the subject matter and the security arrangements and facilities available (the security classification of topics to be discussed should be displayed at the start of the event and again before each protectively-marked segment of the event).

ID and entry control

The CSO may need to:

  • ensure accredited attendees are issued access and identity passes, including ensuring identities are verified if necessary
  • control entry to ensure that no unauthorised persons gain access to the building or event, or can observe or listen to proceedings
  • supervise security aspects of visitor control

Safety of protectively-marked information

The CSO may need to manage arrangements for protectively-marked information used and produced at the event, including how it is received, recorded, distributed, transmitted, returned, and stored. Ensuring its secure storage may include coordinating: 

  • the use of security containers
  • waste collection and disposal.

For more information, see Handing requirements for protectively-marked information and equipment [PDF, 342 KB].

Personnel coordination

The CSO may need to:

  • coordinate security procedures for cleaning and maintenance personnel
  • coordinate the physical security and storage of equipment (for example, cameras, recording devices, audio-recording devices, and mobile phones)
  • supervise people employed on security duties
  • supervising any necessary searches to sanitise the premises.

Note: An ESO should seek advice from their organisation’s chief security officer when needed to help with investigating any security incidents.

Managing event accreditation

Event accreditation documents provide speedy validation of a person's right to attend an event.

Major events should have:

  • a master list of participants, including event management and support staff (where possible, featuring photo identification and information covering roles, contact details, etc)
  • accreditation passes for participants, featuring:
    • photo identification
    • the dates of validity
    • the category of participant
    • any restricted area access rights
  • a design and layout that can be visually checked by guards or event staff.

Accreditation passes should be designed so that they are comfortable for participants and can be worn at all times.

When an event is sensitive and you need to avoid publicity, consider using a unique but unobtrusive identification article, such as a lapel pin or badge.

Controlling access to restricted areas

Your ESO should decide which event areas need to have restricted access —  areas within the venue to which only certain attendees, authorised officials, and security staff will have unescorted access.

Clearly label restricted access areas and control access to them.

Managing information security

Information used at an event could be in a variety of forms, including the proceedings themselves, documents brought to or produced at the event, and audio-visual presentations.

Protectively-marked information

Based on the event risk assessment, the ESO should consider not allowing attendees to bring any protectively-marked information.

If protectively marked information is needed at the event, consider the following protective measures: 

  • distributing the necessary number of copies at the beginning of the event, or if possible, at the session where they’ll be needed
  • increasing accountability by numbering and recording the distribution of each copy
  • arranging for attendees to leave all protectively-marked documents, including any notes taken, at the end of the session or day, and send the documents by safehand to each delegate after the event.

Whether these measures are practical will depend on the circumstances of the event.

Whatever arrangements are made, the ESO should inform attendees of them as early as possible and, if necessary, remind attendees during the event.

Protectively-marked waste

If protectively-marked waste will be generated at the venue, the ESO is responsible for ensuring there are adequate facilities to collect and dispose of it.

For some protectively-marked information, you might need to use an approved shredder or removal/destruction procedure at the venue.

Also refer to Handling requirements for protectively marked information and equipment [PDF, 342 KB].

Security containers

At times, it may be necessary to store protectively-marked information onsite either during the event or between proceedings if the event runs for more than one day.

In this case, the ESO may need to ensure suitable security containers are provided and will be responsible for controlling access to them.  

For help with using the right security containers, go to Security containers and cabinets

Using technical security

You must use technical surveillance countermeasures (TSCM):

  • before and during an event that involves TOP SECRET, SECRET, or codeword information
  • when the security plan or threat assessment indicates the need for them.

Your ESO should contact the Government Communications Security Bureau (GCSB)(external link) for advice before any event that is TOP SECRET.

The ESO should also seek advice from the GCSB if information and communications technology (ICT) equipment will be required for processing protectively-marked information.

Considering guards and guard patrols

Your event risk assessment should tell you whether you need guards and guard patrols during an event.

If an event runs for longer than one day, your ESO should consider regular guard patrols during hours the venue is not attended.

