• Access

    Obtaining knowledge or possession of information (including verbal, electronic and hard copy information) or other resources, or obtaining admittance to an area.

  • Access control system

    A system designed to limit access to facilities to authorised people whose identity has been verified.

  • Accountable

    Required or expected to justify actions or decisions; answerable and responsible.

  • ACCOUNTABLE MATERIAL

    The ACCOUNTABLE MATERIAL endorsement marking is used to indicate that the information requires strict control over its access and movement, as well as regular auditing, to ensure its safe custody. What constitutes ACCOUNTABLE MATERIAL will vary from agency to agency. A risk assessment will determine the frequency of auditing practices.

    (Note: TOP SECRET information is ACCOUNTABLE MATERIAL by default.)

  • Accreditation

    The process by which an approving authority gives formal recognition and approval that appropriate levels of security have been implemented to protect facilities and/or systems.

    Accreditation is designed to ensure minimum standards are met and maintained throughout the lifespan of facilities and Information and Communications Technology (ICT) systems, and that any residual risks are appropriately managed.

  • Adverse security vetting recommendation

    A written assessment from the New Zealand Security Intelligence Service (NZSIS) containing a recommendation of prescribed administrative action that would be prejudicial to the interests of the candidate. For example, a recommendation that a candidate should not be given access to protectively marked material.

  • Aftercare (personnel security)

    See Security clearance management.

  • Agency (or New Zealand government agency)

    All New Zealand government departments, authorities, agencies or other bodies established in relation to public purposes, including departments and authorities staffed under the State Sector Act 1988 and Public Finance Act 1989. This includes the State Services Commission, tertiary education institutions, state-owned enterprises and mixed ownership model companies, as well as agencies operating as instruments of the legislative branch of government.

  • Agency head

    The head of an agency as outlined above. Endorses and is accountable for all protective security within the agency.

  • Agency security management personnel

    Employees who are responsible for the day-to-day protective security functions within that agency. Duties may include: security risk reviews and audits, security awareness programmes for agency staff, preparation of agency security plans and security risk management advice.

  • Agency security plan

    The plan of action the agency uses to address its security risk, based on the context in which the agency operates and a thorough threat and risk review.

  • Agency-specific character checks (fit and proper person checks and personnel security)

    Personnel or employment checks other than the security clearance vetting process, undertaken by agencies as part of their personnel security management to address specific agency risks.

  • Aggregation

    A term used to describe collections of protectively marked or UNCLASSIFIED official information or assets where the business impact from the compromise of confidentiality, loss of integrity or unavailability of the combination of the information or assets is greater than its component parts and may require a higher level of protection.

  • Agreement (information sharing)

    An instrument, agreement or treaty between the New Zealand Government and another government. An arrangement or Memorandum of Understanding (MOU) between a New Zealand government agency and a foreign agency for the exchange and protection of information. Also see bilateral agreement and multilateral agreement.

  • AOG

    All of Government

  • APL

    Approved Products List

  • APPOINTMENTS

    The APPOINTMENTS endorsement marking is used when the actual or potential appointments have not yet been announced, and for the deliberation during the recommendation–approval process. 

  • Approved Products List (APL)

    A list of all security products that have been tested and evaluated by the NZSIS and approved for use in the protection of national protectively marked information or material.

  • Asset

    An item that has a value to an agency – including personnel, information, physical assets and services. Also see Official resources.

  • Attached staff

    Government employees from any agency who are posted overseas and who work mainly from the chancery premises (building or office of a diplomatic or consular mission) managed by the Ministry of Foreign Affairs and Trade (MFAT).

  • Audit

    An independent examination and verification of an agency’s systems and procedures, measured against predetermined standards.

  • Authentication

    The process of confirming a claimed identity or information.

  • Authorised persons (specified persons)

    Specified persons who are authorised by the agency to have access to carry out work or perform duties. 

  • Availability (of information)

    The desired state that allows authorised users to access defined information for authorised purposes at the time they need to do so.

  • BCM

    Business Continuity Management

  • BCP

    Business Continuity Plan

  • BIL

    Business Impact Level 

  • Bilateral agreement

    An agreement between the New Zealand government or a New Zealand government agency and the government or agency of another country that provides for the reciprocal exchange of official information. Also see Multilateral agreement and Foreign Government Information (FGI).

  • BMS

    Building Management System

  • Breach

    See Security breach.

  • Briefings

    Additional specific training required before a person is given access to certain compartmented marking information or sensitive sites.

  • BUDGET

    The BUDGET endorsement marking is used for proposed or actual measures for the Budget before its announcement.

  • Business Continuity Planning (BCP)

    The development, implementation and maintenance of policies, frameworks and programmes to assist agencies in managing a business disruption, as well as build agency resilience. It is the capability that helps in preventing, preparing for, responding to, managing and recovering from the impacts of a disruptive event.

  • Business Impact Level (BIL)

    The level of impact on an agency’s ability to operate or on the national interest, resulting from the compromise of confidentiality, loss of integrity or loss of availability of people, information or assets.

  • CABINET

    The CABINET endorsement marking is used for material that will be presented to, and/or require decisions by, Cabinet or Cabinet committee.

  • Candidate (personnel security)

    An individual undergoing security vetting is known as the candidate.

  • CCTV

    Closed-Circuit Television

  • CDR

    Classified Document Register

  • Certification

    A procedure by which a formal assurance statement is given that functions, goods or services conform to a specified standard.

  • Change of circumstance

    A relevant change to an employee’s personal circumstances subsequent to a security vetting being conducted and an assessment made.

  • Chief Information Security Officer (CISO)

    A senior executive who is responsible for coordinating communication between security and business functions. The CISO also oversees the application of controls and security risk management processes within an agency.

  • Chief Security Officer (CSO)

    The CSO is an agency executive with overall responsibility for security. The CSO is answerable to, and must have free access to, the agency head on all security-related matters. See New Zealand Government Protective Security Requirements – Security Structure and Agency Responsibilities.

  • CISO

    Chief Information Security Officer

  • Classification system

    See Security classification system.

  • Classified Document Register (CDR)

    A register that includes details of all accountable material, including TOP SECRET protectively marked documents and copies received.

  • Clear desk policy

    A policy requiring an individual to ensure that protectively marked or UNCLASSIFIED official information and other valuable resources are secured appropriately when the person is absent from the workplace.

  • Clear screen policy

    A supplementary policy to the clear desk policy that requires a person to ensure that information on ICT equipment is secured appropriately when the person is absent from the work station, for example, by locking the ICT equipment.

