PHY004
Keep your organisation secure with robust physical security by following the mandatory requirements and the associated physical lifecycle stages explained below.
Understand what you need to protect
Before you can put the right physical security measures in place, you must understand what you need to protect. You may need to protect:
- your people, information, and assets
- the public or customers
- cultural holdings.
How will your facilities be used?
You need to understand how your facilities will be used, who will use them, who may visit them, and what will be stored in them. Remember to include any classified information or assets you store, and legislative requirements you need to meet.
Are your people working away from the office?
Consider the situations that your people might face when they are working away from the office.
Will they be working at home? In remote locations? In someone else’s building? Overseas?
Have you taken health and safety needs into account?
Under the Health and Safety at Work Act 2015, organisations must:
- take all reasonable steps to minimise the risk of harm to employees, clients, and the public
- ensure their physical security plans address the risk of harm to clients and the public.
Is your organisation co-locating?
If you’re co-locating, work in partnership with the other parties to build a shared understanding of physical security issues and each other’s security requirements.
Assess your physical security risks
When you assess your organisation’s unique risks, you can work out which physical security measures you need to reduce those risks to an acceptable level.
You need to know where you are vulnerable and how your organisation would be affected by breached security. Here are some questions to answer.
- During what hours will be people be arriving, departing, and working at each site?
- How many people will be working at each site?
- Which third parties have access to your facilities?
- What are the risks associated with collections of information and physical assets you hold?
- What are the risks associated with higher concentrations of people in certain areas?
- Which activities does your organisation undertake at each site?
- Are there threats that arise from your activities?
- What threats arise from your location and neighbours?
Evaluate the likelihood and impact of each risk to help you understand where you need to take further action. For any risks you can’t accurately assess internally, call on external sources such as local police or other authorities.
If you’re co-locating with other organisations, consider the combined security risks and work together to assess them.
Remember to:
- assess the risks of each site you use separately, as you need to develop site-specific security plans
- include physical security risks in your organisation’s risk register(s).
Design physical security early in your processes
Since physical security measures can be more expensive and less effective if they’re introduced later, consider your physical security requirements at the earliest stages — preferably during the concept and design stages. Apply this strategy any time you’re:
- planning new sites or buildings
- selecting new sites
- planning alterations to existing buildings.
For high-risk sites or buildings, you might need to consult early with specialist organisations, such as the New Zealand Security Intelligence Service (NZSIS) and the Government Communications Security Bureau (GCSB).
Evaluate physical security risks before you select a site
Evaluate the following factors to work out if a site is suitable:
- the neighbourhood
- the size of the stand-off perimeter
- site access and parking
- building access points
- security zones.
Prepare site security plans
Use your site-specific risk assessments to help you:
- prepare site-specific security plans
- include security requirements within other site development plans.
Your organisation needs to have a site security plan for all new sites, facilities under construction, and facilities undergoing major refurbishments. This plan should align with any minimum security standards your organisation has agreed for specific types of facility.
For each site security plan, ensure that physical security measures:
- provide enough delay to allow planned responses to take effect
- meet business needs
- complement and support other operational procedures
- include any necessary measures to protect audio and visual privacy
- do not unreasonably interfere with the public.
Use security zones to reflect business impact levels
Extra security measures apply to areas where protectively-marked information and other official or valuable resources are processed, handled, and stored. These areas are called ‘security zones’. Security zones are based on the BILs and each has minimum security controls that your organisation must implement.
If your organisation faces increased threat levels, use your risk assessments to work out what extra measures you need in each affected zone. Increased threat levels can be due to foreign interference, politically motivated violence, criminal activity, or cyber-attacks.
Apply good practice for physical security design
Security by design
Physical security measures are capable of mitigating a range of risks. However, given enough time and determination, an unauthorised person can compromise almost any physical security measure.