If you need to carry out a TSCM sweep to sanitise the premises, you should consider guarding to minimise the risk of a post-sweep compromise.

Reporting security incidents

Advise event attendees to report any security incident to your ESO or security staff straight away, so the situation can be dealt with swiftly.

Security staff should report any incidents to the ESO as soon as practical after becoming aware of the incident.

The ESO should follow the process in Reporting incidents and conducting security investigations

Issuing security and emergency instructions

Everyone who will be attending or working at the event needs to know what your security and emergency instructions are. However, you might need separate instructions for staff and participants.

Your ESO should issue the security and emergency instructions for attendees at the event either they arrive or on arrival.

Receiving mail

Make sure you’ve considered the necessary requirements for receiving mail or goods that may be delivered to an event, including procedures for scanning and handling suspicious items.  

Controlling demonstrations

The New Zealand Police have ultimate responsibility for controlling demonstrations.

If your event security risk assessment indicates that demonstrators may be a problem, seek advice  from the police at an early stage to ensure they can respond or are available to discuss other mitigation strategies, including the deployment of security guards.

Your ESO is responsible for ensuring proper arrangements are in place before the event begins.  

Handling media attention

Media attention might be focused on the event. This attention could be because of event publicity, attendance by VIPs, or the subject matter.

Developing a media plan

If you’re organising the event, consult your ESO when you’re developing your media plan. The plan may include, based on the risk assessment:

  • accreditation of, and passes for, media representatives
  • a designated room at the venue for media representatives
  • procedures for issuing media releases and statements
  • a requirement that, on arrival, media representatives report to the event security or reception area.

Make sure you:

  • consider carefully whether any media representative is to be permitted into the venue or event rooms at any time while the event is in progress, and if so, under what conditions 
  • ensure any release to the media is in line with your organisation’s media liaison processes
  • ensure any media access is under controlled conditions and with appropriate escort arrangements
  • ensure you take particular care to prevent unescorted access to any room where protectively-marked information could be left unattended (prevent access until the room has been checked for protectively marked information).

PHY046

Your event security officer carries out tasks that ensure the event is wrapped up securely.

Post-event responsibilities

Following the event, the event security officer (ESO) completes the following tasks when necessary:

Retrieving or disabling access and identity passes

If event access and identity passes give unescorted access to your organisation’s venue, the ESO coordinates retrieving all passes. If that is not possible, the ESO must disable any access provided by the passes.

Searching the venue

The ESO coordinates a thorough search of the venue to ensure no official information or assets that belong to your organisation have been left behind.

For example, items such as documents, audio-visual recordings, whiteboards, projection equipment, and electronic media equipment.

Returning security containers (if used)

The ESO coordinates the return of any security containers used at the event, including changing combination settings for container travel and storage.

Submitting a security report

The ESO submits a security report to the event organiser.

Reporting any unreported security incident

For any security incidents that occurred during the event that have not already been reported, the ESO reports in line with Reporting incidents and conducting security investigations.

Returning protectively-marked material

The ESO arranges the secure transmission of any protectively-marked event papers and documentation to all attendees.


Physical security for ICT systems

PHY059

This section sets out the mandatory requirements for the physical security of ICT systems.

PHY050

Physical security measures for ICT equipment help to ensure your organisation stays operational.

ICT equipment is essential for processing, storing, and communicating your organisation’s information.

Which ICT equipment you need to protect

ICT equipment that requires protection includes any device that can store information electronically, such as:

  • computers — desktop, laptop, or tablet
  • photocopiers, multi-function devices (MFDs), and printers
  • fax machines
  • mobile phones
  • digital cameras
  • personal electronic devices
  • storage media — for example, portable hard drives, USB sticks, CDs, DVDs, radio frequency identification (RFID) tags and systems
  • network equipment — for example, routers, switches
  • voice systems — for example, PABX.

For information about protecting servers, other communications network devices, supporting network infrastructure, and gateway devices, go to Secure your ICT system equipment.