  • Clearance (personnel security clearance)

    See Security clearance.

  • Clearance process

    In the context of personnel security clearances, the process of assessing a person’s suitability for access to protectively marked information (see Protective marking).

  • CNI

    Critical National Infrastructure

  • Codeword

    A type of compartmented marking. A codeword indicates that the information it covers is in a special need-to-know category. Those with a need to access the information will be cleared and briefed about the significance of this type of information. See also Source codeword.

  • Combined Threat Assessment Group (CTAG)

    The CTAG is a fully seconded multi-agency intelligence centre. Its role is to mitigate the risk of the government receiving un-coordinated or conflicting threat assessments in relation to terrorist and criminal threats posing physical harm to New Zealand, its citizens and interests both domestically and overseas.

  • COMMERCIAL

    The COMMERCIAL endorsement marking is used for commercially sensitive processes, negotiations or affairs.

  • Communications Security (COMSEC)

    All measures (including the use of cryptographic security, transmission security, emission security and physical security measures) applied to protect government telecommunications from unauthorised interception and exploitation and to ensure the authenticity of such telecommunications.

  • Compartmented marking

    A marking to indicate that the information is in a specific need-to-know compartment, and it is often necessary to take precautions beyond those normally indicated by the security classification to protect that information. Compartmented markings must follow a security classification and cannot be applied to UNCLASSIFIED information. Such markings may include Codeword or SCI material. 

  • Competitive Tendering and Contracting (CTC)

    A process of selecting the preferred provider of goods and services from a range of bidders by seeking offers and evaluating these against predetermined selection criteria.

  • Compromise or misuse (especially of information resources)

    The means by which harm could be caused to assets, especially loss, damage, corruption or disclosure of information, whether deliberate or accidental.

  • COMPUSEC

    Computer Security

  • Computer Security (COMPUSEC)

    The measures taken to ensure the security of information stored on and accessed by computer, for example, access passwords, login information or anti-virus software.

  • COMSEC

    Communications Security

  • COMSEC officer

    The person in an agency who is responsible for authorising and controlling cryptographic access.

  • CONFIDENTIAL (security classification)

    A security classification that shows that compromise of official information would damage National interest in a significant manner.

  • Confidential information

    Information provided with an expectation of confidentiality and that it will only be used by and made available to people with a genuine need to know. The meaning is broader than the information designated by the CONFIDENTIAL security classification.

  • Confidentiality (of information)

    The limiting of access to official information to authorised users for approved purposes. The confidentiality requirement is determined by reference to the likely consequences of unauthorised disclosure of official information. The New Zealand Government Security Classification System has been developed to help agencies identify information that has confidentiality requirements.

  • Conflict of interest

    An interest or obligation, either inside or outside New Zealand, that could interfere with, or hinder, a person’s performance of their duties, or be perceived to interfere with or hinder a person’s performance of their duties.

  • Contact

    See Security contact.

  • Contract

    A legally enforceable agreement in which the parties to the contract set out the terms and conditions of the agreement, the rights and obligations or responsibilities of each party and the agreed outcomes of the relationship.

  • Contracted service provider (contractor)

    A person or business entity that has contracted with an agency for the performance of services for, or supply of goods to, that agency.

  • Control

    A measure used to protect official information from compromise of confidentiality, integrity and availability, or mitigate an identified threat to an agency’s people, information or assets. 

  • Countermeasures

    Barriers, including procedural, logical or physical countermeasures, used to protect official resources.

  • CPNI

    Centre for the Protection of National Infrastructure (UK Government)

  • CPTED

    Crime Prevention through Environmental Design 

  • Crime Prevention through Environmental Design (CPTED)

    A multi-disciplinary approach to deterring opportunistic criminal behaviour through environmental design using features including natural surveillance (includes direct and indirect presence), access control and territorial reinforcement, that is, the design of clear boundaries and use of landscaping features to define desired movement areas and delineate borders.

  • CRYPTO

    Cryptographic Information

  • Cryptographic Information (CRYPTO)

    Information relating to keying material and cryptosystems used for the protection of information. See the New Zealand Information Security Manual for further details on cryptographic requirements.

  • CSO

    Chief Security Officer

  • CTAG

    Combined Threat Assessment Group (NZSIS)

  • CTC

    Competitive Tendering and Contracting

  • Culture of security

    See Security culture.

  • Cyber espionage

    Espionage using ICT equipment.

  • Data

    See Electronic information.

  • DCCS

    Departmental Committee on Computer Security

  • Deed of Confidentiality

    An undertaking by an individual to comply with confidentiality obligations. 

  • Delegate

    A person authorised by another person to act on their behalf. In most cases, a delegate is a senior person authorised to act on an agency head’s behalf.

  • Denial of service

    Deliberate compromise of availability of information technology systems.

  • Departmental Committee on Computer Security (DCCS)

    The DCCS is responsible for formulating national COMPUSEC doctrine and standards for protecting protectively marked official information stored or processed in government or contracted private computer systems. 

  • Departmental Security Officer (DSO)

    The predecessor role of the CSO. 

  • DIA

    Department of Internal Affairs

  • Disaster Recovery Plan (DRP)

    Planning and implementation of procedures for the recovery of essential systems that have a significant impact on an agency’s ability to deliver its key outcomes. DRPs may be the first part of a business continuity plan.

  • Document

    Anything on which information is recorded by any means, including words, symbols, images or electro-magnetic impressions.

  • Double enveloping

    The use of two unused opaque envelopes (an inner and an outer envelope) to help protect protectively marked information in transit from unauthorised access and, in the event of unauthorised access, provide evidence of this to the recipient.

  • DPMC

    Department of the Prime Minister and Cabinet

  • DRP

    Disaster Recovery Plan

  • DSAP

    Designated Security Assessment Position

  • DSO

    Departmental Security Officer

  • Duress alarm

    An alarm that enables people to call for a security or police presence in response to a threatening incident.

  • EACS

    Electronic Access Control System

  • EIS

    External Integrated System

  • Electronic Access Control System (EACS)

    An electronic system to control access to agency facilities, which includes access control devices, control panel, monitoring station and the policies and procedures to limit access to personnel with verified identities.

  • Electronic information

    Data or information stored or generated electronically including metadata.

  • EMBARGOED FOR RELEASE

    The EMBARGOED FOR RELEASE endorsement marking is used on material before a designated time at which an announcement or address will be made, or the information will be disseminated.

