Understanding the physical security lifecycle

Understand and follow the physical security lifecycle to protect your organisation’s people, information, and assets

PHYSEC lifecycle
PHY009

Understand what you need to protect

Before you can put the right physical security measures in place, you must understand what you need to protect (PHYSEC1). Think about the value of the people, information, and assets in your environment.

You may need to protect:

  • your people, information, and assets
  • the public and customers
  • cultural holdings.

How will your facilities be used?

You need to understand how your facilities will be used, who will use them, who may visit them, and what will be stored in them.

Remember to include any classified information or assets you store, and legislative requirements you need to meet.

Are your people working away from the office?

Consider the situations that your people might face when they are working away from the office.

Will they be working at home? In remote locations? In someone else’s building? Overseas?

Have you taken health and safety needs into account?

Under the Health and Safety at Work Act 2015, organisations must:

  • take all reasonably practicable steps to minimise the risk of harm to employees, clients, and the public
  • ensure their physical security plans address the risk of harm to clients and the public.

Is your organisation co-locating?

If you’re co-locating, work in partnership with the other parties to build a shared understanding of physical security issues and each other’s security requirements.


Assess your physical security

PHY010

When you assess your organisation’s unique risks, you can work out which physical security measures you need to reduce those risks to an acceptable level.

Know your vulnerabilities

You need to know where you are vulnerable and how your organisation would be affected by a security breach.

Here are some questions to answer.

  • What hours will people be working at each site? When will they be arriving and leaving?
  • How many people will be working at each site?
  • Which third parties have access to your facilities?
  • What are the risks associated with collections of information and physical assets you hold?
  • What are the risks associated with higher concentrations of people in certain areas?
  • Which activities does your organisation undertake at each site?
  • Are there threats that arise from your activities?
  • What threats arise from your location and neighbours?

Evaluate the likelihood and impact of each risk to help you understand where you need to take further action. For any risks you can’t accurately assess internally, call on external sources such as local police or other authorities.

Build physical security into plans for sites and buildings

Consider physical security in the concept and design stages to make sure it’s cost-effective and robust. Apply this strategy any time you’re:

  • planning new sites or buildings
  • selecting new sites
  • planning alterations to existing buildings.

For high-risk sites or buildings, you might need to consult early with specialist organisations, such as the New Zealand Security Intelligence Service (NZSIS) and the Government Communications Security Bureau (GCSB).

Evaluate physical security risks before you select a site

Evaluate the following factors to work out if a site is suitable:

  • the neighbourhood
  • the size of the standoff perimeter
  • site access and parking
  • building access points
  • security zones.

Identify risks to people

Under the Health and Safety at Work Act 2015, organisations must:

  • take all reasonably practicable precautions to minimise the risk of harm to employees, clients, and the public
  • ensure their physical security plans address the risk of harm to clients and the public.

To comply with the Act, identify any risks to people that could arise from your measures for protecting information and physical assets. For any risks you identify, put measures in place to reduce them to an acceptable level.

Protect clients and the public from harm

Under the Health and Safety at Work Act 2015 organisations must:

  • protect clients and the public from injury arising from their activities
  • take reasonably practicable measures to protect all people within, and in the immediate vicinity of, their premises.

Sometimes the security measures you use to protect your people may also protect your clients and the public.

If you’re a manager responsible for safety and emergency responses, seek advice from your security staff to ensure you design safety measures that complement your organisation’s security needs.

Identify risks to cultural holdings

If your organisation has culturally significant holdings, you may have to deal with security risks that are not present for other organisations.

As well as conducting a risk assessment, contact similar government and non-government organisations to check whether you’ve considered the full range of risks and controls.

Assess risks from co-locating with other organisations

If you’re co-locating or co-tenanting with other organisations, consider the combined security risks and work together to assess them. Then apply protective security measures collaboratively to address the collective risks. Remember to also consider the risks to your organisation.

Feed into your organisation’s security planning

Use your physical security risk assessments to inform the physical security components of your organisation’s overall security plan.

Remember to:

  • assess the risks of each site you use separately, as you need to develop site-specific security plans
  • consider the different threat profiles of separate business units within your organisation
  • include physical security risks in your organisation’s risk register(s).

PHY012

Assess your physical security threats so you can put the right controls in place.

Threats may affect your whole organisation or be specific to one site or area. Specific threats could apply to your people, clients, and the public. Remember to also assess any threats to individual assets.

Use your threat assessments to inform your organisation’s overall risk assessment.

Call on experts when you need to

When you don’t have the right expertise to assess a threat, call on external sources, such as your local police and other authorities to help you.

If you need input from the New Zealand Security Intelligence Service (NZSIS) to complete your threat assessment, contact your PSR Engagement Manager.