Where to locate ICT equipment

You should locate ICT equipment in a security zone that is suitable for protecting either the aggregate of information stored on the equipment, or the value of the equipment, whichever requires the greater protection. 

How much protection to give ICT equipment

Base the level of protection you give to ICT equipment on the highest Business Impact Level (BIL) that would result from:

  • the compromise, loss of integrity or unavailability of the aggregate of electronic information held on the equipment, or
  • the loss or unavailability of the ICT equipment itself.

Using tamper-evident seals

You can seal access to ICT equipment using New Zealand Security Intelligence Service (NZSIS) approved tamper-evident wafer seals suitable for application to hard surfaces.

Seals may give a visual indication of unauthorised access into the equipment if the seals are removed or broken.

Refer to the Approved Products List (APL) when selecting wafer seals. This list is classified, contact the PSR team for more information.

Where to store ICT equipment when not in use

When your ICT equipment is stored in dedicated ICT facilities, meet the physical security controls detailed in the supporting documents below.

When your ICT equipment is not stored in dedicated ICT facilities, apply the physical security controls in Security zones.

Add any additional controls when you need to based on your security risk assessment.

If your organisation can’t meet the requirements, seek advice from the Government Communications Security Bureau (GCSB)(external link) on additional logical or technological solutions that may be available to lower the risks to electronic information when your equipment is not in use.

When ICT equipment can’t be kept in security containers or rooms

You may not be able to secure some electronic equipment in security containers or rooms when not in use. For example, desktop computers, printers, and MFDs.

To find an appropriate solution, first assess the BIL of the equipment and the information it holds.

Remember that the logical access controls described in the New Zealand Information Security Manual(external link) don’t constitute sanitisation and reclassification of ICT media. Therefore, the media retains its protective marking for the purposes of reuse, reclassification, declassification, sanitisation, destruction and disposal as specified.

If the following information doesn’t solve your problem, seek advice from the GSCB(external link) on additional logical or technological solutions that may be available to lower the risks to electronic information.

Non-volatile media, such as hard drives

In some circumstances, you may be able to fit removable non-volatile media (such as hard drives) that can then be secured in an appropriate security container when not in use.

If the non-volatile media can’t be removed, work out which zone the equipment can be kept in based on the risk of unauthorised people obtaining information and the sensitivity of the information held in the equipment.

Equipment with solid state drives or hybrid hard drives

Solid state drives and hybrid hard drives can’t be made safe through normal wiping processes when switched off.

If you wish to use equipment fitted with solid state drives or hybrid hard drives, seek advice from the GCSB on other methods for securing these types of equipment (for example, encryption).

Information or equipment with BILs of very high, extreme, or catastrophic

If the BIL of the equipment and/or information it holds is very high or extreme, the equipment should be stored in a zone 3 or above area, unless you are able to apply additional logical controls to lower the risks to a level acceptable to your organisation.

If the BIL is catastrophic, the equipment should be stored in a zone 5 area, unless you are able to apply additional logical controls to lower the risks to a level acceptable to the originator.

How to deal with removing ICT equipment from your premises

Your organisation must have a policy on removing ICT equipment from your facilities that prohibits your people from doing so without permission. 

New Zealand Information Security Manual - Working Off-Site and Working Away from the Office has more information.

Keeping ICT equipment secure when it’s offsite

You must apply physical security measures to off-site equipment that address the risks to the equipment and the information it holds. Apply the logical controls detailed in the New Zealand Information Security Manual - Working Off-Site(external link).

How to audit your ICT equipment

For asset control of ICT equipment, record the location and authorised custodian, and audit periodically.

The period between audits should be based on your risk assessment, with higher risk items audited more regularly.

If your risk assessment suggests it is warranted, consider visually inspecting your ICT equipment as part of you asset control audit to ensure non-approved devices have not been installed.

You should have processes that your people can use to report the loss of ICT equipment.

PHY049

Meet your obligations to protect information when you outsource ICT facilities.

Your organisation must ensure that outsourced ICT facilities meet the physical security requirements for ICT systems.