  • Emergency access

    Supervised access to protectively marked material one level above an individual’s current security clearance, when there is an urgent and critical operational need to do so.

  • Emergency management

    A range of measures designed to manage risks to agencies from disasters and emergencies. Emergency management involves developing and maintaining arrangements to prevent or mitigate, prepare for, respond to and recover from emergencies and disasters.

  • Employee (or staff)

    See Personnel.

  • Employee undertaking

    See Deed of Confidentiality.

  • Encryption

    The process of transforming data into an unintelligible form to enable secure transmission.

  • Endorsement marking(s)

    An endorsement marking is used alongside a security classification to identify that there is a clear need for special care of the material, over and above that indicated by the security classification alone. Endorsement markings must appear with a security classification. See Protective marking.

  • EPL

    Evaluated Product List

  • ESO

    Event Security Officer

  • Espionage (spying)

    A government, organisation or individual attempting to obtain information that is considered secret, confidential or intellectual property without the permission of the holder of the information. Espionage is inherently clandestine, as it is taken for granted that it is unwelcome and, in many cases, illegal.

  • Evaluated Product List (EPL)

    A list of ICT security products, certified against internationally recognised common criteria.

  • EVALUATIVE

    The EVALUATIVE endorsement marking is used for material relating to competitive evaluations such as interview records and tender assessments.

  • Event

    Includes both planned and unplanned events run by, or on behalf of, a New Zealand government agency.

  • Event attendees

    All people attending an event including delegates, speakers, visitors and support staff.

  • Event manager

    The person in overall control of an event – this may be an agency employee or outsourced provider.

  • Event Security Officer (ESO)

    The agency officer, or contractor, responsible for the security of people (attendees, staff and the public) or information and assets at an event.

  • Exceptional circumstances

    Circumstances where the exception is critical to the agency meeting its outcomes, and the risks to the agency can be mitigated or managed in another way.

  • Exposure

    The degree to which a resource is open to, or attracts, harm.

  • External Integrated System (EIS)

    A system that may be integrated or interoperable with a security alarm system, for example, closed-circuit television, building management systems and EACSs.

  • Facility

    A building, part of a building or complex of buildings, in which an agency, or a particular agency function, is located. This can include contractors’ premises.

  • Facility security inspection

    An inspection of a contractor’s premises addressing the criteria established in the contract between the contractor and the New Zealand government, to ensure that a secure environment appropriate to the performance of the contracted function can be provided by the contractor.

  • FGI

    Foreign Government Information

  • Firewall

    A programme or device designed to prevent unauthorised access to or from a network or system by filtering incoming and outgoing network data based on a series of rules.

  • Fit and proper person checks

    See Agency-specific character checks.

  • Foreign government

    Any government external to New Zealand (including an individual, organisation or agency acting on behalf of this government) or an intergovernmental organisation. This also includes multi-national or supra-national government and non-governmental organisations, for example, the Asia-Pacific Economic Cooperation, North Atlantic Treaty Organization, European Union, United Nations and Interpol.

  • Foreign Government Information (FGI)

    Information received by the New Zealand government from foreign governments and government agencies in support of strategic and operational objectives. In most cases, New Zealand provides the assurance to safeguard this information under the terms of a bilateral and multilateral agreement, Security of Information Agreement or Arrangement (SIA) or MOUs.

  • GCIO

    Government Chief Information Officer

  • GCSB

    Government Communications Security Bureau

  • GCSC

    Government Communications Security Committee

  • Government Chief Information Officer (GCIO)

    The GCIO provides advice on government ICT. 

  • Government Communications Security Bureau (GCSB)

    The GCSB ensures the integrity and confidentiality of government information, and investigates and analyses cyber incidents against New Zealand’s critical infrastructure. The GCSB also collects foreign intelligence bearing on New Zealand’s interests, and assists other New Zealand government agencies to discharge their legislatively mandated functions.

  • Government Communications Security Committee (GCSC)

    The GCSC is responsible for formulating and reviewing New Zealand’s COMSEC doctrine and standards.

  • Government information

    See Official information.

  • Harm

    Any negative consequence, such as the compromise of, damage to, or loss of, an asset.

  • Hazard

    A source of potential harm – a hazard might include a threat.

  • Home-based work

    An agency may approve or authorise an employee to carry out their duties while based at their place of residence.

  • HONOURS

    The HONOURS endorsement marking is used for material relating to the actual or potential award of an honour before the announcement of the award, and for the deliberations during the recommendation-approval process or the consideration of honours policy matters involving the exercise of the Royal prerogative.

  • IA

    Information Assurance

  • ICS

    Interdepartmental Committee on Security

  • ICT

    Information and Communications Technology

  • ICT equipment

    Any device that can process, store or communicate electronic information, for example, computers, multi-function devices and copiers, landline and mobile phones, digital cameras, electronic storage media and other radio devices.

  • ICT facility

    A building, floor of a building or designated space on the floor of a building used to house or process large quantities of data, for example, server and gateway rooms, data centres, back-up repositories, storage areas for ICT equipment and communications and patch rooms.

  • ICT system

    A related set of hardware and software used for the processing, storage or communication of information and the governance framework in which it operates.

  • ICT system equipment

    A subset of ICT equipment that is used to maintain an ICT system, for example, servers, communications network devices, such as PABX, and gateways and network infrastructure, such as cabling and patch panels. This equipment is normally continuously operational.

  • ID

    Identity 

  • IN CONFIDENCE (security classification)

    A security classification that shows that compromise of official information would be likely to prejudice the maintenance of law and order, impede the effective conduct of government in New Zealand or adversely affect the privacy of its citizens.

  • Incident reporting

    A scheme whereby security incidents (which can include security infringements, breaches, violations, contacts or approaches) are reported to a central point in the agency (usually the CSO). This enables the agency to undertake investigations, monitor the effectiveness of security controls, advise other affected agencies and collect statistics on its security vulnerabilities.

  • Information and Communications Technology (ICT)

    Describes any device or application used to communicate, record, process, store and/or transfer information, including data storage devices (for example, magnetic disk/tape, compact disks or digital video disks (CD/DVD), flash memory), mobile telephones and mp3 players, and the operating systems, hardware and software applications used to operate networks and systems.

  • Information Assurance (IA)

    Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection and reaction capabilities.

  • Information Privacy Principles (IPPs)

    Contained in the Privacy Act 1993, part 2, IPPs regulate the collection, storage, access, use and disclosure of personal information by New Zealand government agencies.