Assess when your facilities might need extra protection

Some threats to facilities increase the likelihood of harm to people, information, or physical assets. You’ll need to put additional or stronger controls in place to mitigate those threats.

Here are some questions to get you thinking about situations when your organisation might need to put extra protection in place at facilities.

  • How much do the public know about what your facilities are used for? Are any contentious programmes run at your facilities?
  • Is there a high level of crime in the neighbourhood?
  • Are your people at risk of violence from clients?
  • Are your facilities at risk from public violence arising from protests?
  • Is terrorism a possible threat?
  • Do you have any shared facilities? Examples include single-use facilities, co-tenancies with private high-risk tenants, and work areas within your organisation with diverse programmes.
  • How valuable are the information and physical assets in your facilities? Would they be attractive to groups of security concern, including foreign intelligence services, issue-motivated groups, and trusted insiders?

PHY011

Assess your physical security risks during your site selection process.

Involve your chief security officer and other security people early in the process of selecting a site. You need to ensure that a potential site can meet your organisation’s security needs.

Evaluate the site

Evaluate the following physical security factors to work out if a site is suitable.

Does the neighbourhood pose any risks?

Examples of neighbourhood-related issues that might affect your decision to use a site are the:

  • level and type of criminal activity in the area
  • impact of risks to or from neighbours (organisations, businesses, and residents)
  • impact of oversight of your organisation’s operations (for example, neighbouring buildings with a line of sight into your premises).

Is there enough space for a standoff perimeter?

You might need a certain standoff distance to protect a building from threats. In some urban environments, it can be hard to achieve an effective standoff distance.

Remember to consider any threats pedestrians and vehicles may cause.

Does the site meet your access and parking needs?

Check and evaluate access through the standoff perimeter and into the facility.

  • What is access like for pedestrian traffic, delivery vehicles, and cars?
  • Does the site easily accommodate normal business?
  • How will you control and monitor parking within the perimeter?
Can you secure all access points?

Make sure all building access points can be secured, including:

  • entries
  • exits
  • air intakes and outlets
  • service ducts.

Does the site accommodate your security zones?

  • Can the site provide the security zones you need (the zones you identified in your risk assessment)?
  • Can you implement security in depth at the site?

Is the site at risk in a natural disaster?

Seek specialist advice about the risks of natural disasters in the area, and which mitigation strategies to apply. Contact your local territorial authority for information on natural hazards for a site.

If your organisation chooses a site that is at risk from a natural disaster, select security products that protect against the associated physical security risks.
Design physical security early in your processes

PHY013

Physical security measures are usually more expensive and less effective if they’re retrofitted after design is complete. So consider your physical security requirements at the earliest stages – preferably during the concept and design stages.

Site planning

PHY014

Organisations must assess whether the physical security environment is acceptable as part of their regular security risk assessment.

Use your site-specific risk assessments to help you:

  • prepare site-specific security plans
  • include security requirements within other site development plans.

Consult with security experts early in the planning process

Since physical security measures may be more expensive and less effective if introduced at a later stage, evaluate your security requirements in consultation with your chief security officer (CSO) at the earliest stages of planning new sites or buildings, or alterations to existing buildings.

For high-risk sites or buildings, consult early with relevant agencies, such as the New Zealand Security Intelligence Service (NZSIS), the Government Communications Security Bureau (GCSB), or other specialist agencies.

Create site security plans

Consider security measures for new buildings and sites as early as possible, preferably during the concept and design stages.

A site security plan documents measures to counter identified risks to your organisation’s functions and resources at the site.

Your organisation must prepare site security plans for any:

  • new sites
  • greenfield sites
  • facilities under construction
  • facilities undergoing major refurbishment.

For each site security plan, you need to ensure that your physical security measures:

  • provide enough delay that the planned response can take effect before an intruder reaches the protected people, information, or assets
  • meet business needs
  • complement and support other operational procedures
  • include any necessary measures to protect audio and visual privacy
  • do not unreasonably interfere with the public.

Remember to think about where different functions of your organisation will be sited within a facility, so these locations can be constructed to provide appropriate protection.

What to include in a site security plan

In your plan, document the answers to the following groups of questions.

Location and ownership

  • What is the location and nature of the site?
  • Does your organisation have sole or shared ownership, or tenancy of the site?

People

  • What hours will your people work at the site?
  • Who else will visit the site (for example, the public, service providers)?
  • What hours are you open to the public or other visitors?

Protectively-marked information

  • What protectively-marked information will be stored, handled, processed, or otherwise used in each part of the site? Which protective measures will you need for that information?
  • Which protective measures are needed for sensitive discussions and meetings (including those that involve protectively-marked information)?