Preparing to use a data centre

Before you use a data centre, you must assess the aggregated (combined) value of the official information you plan to store in it. Information can increase in value when it is combined and therefore need greater protection.

If you have a shared data centre arrangement, work with the other organisations to assess the Business Impact Level (BIL) of the aggregated information before you use the datacentre operationally.

Protect data storage devices in line with the business impact of the compromise of the aggregated of the information stored on the devices.

Data centres can provide security for your information and ensure your information is continuously available.

ANSI/TIA-942 Telecommunications Infrastructure Standard for Data Centers(external link) gives information on the levels (tiers) of availability.

Using a commercial data center

If your organisation plans to use a commercial data centre to hold official information with BIL of catastrophic, you must seek advice from the New Zealand Security Intelligence Service (NZSIS). They will advise you on the certification requirements for the physical security measures that you must meet before the data centre is used.

Supply chain security guides you on including security requirements in contracts for outsourced functions.

PHY047

ICT systems are protected by a combination of physical and logical controls. Logical access controls are detailed in the New Zealand Information Security Manual(external link).

In some cases, the increased level of protection logical controls provide may mean you can reduce your use of physical controls.

Make sure you refer to security requirements for ICT systems and electronic information in your organisation’s business continuity plans, and other disaster response and recovery plans.

You may need to consult the Government Communications Security Bureau (GCSB)(external link) before you install ICT systems.

Exceptions come with conditions

If your organisation doesn’t apply the logical controls identified in the New Zealand Information Security Manual(external link), you must meet or exceed (based on your risk assessment) the controls identified in the Design physical security early.

You should also:

  • ensure your chief security officer (CSO) is involved in planning processes for ICT systems, so that the physical security requirements are suitable for the ICT equipment and operations
  • restrict access to ICT equipment used to store or process official information to authorised people with a need-to-know
  • provide physical security to all components of your ICT systems, including cabling, taking into account the level of protection given by any encryption.

More guidance:

For more guidance on ICT system security, refer to the following documents.

PHY051

Protect your information lifelines.

Which ICT system equipment needs physical security

As well as the ICT equipment mentioned above, you need to have physical security in place for:

  • servers, including dedicated devices and laptops used as servers
  • other communication network devices — for example, PABX
  • supporting network infrastructure — for example, cabling and patch panels
  • gateway devices — for example, routers, and network access devices.

Where to locate servers and network devices

Servers and network devices must be located in security rooms, or in containers that are in security rooms and protected in line with their Business Impact Level (BIL).

It’s best to keep servers and communication network devices in dedicated ICT facilities. If any of your servers and network devices not held in dedicated ICT facilities, apply the controls identified in Security zones.

For more information, refer to:

Protecting network infrastructure

Your organisation can lose control of their information when it is communicated over an unsecured public network infrastructure or over infrastructure in unsecured areas. 

Protect network infrastructure using a mixture of physical security measures and encryption.

If you apply GCSB-approved encryption, the physical security requirements can be lowered.

You must use Security zones suitable for the highest BIL of the information being communicated over the network infrastructure.

As it may not be possible to secure all network infrastructure in security containers or rooms, you should also meet any system encryption requirements in the NZISM(external link).

Protecting ICT system equipment with containers

Work out the level of container required for patch panels, fibre distribution panels, and structured wiring enclosures based on:

  • the business impact of the information passing over the connections
  • any other controls in place to protect the information.

Panels should, at a minimum, be in locked containers and/or rooms to prevent tampering.

Applying encryption standards

When the BIL of the information transmitted over public network infrastructure is high or above, your organisation must use the encryption standards identified in the NZISM(external link).

The encryption will give enough protection to allow the information to be transmitted on an unclassified network. Encryption is normally applied at your gateway.

In unsecured areas, you must apply the encryption standards identified in the NZISM(external link) to protect information on your network infrastructure.

Keeping cabling secure

To keep cabling secure, apply the cabling security controls in the NZISM - Infrastructure(external link).

