Physical security zones

Use security zones to match your security to the risks facing your people, information or assets

PHY017


Extra security measures apply to areas where protectively-marked information and other official or valuable resources are processed, handled, discussed, and stored. These areas are called ‘security zones’. Security zones are based on the business impact levels (BILs) and each has minimum security controls that your organisation must implement.

If your organisation faces increased threat levels, use your risk assessments to work out what extra measures you need in each affected zone. Increased threat levels can be due to foreign interference, politically motivated violence, criminal activity, or cyber-attacks.

The zone requirements provide a minimum level of assurance against:

  • information being compromised, damaged, or unavailable
  • physical assets being compromised, lost, or damaged.

Meeting the minimum zone standards gives assurance to other organisations when you are sharing information or assets.

However, these minimum requirements may not be enough to protect your people, information, and physical assets. Use your risk assessments to work out which additional mitigations you need. Your organisation must use the right security controls to treat the risks you identify.

Zone 1

Public access areas

These are unsecured areas including out-of-office working arrangements. They provide limited access controls to information and physical assets where any loss would result in a low to medium business impact. They also provide limited protection for people.

Examples of public access areas are:

  • building perimeters and public foyers
  • interview and front-desk areas
  • temporary out-of-office work areas where the agency has no control over access
  • field work, including most vehicle-based work
  • public access parts within multi-building facilities (for example cafes or shops).

In zone 1, you can:

  • store information and physical assets needed to do business with low-to-medium BILs
  • use information and physical assets with a high or very high BIL (storage is not recommended but is permitted if unavoidable)
  • use information and physical assets with a BIL above very high (extreme or catastrophic) only under exceptional circumstances with approval of the originating agency (no storage is permitted).

Zone 2

Work areas

These are low-security areas with some controls. They provide access controls to information and physical assets where any loss would result in a business impact up to very high. They also provide some protection for people.

Zone 2 areas allow unrestricted access for your people and contractors. Public or visitor access is restricted.

Examples of work areas are:

  • normal office environments
  • normal out-of-office or home-based worksites where you can control access to areas used for your business
  • interview and front-desk areas where your people are separated from clients and the public
  • military bases and airside work areas with a security fence around the perimeter and controlled entry points
  • vehicle-based work where the vehicle is fitted with a security container, alarm and immobiliser
  • exhibition areas with security controls and controlled public access.

In zone 2, you can:

  • store information and physical assets with a BIL up to very high
  • use information and physical assets with an extreme BIL (this information should not normally be stored in the area, and you must use approved security containers)
  • use information and physical assets with a catastrophic BIL only under exceptional circumstances to meet operational imperatives, with approval of the originating agency. No storage is permitted.

Zone 3

Restricted work areas

These are security areas with high security controls. They provide access controls to information and physical assets where any loss would result in a business impact up to extreme. They also provide protection for people.

Access for your people and contractors is limited to those with a need to access the area. People with ongoing access must hold an appropriate security clearance. Visitors must be escorted, or closely controlled, and have a business need to access the area.

Examples of restricted areas are:

  • secure areas within your building that have extra access controls for your people (such as IT server rooms)
  • exhibition areas with very valuable assets
  • areas with high-value items or items of cultural significance when not on display.

In zone 3, you can:

  • store information or physical assets with a BIL up to extreme
  • use information with a catastrophic BIL (but this information should not normally be stored in the area).

Zone 4

Security areas

These are security areas with higher levels of security. They provide access controls to information where any loss would result in a business impact up to extreme, and to physical assets where any loss would result in a business impact up to catastrophic. They also provide protection for people.

Access for your people is strictly controlled with ID verification and card access. People with ongoing access must hold an appropriate security clearance. Visitors and contractors must be closely controlled and have a business need to access the area.

Examples of security areas are:

  • secure areas within your building that have extra access controls for your people
  • exhibition areas with very valuable assets with specific item asset protection controls and closely controlled public access
  • areas used to store high-value items or items of cultural significance when not on display.

In zone 4, you can:

  • store information with a BIL up to extreme
  • use information with a catastrophic BIL (but this information should not normally be stored in the area).

Zone 5

High-security areas

These are security areas with the highest level of security controls. They provide access controls to information where any loss would result in a business impact up to catastrophic.

Access for your people is strictly controlled with ID verification and card access. People with ongoing access must hold an appropriate security clearance. Visitors and contractors must be closely controlled and have a business need to access the area.

Examples of high-security areas are:

  • areas storing TOP SECRET, sensitive, or compartmented information
  • New Zealand Intelligence Community facilities.

In zone 5, you can store information marked TOP SECRET, compartmented information, or large quantities of information that when aggregated have a catastrophic BIL.


Security in depth

PHY018

Design a multi-layered system of security measures to increase protection.

Layering your physical security measures means the security of your people, information, and assets is not significantly reduced with the loss or breach of any single layer. By designing security measures that combine to support and complement each other, you will make it difficult for an external intruder or an employee to gain unauthorised access. This method is called ‘security in depth’.

To ensure security in depth, your organisation must:

  • use a combination of measures to protect and control access to your people, information, physical assets, and premises
  • select physical security products that provide the right levels of protection (as determined by your risk assessment).

Achieving security in depth

To achieve security in depth, layer the zones, working in from Zone 1 and increasing the protection with each new zone.

The following diagram shows a possible combination of security zones to achieve security in depth.

Because the level of protection increases with each zone, every layer you add lengthens the delay an intruder faces before reaching the inner zones. The cumulative delay gives your response force more time to intercept any attempt at unauthorised entry before the intruder reaches the information or assets being protected.

The following diagram shows how security in depth can provide enough delay for an effective security response.

Security incident timeline
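The delay-versus-response relationship in the incident timeline can be made concrete with a small model. The following is an added worked example, not code from the PSR page: each zone boundary is treated as a layer with a detection probability and a delay, the response force needs a fixed time to arrive, and the intruder is interrupted only if first detected at a layer where the delay still ahead of them (that layer plus every inner layer) is at least the response time. The layer names, detection probabilities, delays and the 300-second response time are all hypothetical values chosen to illustrate the principle; they are not figures from any technical note.

```python
"""
Added worked example, not part of the PSR page: a simple interruption model
for layered security zones ("security in depth"). Each zone boundary is a
layer the intruder must defeat; a layer has a probability that it detects
the attempt and a delay (time needed to get through it). The guard or
police response needs a fixed time to arrive. The intruder is interrupted
only if first detected at a layer where the delay still ahead (that layer
plus every inner layer) is at least the response time. Detection events at
different layers are treated as independent. All figures below are
hypothetical and chosen only to show how cumulative delay behaves.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Layer:
    name: str
    p_detect: float  # probability the layer detects an attempt to defeat it
    delay_s: float   # seconds an intruder needs to get through the layer


def remaining_delay(layers: List[Layer], i: int) -> float:
    """Delay still ahead of the intruder when layer i is attacked
    (layer i itself plus all inner layers)."""
    return sum(layer.delay_s for layer in layers[i:])


def critical_detection_index(layers: List[Layer], response_s: float) -> Optional[int]:
    """Index of the innermost layer at which detection still leaves enough
    delay for the response force to arrive, or None if no layer does.
    Detection inside this point comes too late to stop the intruder."""
    last_ok = None
    for i in range(len(layers)):
        if remaining_delay(layers, i) >= response_s:
            last_ok = i
    return last_ok


def p_interruption(layers: List[Layer], response_s: float) -> float:
    """Probability that the intruder is first detected early enough to be
    interrupted before reaching the target."""
    p_undetected_so_far = 1.0
    p_int = 0.0
    for i, layer in enumerate(layers):
        p_first_detected_here = p_undetected_so_far * layer.p_detect
        if remaining_delay(layers, i) >= response_s:
            p_int += p_first_detected_here
        p_undetected_so_far *= 1.0 - layer.p_detect
    return p_int


# Hypothetical layers, outermost first. Detection probabilities and delays
# are illustrative, not values from any technical note.
ZONE_1 = Layer("Zone 1: perimeter fence with CCTV", p_detect=0.6, delay_s=30)
ZONE_2 = Layer("Zone 2: building shell, card-access doors", p_detect=0.7, delay_s=60)
ZONE_3 = Layer("Zone 3: restricted area, alarmed door", p_detect=0.9, delay_s=120)
ZONE_4 = Layer("Zone 4: security area, strongroom door and container", p_detect=0.95, delay_s=180)

RESPONSE_S = 300  # hypothetical response force arrival time in seconds

TWO_ZONE = [ZONE_1, ZONE_2]
FOUR_ZONE = [ZONE_1, ZONE_2, ZONE_3, ZONE_4]


def report(layers: List[Layer], response_s: float) -> str:
    """Human-readable timeline: delay ahead at each layer, the critical
    detection point, and the overall interruption probability."""
    lines = [f"total delay {remaining_delay(layers, 0):.0f}s, response {response_s:.0f}s"]
    for i, layer in enumerate(layers):
        ahead = remaining_delay(layers, i)
        verdict = "interrupt possible" if ahead >= response_s else "too late"
        lines.append(f"  {layer.name}: {ahead:.0f}s ahead -> {verdict}")
    cdp = critical_detection_index(layers, response_s)
    lines.append(f"  critical detection point: {layers[cdp].name if cdp is not None else 'none'}")
    lines.append(f"  P(interruption) = {p_interruption(layers, response_s):.3f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Two-zone facility:\n" + report(TWO_ZONE, RESPONSE_S))
    print("Four-zone facility:\n" + report(FOUR_ZONE, RESPONSE_S))
```

With these figures the two-zone facility never gives the response force enough time: even detection at the perimeter leaves only 90 seconds of delay against a 300-second response, so the interruption probability is zero regardless of how good the sensors are. Adding Zones 3 and 4 pushes the critical detection point inward to the Zone 3 boundary and raises the interruption probability to about 0.99. The model also shows the caveat a practitioner should keep in mind: delay added inside the critical detection point (the Zone 4 container here) buys nothing on its own unless detection happens earlier, which is why detection and delay have to be designed together rather than layered blindly.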

As the zone levels increase, your protective security measures should progressively change to protect information and physical assets.

The number of zones you need depends on the different levels of assurance and segregation required.

Sometimes, it isn’t possible for higher zones to be located fully within lower zones. In those cases, consider strengthening the external walls of the higher zones.

Zone 1 should include perimeter protection measures, for example blast mitigation and counter-terrorism protection.

You should work out the minimum and maximum zones required in your facilities. For example, organisations with:

  • BILs of low to medium may only need zone 1 or zone 2
  • BILs up to, and including, high to very high may need zone 1 and zone 2
  • BILs up to, and including, extreme may need zones 1 to 4*
  • BILs up to, and including, catastrophic may need zones 1 to 5**

* Use zones 3 or 4 for all general staff access areas rather than zone 2.

** Use zone 4 for all general staff access areas.

For more on the BILs, go to Applying the Business Impact Levels.

Diagram 3 shows some of the different ways that you can layer zones to provide increased protection.

Combining security zones to increase protection

Securing protectively-marked information and assets in security zones

Your organisation must comply with the minimum security requirements for protectively-marked information and assets.

Zones 3 to 5

Refer to the requirements set out in Table 1: Security zone requirements to protect marked information and assets with a BIL of extreme or catastrophic to national security.

You must also comply with ‘NZSIS Technical Note - Physical Security of Zone 5 Areas’ when constructing security areas to store TOP SECRET information or aggregated information with a catastrophic BIL. The information in the technical note is classified.

If for any reason your organisation can’t meet these requirements, you must get approval for each site from the originator of the material to hold any TOP SECRET information or aggregation of information with a catastrophic BIL.

When you’re constructing zone 3 or 4 areas that will store protectively-marked information, you must comply with ‘NZSIS Technical Note - Physical Security of Secure Areas’. This information is classified.


Certifying and accrediting security zones

PHY039

Certification and accreditation is the process for granting approval to operate a facility or specific security zone. It is a two-step process:

  • Certification confirms that the security controls specified in the design have been correctly implemented.
  • Accreditation is the formal approval to operate and the acceptance of any residual risks.

Accreditation is the responsibility of your organisation head but this may be delegated, typically to your Chief Security Officer (CSO).

Responsibility for certification should be assigned to someone appropriate in your organisation who is not responsible for accreditation. Typically this would be your Property Manager, or equivalent.

You must accredit your facilities from Zone 1 to Zone 5. This confirms that approval to operate has been given based on the certification requirements being met and any residual risks accepted.

Zone 5 areas used to access or discuss Sensitive Compartmented Information (SCI) or codeword information must also be accredited by the GCSB.

Certification requirements

The person certifying your facility or zone needs to sight and be satisfied with the following documentation. Things to consider for each item are noted alongside it.

  • A threat assessment for the facility or zone. This may be informed by external parties, for example the NZ Police or NZSIS.
  • A security risk assessment for the facility or zone.
  • A site security plan.
  • Certification from the designer or installer that your alarm system meets the technical note requirements relevant to the zone, and has been installed as per the design and tested to ensure it operates correctly. Use of an alarm system in Zone 1 and Zone 2 is your organisation’s choice.
  • Certification from the designer or installer that your electronic access control system meets the technical note requirements relevant to the zone, and has been installed as per the design and tested to ensure it operates correctly.
  • Certification that any additional controls have been correctly installed and tested to ensure they function correctly. See Table 2 – Additional controls.
  • Results of a site inspection. For Zone 5, NZSIS will perform the site inspection.

Accreditation requirements

The person accrediting your facility or zone needs to sight and be satisfied with the following documentation. Things to consider for each item are noted alongside it.

  • Certification that the security controls specified in the security plan have been correctly implemented. For Zone 5, NZSIS will provide the certification.
  • Identification of any residual risks.

Table 2 - Additional controls

These physical security measures may be used to address specific threats. This list is not exhaustive. Each entry gives the measure, then the specific risk it addresses.

  • Hidden and/or fixed duress alarm: personnel safety concerns for reception areas and meeting rooms. May be of value for home-based workers.
  • Individual duress alarm: personal safety concerns for personnel in the field or unpatrolled public areas.
  • Individual item alarm and/or alarm circuit: additional protection for valuable physical assets in premises, and protection for physical assets on display.
  • Vehicle alarm: deters vehicle theft, or theft of information and physical assets from vehicles.
  • Two-person access system: protection of extremely sensitive information.
  • Vehicle safes: deter theft of information and physical assets from vehicles.
  • Vehicle immobilisation: prevents vehicle theft.
  • Front counters and interview or meeting rooms: restrict access by aggressive clients or members of the public, and allow interactions without giving access to security areas.
  • Mailrooms and delivery areas: provide a single point of entry for all deliveries, and stop mail-borne threats entering a facility without screening.
  • Technical surveillance countermeasures and audio security: reduce vulnerability to, or detect, the unauthorised interception of sensitive or protectively-marked information, and reduce vulnerability to electronic eavesdropping on sensitive conversations.
  • Conference security: extra measures taken for a conference to prevent unauthorised people gaining access to protectively-marked information and to ensure the proceedings are conducted safely and without disruption.