Physical security measures aim to protect people, information, and assets from compromise or harm by applying the ‘Deter, Detect, Delay, Respond, Recover’ model.
| Deter | Deter or discourage unauthorised people from attempting to gain unauthorised access to your facility. Implement measures that unauthorised people perceive as too difficult or needing special tools and training to defeat. |
| Detect | Detect unauthorised access as early as possible. Implement measures to work out whether an unauthorised action is occurring or has occurred. |
| Delay | Delay an unauthorised access attempt for as long as possible to allow an effective security response to be activated. Implement measures to slow the progress of a harmful event. |
| Respond | An effective response counters the anticipated activity of an unauthorised person within a time appropriate to the delay measures. Prepare measures to prevent, resist, or mitigate the impact of an attack or event. |
| Recover | Take the steps required to recover from a security incident. Plan to restore operations to as near normal as possible in a timely manner following an incident. |
Use multiple layers of security — ‘security in depth’
A key concept in physical security is ‘security in depth’ — a multi-layered system in which security measures combine to support and complement each other. You can apply this concept by placing zones within zones. This layering increases total delay times and creates additional barriers. Any unauthorised person trying to access the higher zones will meet increasing levels of controls.
The following diagram shows a possible combination of security zones.
Use NZSIS-approved product
Government organisations must use items from the NZSIS Approved Products List (APL) for the protection of people, information, and assets.
The information in the list is classified. Contact the PSR team for more information.
Address all points where your physical security could be breached
Design your security measures to address your critical physical security risks and vulnerabilities, including cyber-security threats, your physical security culture, and security products and processes.
Know and comply with all relevant laws and standards
The design of your physical security measures must comply with the Health and Safety at Work Act 2015, the Privacy Act 2020, the Building Act 2004, and any associated regulations. The design must comply with any relevant international conventions (for example, the United Nations Convention against Torture, and Other Cruel, Inhuman or Degrading Treatment or Punishment).
Your design must also comply with the NZSIS Technical Notes (for Zone 3, 4, or 5 areas) and the New Zealand Information Security Manual (NZISM).
You must also work out whether any safety hazards could arise from your security measures, and then have a plan to manage those hazards in line with relevant legislation.
Add to your business continuity and disaster recovery plans
The physical security requirements you identify during the design phase should also be in your business continuity and disaster recovery plans, to ensure ongoing security in the event of a business disruption.
Apply ‘Crime prevention through environmental design’ (CPTED)
Make CPTED an integral part of your facility planning. Use CPTED to identify which aspects of your physical environment could affect people’s behaviour, and then design your physical environment to minimise crime.
Collaborate to make shared facilities secure
If your organisation shares accommodation or facilities with other organisations, conduct a risk assessment and apply physical security measures collaboratively to address collective risks.
Evaluate the risks of co-tenancies in any shared facility when you carry out your risk assessment.
Consider how security measures for one area could affect other areas
Consider the threat profiles of different areas within your organisation when you develop physical security measures. For example, do physical security measures in one area affect the security or operations of any other areas?
Assess physical security risks for people working away from the office
When you develop policies and procedures for people working remotely, consider any increased security risks to your people, information, and physical assets.
Accept: Get your physical security design accepted
Before you can implement your physical security measures, your Chief Security Officer (CSO) or other delegated person must accept that the proposed security design:
- is fit for purpose
- will address your organisation’s specific requirements.
Consider whether you have mitigated your risks and vulnerabilities in all the areas you identified in the risk assessment phase before you submit your physical security plan for sign-off.
Implement your physical security measures
During this phase, you implement the agreed physical security measures, including policies, processes, and technical measures.
Build physical security into your business relationships and contracts
Work with your suppliers, co-tenants, and landlords to ensure they understand and can meet your security requirements. Build good physical security into your contracts and partnerships.
Remember to include all relevant measures or outcomes identified in your site security plans in building design briefs, requests for tender, and contracts.
Manage your planning and building processes
You need to account for the risks involved in the planning and building lifecycle. Make sure your physical security measures are implemented when there are new builds, refurbishments, or assets shifted from one workplace or area to another. Take the implementation process right through to when assets and information are retired or destroyed.