Maintaining equipment

To ensure the availability and integrity of your information, maintain equipment in line with the manufacturer’s directions.

Protecting deployable ICT systems

It can be difficult to apply suitable physical security measures when you use deployable ICT systems, particularly if they’re deployed into high-risk environments.

You should seek advice from the GCSB(external link) or Department of Internal Affairs (DIA)(external link) on suitable logical controls to help mitigate any risks you identify.

DIA(external link) should be consulted for items classified as restricted or below. GCSB(external link) should be consulted for items classified as confidential and above.

Protecting ICT system gateway devices

In addition to the logical controls required in the NZISM(external link), you must use physical security measures for your ICT system gateway devices to mitigate the higher business impact from:

  • the loss of the devices
  • the compromise of the aggregated information arising from physical access to the devices.

If you’re using shared gateways, you must apply controls to the gateway appropriate to the highest level of information passing through the gateway.

You must prevent unauthorised access to gateway devices. It’s best to locate these devices in dedicated ICT facilities.

Protecting equipment from power disruptions

Protect ICT equipment from power failures and other disruptions. Aim to achieve an uninterrupted power supply to ICT systems, particularly servers, so your organisation can continue operating. If that’s not achievable, aim for enough power to at least close down systems.

PHY048

Protect your ICT facilities and the information held within them.

ICT facilities that need physical security

Your organisation should have dedicated ICT facilities to house your ICT systems, components of your ICT systems, or ICT equipment. These facilities might include, but are not limited to:

  • server and gateway rooms
  • data centres
  • back-up repositories
  • storage areas for ICT equipment that hold official information
  • communications and patch rooms.

Pay particular attention to the security of any access points to an ICT facility. For example, cabling and ducting.


Accreditation of ICT facilities

Your ICT facilities must be:

  • within accredited security zones
  • appropriate for the value of the aggregated (combined) information held within them
  • in security zones dedicated to these ICT facilities and separate to other functions.

When you outsource your ICT facilities or use shared facilities, you must ensure your information is held in a security zone appropriate to the value of the aggregated information.

Managing information in outsourced and offshore arrangements for ICT gives you more information on the requirements you must meet.

Securing containers used to house ICT equipment

Containers used to house ICT equipment in an ICT facility may be at a lower level when the ICT facility is in a separate security zone within an existing security zone that is suitable for the aggregation of the information held.

Storage requirements for electronic information in ICT facilities [PDF, 73 KB] tells you more.

Securing ICT facilities for information with TOP SECRET or compartmented markings

ICT facilities that hold information with TOP SECRET or compartmented markings must be in a separate zone 5 that is within a zone 5 work area, both of which must be certified by the New Zealand Security Intelligence Service (NZSIS).

ICT facilities for TOP SECRET information must have both:

  • a separate zone on your organisation's electronic access control system (EACS) and
  • an NZSIS-approved security alarm system (SAS).

The Government Communications Security Bureau (GCSB) must certify all ICT systems that hold TOP SECRET information.

Controlling access to ICT facilities and equipment

Your organisation must control access to ICT facilities in line with Security zones.

Access to ICT facilities holding information with a Business Impact Level (BIL) lower than catastrophic should be controlled by:

  • a dedicated section of the SAS or EACS, where used
  • a person provided with a list of people with a ‘need-to-know’ or need to go into the ICT facility.

Your organisation must keep ICT facilities secured when they are not occupied, including security containers within the facilities that hold ICT equipment.

When people need security clearances

Anyone who can access your ICT servers, work in areas that contain ICT servers, or work in areas where your ICT assets are stored must have a security clearance. The level of security clearance depends on the BIL of the aggregated information.

Refer to the Guide to personnel security for your organisation [PDF, 706 KB].

Your organisation should supervise access to ICT servers, restricting access to a need-to-know basis. 

Using technical surveillance countermeasures (TSCM)

If you have an ICT facility that holds information with TOP SECRET and compartmented markings and regular discussions at a TOP SECRET level are held within it, a technical surveillance countermeasures (TSCM) inspection is required.

