Implementing a risk-based approach to protective security

GOV003

These guidelines will help your organisation to:

• manage security risks
• meet security threats
• protect people, information, and assets
• give assurance to other organisations you work with.

How to develop policies, plans and processes – an overview

First, set up a policy framework based on your organisation’s operational needs.

Then identify which assets you need to protect — the assets required for your organisation’s ongoing operations, or for the national interest. Include personnel, information, physical assets, and services.

Next, conduct a risk assessment. Use the Business Impact Levels (BILs) to help you assess risk. BILs enable consistent assessment of the impact if assets are compromised or lost.

Use your risk assessment to inform your policies, plans, and processes — to tell you which security measures you need to implement, how, and when.

Remember to consider other operational policies and outcomes that could be affected by your policies, plans, and processes.

Record your policies, plans and processes in a single document or separate documents. If you choose to use separate documents, make sure you coordinate their development.

Ensure your whole organisation is aware of your security policy, plans and processes. Consider publishing them on your intranet and promoting them. Building security awareness has more information.

Review them regularly to identify gaps and keep up with changes to risk factors — at least every 2 years.

Create security policy that covers governance, personnel, information, and assets

Your protective security policy gives a mandate for your organisation’s protective security plan and processes. It should meet the PSR mandatory requirements.

Your chief executive/agency head, or their delegate, should approve your protective security policy and support its enforcement. Your Chief Security Officer (CSO) should actively monitor the policy.

Protective security policies must cover four key areas – governance, personnel, information, and physical.

Each policy should say why the policy is necessary and who has authorised it. 

Governance arrangements

Governance arrangements cover how protective security relates to other components of operational governance, including:

• employee and public safety
• security requirements in contracts
• assigning security management roles
• Business Impact Levels (BILs)
• audit and compliance reporting
• fraud risk management
• sourcing and handling foreign government information
• processes for policy exceptions
• review and amendment processes.
• Personnel security policy

Make sure your personnel security policy covers:

• security checks for employees and contractors
• security clearance requirements, including managing security clearances
• emergency access to protectively-marked material
• how you will investigate and manage security incidents.

Information security policy

Your information security policy should cover:

• protective marking of documents
• access to ICT and storage
• email and internet use
• remote working and mobile computing
• removal of information from your organisation’s premises
• control of your organisation’s information held by commercial entities
• control of personal and commercial information held by organisations on behalf of other parties. 

Creating a policy for protective marking of documents gives you detailed guidance on this aspect of your information security policy.

You should use the following sources as your primary guidance when developing information security policy:

• Management protocol for information security
• New Zealand Information Security Manual(external link)
• New Zealand Government Security Classification System
• Handling Requirements for protectively marked information and equipment
• AS/NZS ISO/IEC 27002:2013 Information Technology - Security Techniques - Code of Practice for Information Security Management, section 5.

Physical security policy

Your physical security policy should address:

• access to your facilities by your people, visitors, and children — you might need site-specific policies if different facilities have different roles or risks
• the security and safety of your people – ensure your security policy fits with your other safety policies
• working away from your office
• the physical security of your information.

Develop your security plan and processes

Your organisation’s protective security plan and processes must mitigate security risks while allowing secure information sharing.

Protective security processes may form part of your security plan, or be standalone advice to employees.

Your plan should be comprehensive and detailed. Achieve this by:

• consulting with people from every section of your organisation
• involving staff who directly manage security or related work (for example your Chief Security Officer, Chief Information Security Officer, Health &Safety Manager, Information Technology Security Manager, Privacy Officer, property managers and security manager / advisors) when you develop and review the plan.

Also involve senior management and get their support to ensure the plan’s success.

The objectives of a security plan should be to:

• use risk assessments to identify areas of security risk
• outline practical steps to minimise risks.

Develop separate site security plans for each of your individual sites.

Consider carefully how you classify and protect the security plan, and the business impact if the plan’s confidentiality is compromised. Classify individual elements of the plan as appropriate.

Your security plan must cover four key areas – security of governance, personnel, information, and physical assets.

Governance arrangements

• Governance arrangements should include:
• roles and responsibilities for security
• contract service providers and third-party security
• business continuity and disaster recovery planning
• measures to increase security if threats to your organisation increase
• reporting incidents and conducting security investigations
• audit and compliance reporting
• fraud risk management
• review and amendment.

If governance arrangements are standalone plans managed by other sections of your organisation, consult your security management personnel as you develop the individual plans.

Personnel security arrangements

Personnel security arrangements should include:

• personnel security provisions in the recruitment process, working with your human resource management team
• national security vetting and clearance lists
• contact reporting
• security clearance management
• ongoing security awareness training.

Information security arrangements

Information security arrangements should include:

• information handling within the organisation, in transit, and out of the office
• protectively-marked information archives, working with your records management
• ICT access and storage
• ICT network security
• remote working and mobile computing
• hardcopy information storage and handling.

Physical security arrangements

Physical security arrangements should include:

• site security plans
• physical security of your people, visitors and the public, along with safety plans
• physical security of information
• protection of physical assets
• access control systems
• security alarm systems
• security of disaster recovery or alternative sites, along with business continuity plans
• physical security for remote working and working away from the office.

Suggested format for a security plan

Here are suggested headings and sections for your organisation’s security plan.