ICT assets and resources

  • Which information and communications technology (ICT) assets and resources will be on the site? (Including, but not limited to, data, software, hardware, workstations, servers, frames and cabling, and portable devices such as laptops and tablets.)

Whole site, areas within the site, scalable measures

  • Which protective measures are needed for the site as a whole?
  • Which protective measures are needed for certain areas within the site? For example, part of a floor that will hold information of a higher classification than the rest of the site.
  • How will you scale your security measures to meet increases in threat levels?

Protect your security plans

Remember that your site security plans contain valuable information about your organisation’s security and operations. Assess the impact of any loss or harm to your plan and apply a protective marking if necessary.

Include security requirements in briefs and contracts

Include all relevant security measures from your site security plans in building design briefs and requests for tender and contracts, so they’re included in the completed facilities.

Get your physical security design accepted

PHY036

Before you can implement your physical security measures, your chief security officer (CSO) or other delegated person must accept that the proposed security design:

  • is fit for purpose
  • will address your organisation's specific requirements.

Before you submit your physical security plan for sign-off, confirm that the design mitigates the risks and vulnerabilities in every area you identified in the risk assessment phase, and record any residual risk the CSO is being asked to accept.

Implement your physical security measures

PHY037

During this phase, you implement the agreed physical security measures, including policies, processes, and technical measures.

Build physical security into your business relationships and contracts

Work with your suppliers, co-tenants, and landlords to ensure they understand and can meet your security requirements. Build good physical security into your contracts and partnerships.

Remember to include all relevant measures or outcomes identified in your site security plans in building design briefs, requests for tender, and contracts.

Manage your planning and building processes

You need to account for the risks involved in the planning and building lifecycle. Make sure your physical security measures are implemented when there are new builds, refurbishments, or assets shifted from one workplace or area to another. Take the implementation process right through to when assets and information are retired or destroyed.

Maintain records

You need to maintain records throughout the build process to support your certification and accreditation processes. These records may include:

  • photographs showing construction techniques
  • certificates confirming equipment has been installed by a certified installer.

Validate your physical security measures

PHY038

Validating your organisation’s physical security measures means finding out if they’ve been correctly implemented and are fit for purpose (PHYSEC3).

Provide trust and accountability through validation

Your chief security officer (CSO) decides whether the measures are right for the risks your organisation faces. These risks may vary from site to site.

The validation step gives senior executives confidence that:

  • physical security is well managed
  • risks are properly identified and mitigated
  • governance responsibilities can be met.

Ensure you are certified and accredited

Conduct the certification and accreditation process required for the type of physical security measure being implemented.

Ensure security zones are accredited

For physical spaces, follow the certification and accreditation processes required by the security zone. As well as keeping your organisation secure, accreditation gives organisations you work with confidence in your security.

Meet requirements for protectively-marked information

Extra security measures apply to protectively-marked information to help keep this important and valuable information safe.

Make sure you are familiar with the physical security requirements for protectively-marked information and equipment addressed in the requirements for security zones 3 to 5.

Operate and maintain to stay secure

PHY040

It is important to operate and maintain your security measures appropriately, so they continue to provide the protection you need (PHYSEC4).

Raise awareness of your physical security measures

An important part of maintaining security is providing security awareness training and support.

Let your people know about any security risks that may affect their personal safety or security.

Communicate your physical security policies to your people and to the people your organisation works with. Let them know when physical security arrangements change, and, when possible, say why.

Encourage your people to report emerging concerns or near misses as part of being good corporate citizens (rather than troublemakers). Make sure they know that if they respond to a security incident, they shouldn’t do anything that unreasonably jeopardises their personal safety.

Give each employee a summary of your emergency and security procedures.

Analyse evolving threats and vulnerabilities

Keeping your people, information, and assets secure involves ongoing activity to detect and manage evolving threats and vulnerabilities.

To manage your vulnerabilities in your physical security, take the following action.

  • Monitor your systems, assets, and people.
  • Observe events and processes to detect suspicious or unauthorised events.
  • Be proactive to stay on top of vulnerabilities or weaknesses in your layers of security.
  • Assess your security measures against best practice and known security threats.
  • Analyse, prioritise, and report on vulnerabilities that pose the most immediate risk to your organisation.
  • Apply and track fixes to completion.

Keep your physical security measures up to date

To be effective, your physical security measures must reflect your actual risks. Stay up to date and prepared by:

  • proactively maintaining your user access control systems (for example, by testing duress alarms and checking batteries every 6 months)
  • testing your procedures to ensure they are fit for purpose.

Respond to physical security incidents

You need to manage security incidents well to reduce their impact. Aim to both reduce the impact of any incident and recover quickly.

Responding to security incidents should be part of your security plan.