A TSCM inspection may also be required to provide a high level of assurance that hardware and cabling infrastructure within an ICT facility has not been compromised.

When your organisation doesn’t require its ICT facilities to handle TOP SECRET information, base the requirement for a TSCM inspection and the interval between inspections on your risk assessment.

Refer to the Using technical surveillance countermeasures and audio security in Other physical security measures.

For more advice on TCSM inspections, contact GCSB(external link).

PHY052

Protect ICT systems and equipment from disasters.

Including ICT in your business continuity plans

Your organisation’s disaster recovery and business continuity plans should include availability requirements for information held in ICT equipment.

The impact of the information not being available will influence the measures you take to protect ICT equipment against environmental and human threats.

For more information, refer to section 4.7 of HB 292-2006: A Practitioner's Guide to Business Continuity Management(external link).

Preserving ICT equipment

ICT equipment may require a controlled atmosphere to:

  • ensure the integrity of the information held within it
  • prevent failure of the equipment and potential loss of information.

Controlling the atmosphere may include controlling:

  • temperature
  • humidity
  • air quality — for example, smoke and dust
  • water

 Make sure you meet the requirements identified by the manufacturer when you apply atmosphere controls.

Advice on preserving electronic information for the future is available online from Archives New Zealand(external link).

Using uninterruptible and auxiliary power supplies

If your ICT systems are unexpectedly shutdown, you may lose information. An uninterruptible power supply (UPS) may allow you to turn off systems in a controlled manner or provide power until power to your ICT system is restored.

Any UPS you use should provide at least enough power to allow:

  • the controlled shutdown of ICT systems
  • the start-up of an auxiliary power supply.

ICT equipment also needs protection from power surges (relatively lengthy increases in voltage), and power sags and spikes (short, very large increases in voltage). Most UPSs also give some protection from surges and sags.

As most environmental systems rely on mains electricity, an auxiliary power supply may help you  maintain environmental controls.

Auxiliary power supplies should be maintained in line with the manufacturer's directions.

Assessing risks from disasters

Your organisation should identify any environmental or human-induced threats humans to their ICT equipment in their security risk assessment.

As ICT systems may be more sensitive to environmental factors, you may need extra risk mitigation measures, over and above those used to protect people and physical assets from harm.

Protecting against flooding

Water is one of the major threats to any system that uses electricity, including ICT systems.

Site server rooms should be protected against flooding. Flooding may be from external sources (for example, swollen rivers) or internal sources (for example, burst pipes).

If you’re considering locating any server rooms in basements, assess the risk of flooding from internal or external sources.

Protecting against fire

ICT equipment can be damaged through direct exposure to flames, from the effects of smoke (poor air quality), and increases in temperature in the general environment.

Another concern is the potential for flooding during fire-fighting operations. You may be able to use alternatives to water-based sprinkler systems, such as CO2, or other gaseous agents in critical ICT facilities. Base your decision to use alternatives on your risk assessment.

Using back-up ICT systems

Back-up ICT systems can provide a recovery point if your primary ICT systems fail. Back-up systems can form part of your business continuity and disaster recovery plans.

Any back-up system should be, as far as possible, fully independent of the supporting infrastructure used for the primary system so that if the primary ICT system fails, the back-up system does not also fail.

Back-up ICT systems should be regularly tested to ensure their continued operation.

You may use off-site or commercial back-up facilities. Consider dual redundancy. That is, using two back-up facilities for business-critical information and ICT systems.

Ensure that any commercial ICT facilities you use meet all the mandatory security requirements for protecting New Zealand Government information.

If you use a commercial back-up facility, consider the aggregation of information held in the facility, not just your own information, when you work out the levels of physical and logical security needed at the facility.

Information on including security requirements in contracts for outsourced functions is available in Supply chain security.


Securely transporting sensitive items

PHY053

To protect sensitive items, follow the four stages of secure transportation.

The tasks for securely transporting sensitive items fall into four broad stages:

  • assessing the risks
  • planning security before you move the item
  • managing security during the move
  • confirming the item has arrived safely and wrapping up the transport process.  