  • Information Security (INFOSEC)

    The application of security controls to information systems that are commensurate with the protective marking, sensitivity and/or value of that information and compliant with government policy. See also Communications security.

  • Information Security Manual (ISM)

    See New Zealand Information Security Manual.

  • Information Technology Security Manager (ITSM)

    ITSMs are executives within an agency who act as a conduit between the strategic directions provided by the CISO and the technical efforts of system administrators. The main responsibility of ITSMs is the administrative controls relating to cyber security within the agency.

  • Information, information assets or information resources

    Documents and papers, electronic data, the software or systems and networks on which the information is stored, processed or communicated, intellectual information acquired by individuals and physical items from which information regarding design, components or use could be derived that add value to an organisation.

  • INFOSEC

    Information Security

  • Infringement

    See Security infringement.

  • Insider threat

    An insider threat, or insider, is any person who exploits, or intends to exploit, their legitimate access to an agency’s assets to harm the security of their agency or New Zealand, either wittingly or unwittingly, through espionage, terrorism, unauthorised disclosure of information or loss or degradation of a resource (or capability).

  • Integrity (of information)

    The assurance over the accuracy and consistency of data and that it is authentic and complete. It includes assurance that data and information has been properly created and has not been tampered with, damaged or subject to accidental or unauthorised changes. Information integrity applies to all information, including paper as well as electronic documents.

  • Intruder resistant area

    A superseded term for an area secured so that it is suitable for handling, storing and processing protectively marked material up to and including SECRET. Replaced by security zones.

  • IPPs

    Information Privacy Principles

  • IRP

    Incident Response Plan

  • ISM

    Information Security Manual (New Zealand) 

  • ITSA

    Information Technology Security Adviser

  • ITSM

    Information Technology Security Manager

  • LEGAL PRIVILEGED

    The LEGAL PRIVILEGED endorsement marking is used for material that is subject to legal privilege.

  • Logical access controls

    ICT measures used to control access to ICT systems and their information. This could involve using user identifications and authenticators such as passwords.

  • Malware

    Malicious software

  • Malware (malicious software)

    Software designed to disrupt computer operation, gather sensitive information or gain unauthorised access to computer systems.

  • Mandatory requirements

    The mandatory requirements contained within the PSR require compliance by all New Zealand government agencies. 

  • MBIE

    Ministry of Business, Innovation and Employment

  • MEDICAL

    The MEDICAL endorsement marking is used for material relating to medical reports, records and other material related to them.

  • MFAT

    Ministry of Foreign Affairs and Trade

  • MFDs

    Multi-Function Devices 

  • Ministry of Foreign Affairs and Trade (MFAT)

    MFAT provides advice on the security standards for the New Zealand government presence overseas.

  • Ministry of Justice

    The Ministry of Justice provides policy advice on issues of identity security and firearms, drugs, crime prevention and general law enforcement.

  • Mobile computing and communications

    Work from a non-fixed location using portable computing and/or communications devices, for example, laptops, notebooks, tablets, smart mobile phones and personal digital assistants.

  • Mobile employees

    Employees who work at multiple locations using their laptop, or other mobile computing device, as their primary ICT device – setting it up in hotels, offices, at home or in the field, for example, client support workers who deal with clients outside the regular office environment.

  • MOU

    Memorandum of Understanding

  • MPI

    Ministry for Primary Industries

  • Multilateral agreement

    An agreement between the New Zealand government, or a New Zealand government agency, and the government, or agencies, of multiple countries that provides for the reciprocal exchange of official information. Also see Bilateral agreement and Foreign Government Information.

  • National interest

    The maintenance of New Zealand’s good international reputation and bilateral relations, public confidence in the areas of tourism, trade, the economy and government, and the security and safety of all New Zealanders.

  • National security

    A term used to describe the safety of the nation from espionage, sabotage, politically motivated violence, promotion of communal violence, attacks on New Zealand’s defence system, acts of foreign interference or serious organised crime, as well as the protection of New Zealand’s borders.

  • National security information

    Official information that, if compromised, could affect the security of the nation. National security information could include information about protection from espionage, sabotage or politically motivated violence.

  • Natural justice (procedural fairness)

    See Procedural fairness.

  • NCSC

    National Cyber Security Centre

  • Need to go

    Access to an area should be limited to those who require access to do their work, for example, cleaners – they do not have a need to know but they do have a need to go to do their work.

  • Need-to-know

    Refers to a need to access information based on an operational requirement.

  • Network infrastructure

    The infrastructure used to carry information between work stations and servers or other network devices, for example, cabling, junction boxes, patch panels, fibre distribution panels and structured wiring enclosures.

  • NEW ZEALAND EYES ONLY (NZEO)

    The NEW ZEALAND EYES ONLY (NZEO) endorsement marking indicates that access to information is restricted to appropriately security cleared New Zealand citizens on a need-to-know basis.   

  • New Zealand government agency

    See agency.

  • New Zealand government involvement

    Could include strategic planning advice, tactical support or the deployment of operational elements. All New Zealand government involvement is provided in collaboration with the event organisers, the relevant agency with jurisdictional authority and other agencies.

  • New Zealand Government Protective Security Manual (PSM)

    A precursor to the PSR.

  • New Zealand Government Security in the Government Sector Manual (SIGS)

    The primary precursor to the PSR.

  • New Zealand Information Security Manual (NZISM)

    A practitioner’s manual compiled by the Government Communications Security Bureau (GCSB) designed to support agencies in managing ICT risks, provide baseline controls necessary for basic IT system hygiene, as well as to manage information threats and enable government business. The NZISM is supported by an executive companion that summarises key risks, basic ICT governance and assurance processes and roles and responsibilities for agency heads and other senior executives.

  • New Zealand Security Intelligence Service (NZSIS)

    The NZSIS establishes personnel and physical security standards for the protection of national security information, as authorised by the New Zealand Security Intelligence Service Act 1969. The NZSIS is responsible for providing advice to the New Zealand government relating to New Zealand’s security.

  • NII

    National Information Infrastructure

  • Non-national security information

    Official information that, if compromised, does not threaten national security but could otherwise threaten the security of the national interest or interests of individuals, groups or commercial entities.