Respond and recover

When an incident happens, follow your processes for responding to the incident. Act quickly to reduce the impact, and help your organisation recover as quickly as possible. You might also need to restore the confidence of anyone who has been affected by an incident.

Record and assess

Record the details of any incident or near miss, and assess the degree of compromise or harm.

Communicate

Make sure you communicate security incidents to the affected parties and any relevant authorities. You might need to warn people to avoid further harm or report on the incident.

Investigate, act if necessary, and learn

After a security incident, you need to investigate. If necessary, take further action. Make sure your organisation learns from the incident, so you can improve your security measures.

Transport physical assets securely

When your physical assets are transported outside your premises, you must protect them in line with the potential business impact of loss, compromise, or damage.

Most physical assets are more at risk from theft during transport than when they’re housed in your facility. Seek advice from your insurers to help you develop robust processes.

Consider control measures such as escorts or guards, or employing secure transport specialists.

Review your physical security measures regularly

PHY041

Undertake regular reviews to ensure your security measures remain fit for purpose. Identify changes in your use of facilities, in your organisation, or your threat environment. Use this information to inform improvements.

Conduct periodic reviews and assure compliance

Regularly monitor, review, and audit your physical security measures.

You need to know if:

  • your physical security policies are being followed
  • your physical security controls are working as planned
  • any changes or improvements are necessary.

Identify changes in your security environment

Be prepared to restart your physical security lifecycle whenever your security environment changes.

Consider these questions to inform changes and improvements:

  • Are you using your information and assets in a different way?
  • Are you using your facilities in a different way?
  • Are your people working in a different way?
  • Are you planning improvements to internal or external security services?
  • Have you identified new security threats and vulnerabilities?
  • Will your existing security measures be effective against the new threats and vulnerabilities?

Retire information and assets securely

PHY042

When your building, facilities, information, or assets are no longer needed, make sure you consider the security implications during the decommissioning phase.

Have a plan for destroying, redeploying, or disposing of your facilities, information, or assets securely. For example:

  • safes or filing cabinets containing classified information
  • printers / multi-function devices.

Plan secure storage and transport

Have a plan for keeping your information or equipment secure while it is being stored (awaiting destruction) and when it is being transported to a destruction facility.

Destroy protectively-marked information and equipment properly

You must destroy protectively-marked information and equipment, so that the waste can’t be reconstructed or used.

Secure disposal or reuse of ICT equipment

You must sanitise or destroy all ICT equipment and media before disposal in line with the New Zealand Information Security Manual (NZISM) – Product Security and Media Security. This includes devices with internal storage such as printers, photocopiers, and faxes.

You may re-use ICT equipment if it has been sanitised correctly.

Use appropriate destruction equipment

Destruction equipment is used to destroy protectively-marked information (paper-based and ICT media) so that the waste cannot be reconstructed.

You must destroy protectively-marked information using appropriate destruction equipment or an NZSIS-approved destruction service or a GCSB-approved destruction facility.

Further information can be found in the NZISM.

You should use one of the following options when destroying paper or ICT media:

  • shredding
  • disintegrating
  • pulping (paper-based only)
  • pulverising (ICT media only).

Using shredders

You may use shredders to destroy paper and some ICT media, for example CDs and single- and dual-layer DVDs.

Paper shredders

Commercial strip-cut shredders are not suitable for destroying protectively-marked material or sensitive waste. Anybody wishing to access the information will have little difficulty reconstructing the pages from the resulting strips.

Cross-cut shredders produce smaller pieces that are harder to reconstruct. The smaller the particle size, the more secure the result.

Manufacturers grade their shredders against various international standards, and those standards define each security level differently. Compare the maximum particle size, not the grade number on the label.

Take care when purchasing a shredder to ensure the maximum particle size is suitable for the highest classification you need to destroy.

You must use the following shredders to destroy paper-based protectively-marked information.

  • Grade 3 shredder, maximum particle size 4 mm x 15 mm, suitable for Business Impact Levels (BILs) up to and including high, or protectively-marked information up to and including RESTRICTED.
  • Grade 4 shredder, maximum particle size 1 mm x 15 mm, suitable for BILs up to and including extreme, or protectively-marked information up to and including SECRET.
  • Grade 5 shredder, maximum particle size 1 mm x 5 mm, suitable for all BILs including TOP SECRET and information with compartmented markings.

When possible, use a commercial cross-cut shredder for paper waste containing official information where compromise would have a BIL up to and including medium.

Alternatively, you may use an NZSIS-approved destruction company for protectively-marked information up to and including SECRET, or up to and including TOP SECRET when the destruction is directly supervised by one of your people.

Also refer to NZSIS Security Equipment Guide for Shredders (under development).

ICT media shredders

Ask the GCSB for advice on approved media shredders and destruction facilities to destroy ICT media.