Sensitive items can be transported in several ways. For example, when people in your organisation:

  • carry items with them (by hand or in a bag)
  • work remotely or abroad (for example, from home or a hotel)
  • transport items in a vehicle.

Understand the threats you need to manage

Whichever way an item is transported, many potential threats exist. For example, an item could be:

  • accidentally lost or damaged
  • stolen by an opportunistic thief
  • abandoned because of an emergency
  • taken from a hijacked or stolen vehicle
  • attacked by someone inside your organisation
  • targeted through espionage.

Carry out a risk assessment

Use a risk assessment to help you understand:

  • the value of the item you need to transport
  • the business impact on your organisation if the item was lost or damaged
  • the likely threats to the item during transport.

Based on your assessment, consider which security measures will achieve the best balance between robust security and operational effectiveness.

To plan effectively, answer the following questions.

What is the nature of the item?

Describe the item’s size, purpose, value, and any significant features that might affect how it is transported.

If the item has a security classification with associated security requirements, ensure you include those requirements in your plan.

Who is involved?

Identify everyone involved in the transport process and what they are responsible for.

Will the process involve getting sign-off from a manager, liaising with a courier, or arranging an escort? Who will receive the item when it’s delivered?

How and when will the item be moved?

Describe how and when the item will be moved.  

What mode of transport will be used? Which routes will be involved? Are there any waypoints to consider? What is the destination?

When is the move happening? Does the intended date and time pose any risks? Consider things like traffic volumes, predicted weather, and major events.

What are the likely risks to the item?

Based on your risk assessment, consider risks from the local environment and the planned route.

What is security like at the sites the item is moving from and to? What is the terrain like on the planned route? Is traffic a concern? Will border security be involved?

Which security measures will best protect the item?

Detail the security measures you’ll use. Ensure the measures are proportionate to the risks you identified in your assessment, and enable everyone involved to effectively manage the transport process.

What are your contingency plans?

If the item is compromised, how will you respond to and manage the situation? Do you have alternative transport plans?

Does everyone involved know what to do?

Make sure you provide the right training and task-specific briefings to the relevant people. They must know how to protect the item and what to do if anything goes wrong.

Keep the following practices in mind when you’re managing security while items are being moved.

Maintain awareness

Scan your surroundings and be alert to potential threats, especially when escorting others.

Keep a low profile

Be discreet. This practice includes the people involved being discreet and the equipment you use to protect an item being discreet.

Communicate as planned

Be prepared to provide status updates as planned or to call for assistance when you need to.

Check your physical security solutions

Ensure security solutions are working as intended. For example, solutions designed to mitigate threats such as opportunist theft, forced entry, or covert attempts to gain unauthorised access.

Once an item has been transported, you need to:

  • check the item has arrived intact and hasn’t been compromised
  • confirm its delivery with the recipient or owner (for example, with a receipt)

You also need to:

  • assess the entire procedure to find out if it was carried out safely (or at least risk-managed)
  • record details of the transfer for auditing purposes.

Best practice guidelines for transporting sensitive items

PHY054

Follow these guidelines to keep sensitive items secure when they’re being transported.

Terms and definitions used in these guidelines

  • Sensitive item: Any item which, if compromised, would have an adverse impact on the owner; or any individual, organisation, or nation connected to the item.
  • Owner: The organisation, individual, or author to whom the sensitive item belongs.
  • Custodian: An organisation or individual that the owner entrusts with sensitive items by the owner to act on behalf of the owner.
  • Authorised person: A trusted individual granted unaccompanied access to sensitive items by the owner in accordance with the needs of their job.
  • Transport container: A holding container in which sensitive items are transported between the owner’s site and an external storage or destruction facility.

When you transport sensitive items, they must be in containers that are discreet, opaque, locked, and strong.

Each container must be fitted with a tamper-evident seal and fixed or locked to the vehicle’s chassis before transportation.

If you transport sensitive and non-sensitive items in the same vehicle, they must be in separate containers.