  • NZCSS

    New Zealand Communications Security Standard

  • NZCSS 300

    New Zealand Communications Security Standard No. 300

  • NZCSS 400

    New Zealand Communications Security Standard No. 400

  • NZCSS 500

    New Zealand Communications Security Standard No. 500

  • NZDF

    New Zealand Defence Force

  • NZEO

    New Zealand Eyes Only

  • NZIC

    New Zealand Intelligence Community

  • NZISM

    New Zealand Information Security Manual

  • NZQA

    New Zealand Qualifications Authority

  • NZSIS

    New Zealand Security Intelligence Service

  • OAG

    Office of the Auditor-General

  • ODESC

    Officials Committee for Domestic and External Security Coordination

  • Office of the Auditor-General (OAG)

    The Office of the Auditor-General is responsible for conducting annual audits, performance audits and inquiries into any public entity as per the Public Audit Act 2001.

  • Office of the Privacy Commissioner

    The Office of the Privacy Commissioner deals with privacy and the freedom of information. 

  • Official information

    Any information generated, received, developed or collected by, or on behalf of, the New Zealand government through its agencies and external service providers that is not publicly available, including sensitive information and protectively marked information, such as:

    • documents and papers
    • data
    • the software or systems and networks on which the information is stored, processed or communicated
    • the intellectual information (knowledge) acquired by individuals
    • physical items from which information regarding design, components or use could be derived.

    See Official Information Act 1982.

  • Official resources

    Includes official information, people who work for, or with, the New Zealand government, and assets belonging to, or in the possession of, the New Zealand government. Official resources include resources belonging to the New Zealand government but in the possession of contractors.

  • Offshore services

    Services offered from outside of New Zealand that are subject to jurisdictional, sovereignty and privacy risks of that country.

  • OLAs

    Operational Level Agreements

  • Onshore services

    Services offered from within New Zealand.

  • Originator (of information)

    The person, or agency, responsible for preparing or creating official information or for actioning information generated outside the New Zealand government. This person, or agency, is also responsible for deciding whether, and at what level, to protectively mark that information.

  • OSH

    Occupational Safety and Health

  • Outsourcing

    Contracting out of a business process to an outside company.

  • Overwriting (of electronic information)

    Low level reformatting, followed by multiple overwriting with zeroes (0) and ones (1) in random patterns to make the information difficult to recover from electronic media.

  • Paragraph grading indicators

    Markings used to indicate the security classification of individual paragraphs.

  • Partially secure area

    A superseded term for an area secured so that it is suitable for processing and handling protectively marked information up to and including TOP SECRET level. Replaced by security zones.

  • PED

    Portable Electronic Device

  • Perimeter Intrusion Detection System (PIDS)

    A security alarm system, or part of a security alarm system, that covers areas external to a building envelope.

  • PERSEC

    Personnel Security

  • Personal Identity Verification (PIV)

    The method(s) used to verify a person’s identity before being given access to facilities, information or assets. Normally, identity is verified using something a person has (for example, a pass), knows (for example, a password) or is (for example, biometrics).

  • Personal information

    Information or an opinion (including information forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. For further details, see the Privacy Act 1988. Also see Sensitive personal information.

  • Personal Security File (PSF)

    A file containing sensitive personal information used to make a decision on a person’s suitability to hold, and continue to hold, a security clearance. This includes details of any security infringements, breaches or violations by the person.

  • Personnel (employee or staff)

    Any member of an agency’s staff (ongoing and non-ongoing), contracted service providers requiring access to protectively marked information or resources, or other people who provide services to the agency or access agency information or assets.

  • Personnel Security (PERSEC)

    The management of personnel to assist in the protection of an agency’s people, information and assets. It includes the screening and ongoing education and evaluation of employees.

  • Personnel security clearance

    See Security clearance.

  • PHYSEC

    Physical Security

  • Physical asset

    An item of economic, commercial or exchange value that has a tangible or material existence, including assets (for example, computers) that contain official information. 

  • Physical Security (PHYSEC)

    The part of protective security concerned with the provision and maintenance of a safe and secure environment for the protection of agency employees and clients as well as physical measures designed to prevent unauthorised access to official resources and to detect and respond to intruders.

  • PIDS

    Perimeter Intrusion Detection System

  • PINs

    Personal Identification Numbers 

  • PIV

    Personal Identity Verification

  • Planned event

    An event that allows relevant agencies sufficient lead time to consider, discuss and implement security arrangements. Also see Event.

  • POLICY

    The POLICY endorsement marking is used for material relating to proposals for new or changed government policy before publication.

  • Policy and privacy information

    Information (usually protectively marked as SENSITIVE or IN CONFIDENCE) that deals with New Zealand government policy or information but does not warrant a higher security classification.

  • Politically motivated violence

    Includes acts or threats of violence or unlawful harm that are intended or likely to achieve a political objective, whether in New Zealand or elsewhere, including acts or threats carried on for the purpose of influencing the policy or acts of government. 

  • Portable Storage Device (PSD) (electronic information)

    See Removable electronic and optical media.

  • Position of Trust (PoT)

    A position where the duties require a higher level of assurance than normal agency employment screening provides and to which additional screening is specified.

  • PoT

    Position of Trust

  • Privacy (of personal information)

    People have a right to expect that:

    • personal information held about them is accurate and available for their inspection
    • if their personal information is not accurate, it will be subject to amendment
    • the information is properly safeguarded and protected.

    They must also be kept fully informed of how the information can be used. For further details, see the Privacy Act 1993, section 6 (Information Privacy Principles): Principle 5 (a) (i) (ii) (iii), Principle 7 (1) (2) and Principle 8.

  • Privacy audit

    An audit that examines personal information handling practices for a particular agency programme at a certain time and in a particular location.

  • Private client facilities

    Facilities belonging to private industry clients that can be used by agency personnel to undertake agency work.

  • Procedural fairness

    Procedural fairness is the right to expect that any decisions being taken about a person are taken by an unbiased decision maker, and are based on open and fair decision-making processes that allow that person the opportunity to respond to those decisions.

  • Protective marking

    An administrative label assigned to official information that not only shows the value of the information but also tells users what level of protection is to be provided during use, storage, transmission, transfer and disposal. Protective markings comprise security classifications, endorsement markings and compartmented markings, as set out under the New Zealand Security Classification System.

  • Protective security

    An organised risk management system of defensive measures used to counter security threats instituted and maintained at all levels across an organisation to reduce the security risk to functions, official resources, assets (people, information, infrastructure, facilities) and services. Protective security should be proportionate to threats and operate in a way that supports business.

  • Protective security audit

    An audit (or system of checking for compliance to predetermined standards) on the protective security arrangements in place in an agency.

  • Protective Security Manual (PSM)

    See the New Zealand Government Protective Security Manual – the precursor to the PSR.

  • Protective security plan

    See Agency security plan.