Validate your physical security measures
Validating your organisation’s physical security measures means finding out if they’ve been correctly implemented and are fit for purpose.
Provide trust and accountability through validation
Your CSO decides whether the measures are right for the risks your organisation faces. These risks may vary from site to site. The validation step gives senior executives confidence that physical security is well managed, risks are properly identified and mitigated, and governance responsibilities can be met.
Ensure you are certified and accredited
Conduct the certification and accreditation process required for the type of physical security measure being implemented.
Ensure security zones are accredited
For physical spaces, follow the certification and accreditation processes required by the security zone. As well as keeping your organisation secure, accreditation gives organisations you work with confidence in your security.
Meet security requirements for protectively-marked information
Extra security measures apply to protectively-marked information to help keep this important and valuable information safe.
Make sure you are familiar with the physical security requirements for protectively-marked information and equipment addressed in the requirements for security zones 3 to 5.
Operate and maintain
Raise awareness of your physical security measures
An important part of maintaining security is providing security awareness training and support. Communicate your physical security policies to your people and to the people your organisation works with. Let them know when physical security arrangements change, and, when possible, say why.
People should be encouraged to report emerging concerns or near misses, and be seen as good corporate citizens rather than troublemakers.
Analyse evolving threats and vulnerabilities
Keeping your people, information, and assets secure involves ongoing activity to detect and manage evolving threats and vulnerabilities.
To manage your vulnerabilities in your physical security, take the following action.
- Monitor your systems, assets, and people.
- Observe events and processes to detect suspicious or unauthorised events.
- Be proactive to stay on top of vulnerabilities or weaknesses in your layers of security.
- Assess your security measures against best practice and known security threats.
- Analyse, prioritise, and report on vulnerabilities that pose the most immediate risk to your organisation.
- Apply and track fixes to completion.
Keep your physical security measures up to date
To be effective, your physical security measures must reflect your actual risks. Stay up to date and prepared by:
- proactively maintaining your user access control systems (e.g. testing duress alarms, checking batteries every 6 months)
- testing your procedures to ensure they are fit for purpose.
Respond to physical security incidents
You need to manage security incidents well to reduce their impact. Aim to both reduce the impact of any incident and recover quickly.
Responding to security incidents should be part of your security plan.
Respond and recover: When an incident happens, follow your processes for responding to the incident. Act quickly to reduce the impact, and help your organisation recover as quickly as possible. You might also need to restore the confidence of anyone who has been affected by an incident.
Record and assess: Record the details of any incident or near miss, and assess the degree of the compromise or harm.
Communicate: Make sure you communicate security incidents to the affected parties and any relevant authorities. You might need to warn people to avoid further harm or report on the incident.
Investigate, act if necessary, and learn: After a security incident, you need to investigate. If necessary, take further action. Make sure your organisation learns from the incident, so you can improve your security measures.
Review your physical security measures regularly
Undertake regular reviews to ensure your security measures remain fit for purpose. Identify changes in your use of facilities, in your organisation, or your threat environment. Use this information to inform improvements.
Conduct periodic reviews and assure compliance
Regularly monitor, review, and audit your physical security measures. You need to know if:
- your physical security policies are being followed
- your physical security controls are working as planned
- any changes or improvements are necessary.
Identify changes in your security environment
Be prepared to restart your physical security lifecycle whenever your security environment changes. Consider these questions to inform changes and improvements.
- Are you using your information and assets in a different way?
- Are you using your facilities in a different way?
- Are your people working in a different way?
- Are you planning improvements to internal or external security services?
- Have you identified new security threats and vulnerabilities?
Retire securely
When your building, facilities, information, or assets are no longer needed, make sure you consider the security implications during the decommissioning phase.
Have a plan for destroying, redeploying, or disposing of your facilities, information, or assets securely. For example:
- safes or filing cabinets containing classified information
- printers / multi-function devices.
Destroy protectively-marked information and equipment properly
You must use NZSIS-approved destruction equipment or an NZSIS-approved destruction service to destroy protectively-marked information and equipment, so that the waste can’t be reconstructed or used.