In a closed-bodied or box vehicle, you can use a load compartment that is not accessible from the driver’s cab as a transport container.

You can’t use an open-bodied or curtain-sided vehicle as a transport container, but you can use it to carry containers.

Fit

Before you use a vehicle to transport sensitive items, depending on your assessment of risk, it should be fitted with:

  • an audible anti-theft alarm and immobiliser, which must be armed when the vehicle is unattended
  • a remote tracking device that makes the location of the vehicle available to the owner.

Lock

You must keep the vehicle cab locked, except when allowing the driver or passengers to enter or exit the vehicle.

Attend

While transporting sensitive items, the vehicle must be attended by at least two authorised persons.

Communicate

Your vehicle crew must have a communication device they can use safely and legally while the vehicle is in motion to communicate with the owner, the receiver of the sensitive items (for example, an external destruction facility), and emergency services.

Your custodian must have a documented route plan for the vehicle, including any planned stops and business continuity procedures, which must be agreed in advance with the owner.

Your custodian must record any deviations from the planned route and inform the owner before or on arrival at the destination.

A vehicle transporting sensitive items can stop at a location other than the owner’s site or external destruction facility. However, the vehicle must:

  • stop for less than one hour at each location
  • be attended and observed by at least one authorised person while stopped.

Inspect

At the end of each stop, the crew must visually inspect the exterior of the vehicle for signs that someone has accessed or attempted to access the vehicle or transport containers. If signs are detected, the crew must  immediately notify the owner or custodian and seek their guidance on what action to take.

When sensitive items in multiple sites belong to one owner: In a single journey, you can use a vehicle to collect sensitive items from multiple sites if they belong to one owner. However, you can’t unload anything from the vehicle until it reaches the destruction facility, and you can’t use the vehicle to transport items between the owner’s sites.

When sensitive items in multiple sites belong to different owners: In a single journey, you can’t use a vehicle to transport sensitive items that belong to different owners.

In a single journey, you can use a vehicle to deliver sensitive items to multiple destruction facilities. However, you can’t use the vehicle to:

  • collect anything from a destruction facility
  • transport items between destruction facilities.

At each external destruction facility, your inventory of unloaded items must be verified before the vehicle departs.

You must load and unload sensitive items within a secure perimeter when possible. When it’s not possible to establish a secure perimeter, each person who loads or unloads the sensitive items must be escorted by at least one authorised person who is not carrying anything.

During loading and unloading the vehicle you use must also be attended and observed by at least one authorised person.

Keeping driver hours within legal limits

Your custodian must have a documented process for ensuring that drivers don’t go over the legal limit for driving hours. The plan should also aim to minimise unplanned stops due to drivers exceeding the driving hours limit.

If the anticipated driving time to a destination would result in all planned drivers exceeding the legal limit, the vehicle must not depart from the owner’s site carrying sensitive items.

When unforeseen circumstances mean that all planned drivers have reached the legal limit, you must follow your crew replacement process (see below).

Replacing a crew

Your custodian must have a documented process for minimising unplanned stops due to unforeseen circumstances relating to the crew — unforeseen circumstances such as fatigue, illness, injury, or having exceeded the legal limit for driving hours.

When unforeseen circumstances mean the crew can’t continue transporting sensitive items, a replacement crew must be available to complete the journey.

Both crews must follow the requirements in Stopping while transporting sensitive items.

The owner must be notified of the replacement crew and the reason for it as soon as possible.

Replacing a vehicle

Your custodian must have a documented process that minimises unplanned stops due to unanticipated circumstances related to the vehicle — unanticipated circumstances such as mechanical failure or an accident.

When a vehicle is no longer able to deliver sensitive items, a replacement vehicle must be available.

An authorised person must secure the sensitive items as soon as possible.

The sensitive items must be:

  • loaded into the replacement vehicle within a secure perimeter
  • transported to a secure location agreed with the owner where an inventory must occur.

The owner must be notified of the vehicle replacement and the reason as soon as practicable.