  • Protective Security Requirements (PSR)

    The New Zealand government’s policy framework detailing the protective security requirements for the protection of its people, information and assets (replaced the New Zealand Government Protective Security Manual and the Security in Government Sector Manual).

  • PSF

    Personal Security File

  • PSM

    New Zealand Government Protective Security Manual (precursor to the PSR) 

  • PSR

    Protective Security Requirements (replaced the PSM and SIGS manual) 

  • Public domain information

    Information that is authorised for unlimited public access and circulation (for example, agency publications or websites).

  • Qualified security vetting recommendation

    A formal assessment by the NZSIS recommending the security risks that may exist if the agency decides to grant a security clearance to the candidate. A qualified vetting recommendation may include a risk management plan for the individual.

  • Reasonable (in law)

    Just, rational, appropriate, ordinary or usual in the circumstances. It may refer to care, cause, compensation, doubt (in a criminal trial) and a host of other actions or activities. Similarly, a reasonable act is that which might fairly and properly be required of an individual.

  • Regional location

    Any location away from an agency’s central office or major operational centres.

  • REL

    RELEASABLE TO

  • RELEASABLE TO (REL)

    The RELEASABLE TO, or REL, endorsement marking identifies information that has been released or is releasable to the indicated foreign countries, or citizens of those indicated countries, only. For example, RELEASABLE TO // GBR, NZ or REL // GBR, NZ means that the information may be passed to citizens and the governments of the United Kingdom and New Zealand only.

  • Remote worker

    An employee who undertakes remote work, including:

    • casual remote workers – casual remote workers take advantage of remote working to meet a short term or intermittent requirement; unless there is a formal remote-work agreement, they should be considered mobile employees
    • full time remote workers – full time remote workers operate primarily from a remote, fixed location (this could be either the remote worker’s own home or a remote office or remote centre)
    • part time remote workers – part time remote workers may spend part of their time working in a fixed remote location and part of their time in the office
    • day extenders – day extenders may work a regular day in the office and then may log in from a fixed remote location, normally from home, to continue to work or meet a short term or intermittent requirement.

  • Removable electronic and optical media

    Storage media that is easily removed from a system, designed for removal and is not an integral part of the infrastructure. For example, magnetic tapes, CDs or DVDs, USBs, microfilms and removable hard drives.

  • Request documents

    Documentation issued to a potential service provider when requesting pricing on services or functions or utilised in the procurement process.

  • Request for tender

    A request to suppliers for information and a quote to perform clearly defined works or supply certain goods.

  • Residual risk

    The level of risk remaining after mitigations are applied.

  • Resources

    See Official resources.

  • RESTRICTED

    A security classification that shows that compromise of official information would be likely to affect the national interests in an adverse manner.

  • Review for Cause (personnel security)

    In the personnel security context, a Review for Cause is when a review is undertaken by the NZSIS of a security clearance holder who has had a significant change of circumstance that could affect their suitability to retain a clearance.

  • RFID

    Radio Frequency Identification 

  • RFT

    Request for Tender

  • Right of access (contracting)

    The right of the agency (or its agent, nominee, employee or auditor) to have access, for purposes associated with the contract including security reviews and audit requirements, security performance monitoring and any additional reviews referred to in the contract, to any premises of the contractor, to any site used in connection with the contract and to equipment, software, data, documentation and records maintained by it and relevant to the performance of the contract.

  • Risk

    The chance of something happening that will materially impact the achievement of objectives – it is measured in terms of event likelihood and consequence.

  • Risk acceptance

    An informed decision to accept a risk within the context of any mitigations applied.

  • Risk analysis

    The systematic process to understand the nature, and to deduce the level, of risk. This includes identification and evaluation.

  • Risk appetite

    Statements that communicate the expectations of an agency’s senior management about the agency’s risk tolerance. These criteria help an agency identify risk and prepare appropriate treatments and provide a benchmark against which the success of mitigations can be measured.

  • Risk avoidance

    A decision not to become involved in a risk situation, for instance, through deciding not to start or continue the activity that gives rise to the risk.

  • Risk management

    Coordinated activities to direct and control an organisation with regard to risk.

  • Risk minimisation

    See Risk mitigation.

  • Risk mitigation

    Actions taken to lessen the likelihood, negative consequences, or both, associated with a risk.

  • Risk rating

    A rating that indicates how significant each identified potential risk is to an agency. The risk rating may be expressed qualitatively or quantitatively, based on the risk likelihood and consequence.

  • Risk reduction

    See Risk mitigation.

  • Risk time horizon

    The proximity of when the risk might eventuate. Knowledge of the time horizon, or time to impact should the risk occur, contributes to the risk mitigation decision making.

  • Risk transfer

    Shifting the responsibility or burden for loss to another party through legislation, contract, insurance or other means.

  • Risk treatment

    See Risk mitigation.

  • Sabotage

    An act, falling short of a military operation, or an omission intended to cause physical damage in order to assist a hostile foreign power or further a subversive political aim.

    See section 79 of the Crimes Act 1961.

  • Safe hand

    A method of transferring an article in such a way that the article is in the care of an authorised officer or a succession of authorised officers who are responsible for its carriage and safekeeping. The purpose of sending an article using safe hand is to establish an audit trail that allows the sender to receive confirmation that the addressee received the information.

  • Safety

    Safety is the process of ensuring people involved with the organisation, including employees, customers and visitors, are protected from harm.

  • Sanitisation

    The process of removing certain elements of information that will allow the protective marking that indicates the level of protection required for the information to be removed or reduced. This can refer to both electronic media and hard copy information. Information that is not destroyed needs the originator’s approval to be released at a lower level. Also see overwriting.

  • SAS

    Security Alarm System

  • SCI

    Sensitive Compartmented Information

  • SECRET

    A security classification that shows that compromise of the official information could cause serious damage to the national interest.

  • Secure area

    A superseded term for an area secured so that it is suitable for processing and handling protectively marked information up to and including TOP SECRET level. Replaced by security zones.

  • Security

    • The condition achieved when designated information, material, personnel, activities and installations are protected against espionage, sabotage, subversion and terrorism, as well as against loss or unauthorised disclosure. The term is also applied to those measures necessary to achieve this condition and to the organisations responsible for those measures.
    • A condition that results from the establishment and maintenance of protective measures to ensure a state of inviolability from hostile acts or influences.
    • With respect to protectively marked material, it is the condition that deters unauthorised persons from attempting to gain access to official material affecting national security.

  • Security Alarm System (SAS)

    A SAS is the combination of intrusion detection devices, control panel, monitoring station and the policies and procedures needed to ensure an appropriate response to any alarms.

  • Security approach

    An unsolicited encounter with people or organisations that seek to obtain, through unauthorised means, information not impacting on national security – contrast with Security contact.

  • Security breach

    An accidental or unintentional action that leads, or could lead, to the loss or damage of official information or resources. A breach is also a failure to observe the protective security mandatory requirements. See also Security infringement and Security violation. Additional detail is available in the New Zealand Government Protective Security Governance Requirements – Reporting Incidents and Conducting Security Investigations.

  • Security classification system

    A set of procedures for identifying official information, the compromise of which could have a negative impact for the New Zealand government. It is the New Zealand government mechanism for protecting the confidentiality of information it generates or that is provided by other governments and private entities. The security classification system is implemented by assigning protective markings (such as TOP SECRET, RESTRICTED and SENSITIVE). Protective markings not only show the value of the information but also indicate the minimum level of protection the information must be afforded to safeguard it from compromise.

  • Security classified document register

    See Classified Document Register.

  • Security classified information (or resources)

    Official information, or resources, that has been assessed under the New Zealand Security Classification System and afforded a protective marking. If compromised, such information could have a negative impact on the national interest, organisations or individuals. See the New Zealand Government Information Security Management Requirements – New Zealand Government Security Classification System.

  • Security clearance

    A security clearance is granted to an individual following a favourable vetting assessment and recommendation provided by the NZSIS. An employee’s suitability to access protectively marked material is dependent on the clearance level granted and the need-to-know principle.

  • Security clearance management (personnel security)

    The process required for comprehensive management of personnel holding security clearances. While security vetting is fundamental, it must be supported by active security risk management by both the organisation and the individual. The security clearance management life cycle consists of pre-employment identity and verification checks, NZSIS security vetting, the formal grant of a security clearance by the agency head, management of any risks identified by the NZSIS, reporting notifiable changes in circumstances or foreign contacts, annual security appraisals and security vetting reviews.

  • Security contact

    An unsolicited encounter with people or organisations whose purpose is to obtain national security information they do not have a need to know – contrast with Security approach.

  • Security container or room

    NZSIS-approved A, B or C class container or room. See the New Zealand Government Physical Security Management Requirements – Security Zones and Risk Mitigation Control Measures.

  • Security culture

    The ready acceptance by people that the securing of official information and other agency resources is an important and integral part of everyday work practices. The culture of a work group describes the patterns of basic assumptions, beliefs, customs and attitudes of the group that shape the behaviour of members of that group.

  • Security executive

    The agency senior executive service officer (or equivalent) responsible for protective security functions in that agency.

  • Security in Government Sector Manual (SIGS)

    See New Zealand Government Security in Government Sector Manual. The precursor to the PSR.

  • Security incident

    A security infringement, breach, violation, contact or approach from those seeking unauthorised access to official resources, or any other occurrence, that results in negative consequences for the New Zealand government.

  • Security infringement

    Any incident that violates internal protective security procedures as outlined in internal agency protective security procedures, other than those that can be categorised as a security breach or security violation. Additional detail is available in the New Zealand Government Protective Security Governance Requirements – Reporting Incidents and Conducting Security Investigations.

  • Security investigation

    An investigation carried out to establish the cause and extent of a security incident that has, or could have, compromised the New Zealand government. The overall purpose of a security investigation is to prevent the incident from happening again by making improvements to the agency’s systems or procedures. Additional detail is available in the New Zealand Government Protective Security Governance Requirements – Reporting Incidents and Conducting Security Investigations.

  • Security of Information Agreement or Arrangement (SIA)

    An agreement or arrangement with a foreign government setting out reciprocal obligations to safeguard exchanged classified information. Signatories make a moral and political commitment to uphold and adhere to the terms of the arrangement. An SIA holds treaty status and includes MOUs.

  • Security plan

    See Agency security plan.

  • Security policy

    A set of rules and practices that specify or regulate how a system or organisation provides security services to protect sensitive or critical resources.

  • Security review

    See Security risk review.

  • Security risk

    Any event that could result in the compromise, loss of integrity or unavailability of official information or resources, or the deliberate harm to people measured in terms of its probability and consequences.

  • Security risk criteria

    Statements that communicate the expectations of an agency’s senior management about the agency’s security environment. These criteria help an agency identify security risk and prepare appropriate security treatments, and provide a benchmark against which the success of the security plan can be measured. Also see risk appetite.

  • Security risk review

    The process used to determine risk management priorities by evaluating risk against predetermined criteria in the context of an agency’s protective security arrangements.

  • Security vetting recommendation

    A formal assessment by the NZSIS recommending that the agency grant a security clearance to a candidate.

  • Security violation

    A deliberate, negligent or reckless action that leads, or could lead, to the loss, damage, corruption or disclosure of official information or resources. Additional detail is available in the New Zealand Government Protective Security Governance Requirements – Reporting Incidents and Conducting Security Investigations.

  • Security zones

    A method of assessing the security of areas used for protecting people, or handling and storing information and physical assets, based on security controls. Security zones range from One to Five.

  • Security-in-depth or defence-in-depth

    A multi-layered, systematic approach to security in which security countermeasures are combined to support and complement each other. This makes unauthorised access difficult, for example, physical barriers should complement and support procedural security measures and vice versa.

  • Selective tendering

    A type of acquisition strategy in which agencies provide a copy of the statement of requirements (SOR) to a small number of potential providers and request a tender from them for the performance of the function. Also see tendering.

  • SENSITIVE

    A security classification that shows that compromise of official information would likely damage the interest of New Zealand or endanger the safety of its citizens.

  • Sensitive Compartmented Information (SCI)

    A compartmented marking. SCI is a category of information that, by virtue of its sensitivity (including, but not limited to, intelligence targets, capabilities and techniques), is specially compartmented. Protection of SCI material requires collective physical, personnel and ICT security measures. Access to SCI is logically controlled to authorised individuals who have a TOP SECRET security clearance, appropriate compartment briefings and a legitimate need-to-know.

  • Sensitive information

    Information that may be exempt from disclosure under sections 6 and 9 of the Official Information Act 1982.

  • SIA

    Security of Information Agreement or Arrangement

  • SIGINT

    Signals intelligence

  • SIGS

    Security in Government Sector Manual (New Zealand Government)

  • Site

    The discrete, separate physical location of an agency’s facility or facilities. Agencies may occupy more than one site.

  • Site planning (physical security)

    A determination, as part of the agency’s regular risk review, that the agency’s physical environment is appropriate or inappropriate.

  • Site security plan

    A plan that documents measures to reduce to an accepted level the identified risks to the agency’s functions and resources at a designated site.

  • SLAs

    Service Level Agreements

  • SOP

    Standard Operating Procedure

  • SOR

    Statement of Requirements

  • Source codeword

    A type of endorsement marking. A word or set of letters used to identify the source of certain information without revealing it to those who do not have a need-to-know. People who need to access this information must be cleared and briefed about the significance of this type of information. See also Codeword.

  • Special event

    A planned event of such a nature that the national interest is served by the New Zealand government’s involvement in whole-of-government coordination of security and/or the provision of support to offshore events.

  • Specified persons

    See Authorised persons.

  • Spying

    See Espionage.

  • SRG

    Security and Risk Group

  • SSC

    State Services Commission

  • SSP

    System Security Plan

  • STAFF

    The STAFF endorsement marking may be used for material containing references to named or identifiable staff. Also for use by staff in entrusting personal confidences to management.

  • Statement of Requirements (SOR)

    A description of the activity or function to be contracted out in terms of required outputs and outcomes.

  • Sub-contractor

    A contractor who contracts to provide goods or services to another contractor, so that the latter can perform another contract.

  • Suitability indicators (personnel security)

    Suitability indicators for a security clearance include maturity, responsibility, tolerance, honesty and loyalty. Also see the New Zealand Government Personnel Security Management Requirements – Security Assessment Criteria and the Adjudicative Guidelines.

  • Technical Surveillance Countermeasures (TSCM)

    The process of surveying facilities to detect the presence of technical surveillance devices and to identify technical security weaknesses that could aid in the conduct of a technical penetration of the surveyed facility. 

  • Tele-centre

    A location separate to the employee’s home and remote from the agency’s normal business premises that provides access to an office environment and may provide remote access to agency ICT systems. These facilities may be provided on an agency-specific or shared basis.

  • Tele-work (telework, telecommuting)

    Paid work conducted away from an agency’s offices in a fixed location that requires at least periodic connection to the employer’s ICT network. Tele-work is distinguished from mobile computing by having a controlled environment and little need for portability of equipment. Tele-work is subject to a formal agreement between the agency and the employee.

  • TEMPEST

    The investigation of compromising emanations from electronic equipment such as computers. The term is also used for such compromising emanations.

  • Tendering

    The act of a potential contractor offering to perform services or supply goods for a specified cost.

  • Thin client technology

    Technology that allows remote access to information without storing any information on the host computer.

  • Third party interest (in competitive tendering and contracting)

    Any legal or equitable right, interest, power or remedy (no matter the degree) in favour of any person, other than the agency or the contractor, in connection with the contract, including any right of repossession, receivership, control or power of sale and any mortgage, charge, security or other interest.

  • Threat

    A source of harm that is deliberate or has the potential or intent to do harm.

  • Threat assessment

    Evaluation and assessment of the intentions of people who could pose a hazard to a resource or function, how they might cause harm and their ability to carry out their intentions. Threats need to be assessed to determine what potential exists for them to actually cause harm.

  • TO BE REVIEWED ON

    The TO BE REVIEWED ON endorsement marking is used where the classification is to be reviewed at the designated time.

  • TOP SECRET

    A security classification that shows that compromise of the official information could cause exceptionally grave damage to the national interest.

  • Treaty

    A treaty is an agreement between states (countries) that is binding by international law. In some cases, international organisations can be parties to treaties. A treaty may also be called a convention, protocol, covenant or exchange of letters.

  • TSCM

    Technical Surveillance Countermeasures

  • Unauthorised access (to facilities or assets)

    Access to official facilities or assets that is not sanctioned by government policy or agency direction or an entitlement under legislation.

  • Unauthorised access (to information)

    Access to official information that is not based on a legitimate need to know, sanctioned by government policy or agency direction or an entitlement under legislation.

  • Unauthorised disclosure (of official information)

    The communication or publication of official information where it is not based on a legitimate need to know, sanctioned by government policy or agency direction or an entitlement under legislation.

  • Unclassified (information)

    Official information that is not expected to cause harm and does not require a security classification. It may be unlabelled or it may be marked ‘UNCLASSIFIED’. This type of information represents the bulk of official information.

  • Unplanned event

    An event that occurs at short notice, is routine or otherwise does not allow for, or require, detailed planning, including security planning. Also see Event.

  • Unsecured area

    A superseded term for an area that does not meet the required physical security measures to be classified as an intruder resistant, partially secure or secure area. Replaced by security zones.

  • UPS

    Uninterruptible Power Supply

  • Vetting

    A background checking process and assessment action to determine a realistic and informed evaluation of an individual’s suitability for access to protectively marked material and to hold the appropriate security clearance.

  • Vetting officer (NZSIS)

    NZSIS vetting officers assess candidates undergoing security vetting against established criteria that measure and influence their suitability to hold a security clearance. Vetting officers conduct interviews with and assessments on candidates applying for a national security clearance in accordance with the procedures outlined in the PSR.

  • Violation

    See Security violation.

  • Virtual Private Network (VPN)

    The tunnelling of network traffic through another network, separating the VPN traffic from the underlying network. A VPN can encrypt traffic, if necessary.

  • Virus (ICT systems)

    See Malware.

  • Visitor

    A visitor is any person whose duties do not normally require them to access the area being visited, or who does not qualify for an appropriate pass, but who can demonstrate a legitimate reason for seeking entry to the area.

  • VPN

    Virtual Private Network

  • Vulnerability (ICT systems)

    A flaw, bug or misconfiguration that can be exploited to gain unauthorised access to a network or information.

  • Vulnerability (risk management)

    The degree of susceptibility and resilience of an agency to hazards.

  • Wireless communication

    The transmission of data over a communications path using electromagnetic waves rather than a wired medium.

  • Zone Five

    Security area with the highest level of controls and strict visitor and employee access controls on a needs basis.

  • Zone Four

    Security area with a higher level of security controls and strict visitor and employee access controls on a needs basis.

  • Zone One

    Unsecured area, including out of the office working arrangements.

  • Zone Three

    Security area with high security controls, strict control of visitors on a needs basis and access to employees controlled.

  • Zone Two

    Low security area with some security controls and access control for visitors.

  • [DEPARTMENT(S)] USE ONLY

    The [DEPARTMENT(S)] USE ONLY endorsement marking is used for material that is intended only for use within the specified department(s).