Physical security

PHY004

Meet the mandatory requirements for physical security

Keep your organisation secure with robust physical security by following the mandatory requirements and the associated physical lifecycle stages explained below.

Understand what you need to protect

Before you can put the right physical security measures in place, you must understand what you need to protect. You may need to protect:

  • your people, information, and assets
  • the public or customers
  • cultural holdings.

How will your facilities be used?

You need to understand how your facilities will be used, who will use them, who may visit them, and what will be stored in them. Remember to include any classified information or assets you store, and legislative requirements you need to meet.

Are your people working away from the office?

Consider the situations that your people might face when they are working away from the office.

Will they be working at home? In remote locations? In someone else’s building? Overseas?

Have you taken health and safety needs into account?

Under the Health and Safety at Work Act 2015, organisations must:

  • take all reasonable steps to minimise the risk of harm to employees, clients, and the public
  • ensure their physical security plans address the risk of harm to clients and the public.

Is your organisation co-locating?

If you’re co-locating, work in partnership with the other parties to build a shared understanding of physical security issues and each other’s security requirements.


Assess your physical security risks

When you assess your organisation’s unique risks, you can work out which physical security measures you need to reduce those risks to an acceptable level.

You need to know where you are vulnerable and how your organisation would be affected by breached security. Here are some questions to answer.

  • During what hours will be people be arriving, departing, and working at each site?
  • How many people will be working at each site?
  • Which third parties have access to your facilities?
  • What are the risks associated with collections of information and physical assets you hold?
  • What are the risks associated with higher concentrations of people in certain areas?
  • Which activities does your organisation undertake at each site?
  • Are there threats that arise from your activities?
  • What threats arise from your location and neighbours?

Evaluate the likelihood and impact of each risk to help you understand where you need to take further action. For any risks you can’t accurately assess internally, call on external sources such as local police or other authorities.

If you’re co-locating with other organisations, consider the combined security risks and work together to assess them.

Remember to:

  • assess the risks of each site you use separately, as you need to develop site-specific security plans
  • include physical security risks in your organisation’s risk register(s). 


PHYSEC2 - Design your physical security

Consider physical security early in the process of planning, selecting, designing, and modifying facilities.
Design security measures that address the risks your organisation faces and are consistent with your risk appetite. Your security measures must be in line with relevant health and safety obligations.

Design physical security early in your processes

Since physical security measures can be more expensive and less effective if they’re introduced later, consider your physical security requirements at the earliest stages — preferably during the concept and design stages. Apply this strategy any time you’re:

  • planning new sites or buildings
  • selecting new sites
  • planning alterations to existing buildings.

For high-risk sites or buildings, you might need to consult early with specialist organisations, such as the New Zealand Security Intelligence Service (NZSIS) and the Government Communications Security Bureau (GCSB).

Evaluate physical security risks before you select a site

Evaluate the following factors to work out if a site is suitable:

  • the neighbourhood
  • the size of the stand-off perimeter
  • site access and parking
  • building access points
  • security zones.

Prepare site security plans

Use your site-specific risk assessments to help you:

  • prepare site-specific security plans
  • include security requirements within other site development plans. 

Your organisation needs to have a site security plan for all new sites, facilities under construction, and facilities undergoing major refurbishments. This plan should align with any minimum security standards your organisation has agreed for specific types of facility.

For each site security plan, ensure that physical security measures:

  • provide enough delay to allow planned responses to take effect
  • meet business needs
  • complement and support other operational procedures
  • include any necessary measures to protect audio and visual privacy
  • do not unreasonably interfere with the public.

Use security zones to reflect business impact levels

Extra security measures apply to areas where protectively-marked information and other official or valuable resources are processed, handled, and stored. These areas are called ‘security zones’. Security zones are based on the BILs and each has minimum security controls that your organisation must implement.

If your organisation faces increased threat levels, use your risk assessments to work out what extra measures you need in each affected zone. Increased threat levels can be due to foreign interference, politically motivated violence, criminal activity, or cyber-attacks.

Zone 1: Public Access Area

These are unsecured areas including out-of-office working arrangements. They provide limited access controls to information and physical assets where any loss would result in a low to medium business impact. They also provide limited protection for people.

Examples of public access areas are:

  • building perimeters and public foyers
  • interview and front-desk areas
  • temporary out-of-office work areas where the agency has no control over access
  • field work, including most vehicle-based work
  • public access parts within multi-building facilities.

Zone 2: Work Area

These are low-security areas with some controls. They provide access controls to information and physical assets where any loss would result in a business impact up to very high. They also provide some protection for people.

These areas allow unrestricted access for your people and contractors. Public or visitor access is restricted.

Examples of work areas are:

  • normal office environments
  • normal out-of-office or home-based worksites where you can control access to areas used for your business
  • interview and front-desk areas where your people are separated from clients and the public
  • military bases and airside work areas with a security fence around the perimeter and controlled entry points
  • vehicle-based work where the vehicle is fitted with a security container, alarm, and immobiliser
  • exhibition areas with security controls and controlled public access.

Zone 3: Restricted Work Area

These are security areas with high security controls. They provide access controls to information and physical assets where any loss would result in a business impact up to extreme. They also provide protection for people.

Access for your people and contractors is limited to those with a need to access the area. People with ongoing access must hold an appropriate security clearance. Visitors must be escorted, or closely controlled, and have a business need to access the area.

Examples of restricted areas are:

  • secure areas within your building that have extra access controls for your people (such as IT server rooms)
  • exhibition areas with very valuable assets
  • areas with high-value items or items of cultural significance when not on display.

Zone 4: Security Area

These are security areas with higher levels of security. They provide access controls to information where any loss would result in a business impact up to extreme, and physical assets where any loss would result in a business impact up to catastrophic. They also provide protection for people.

Access for your people is strictly controlled with ID verification and card access. People with ongoing access must hold an appropriate security clearance. Visitors and contractors must be closely controlled and have a business need to access the area.

Examples of security areas are:

  • secure areas within your building that have extra access controls for your people
  • exhibition areas with very valuable assets, with specific item asset protection controls and closely controlled public access
  • areas used to store high-value items or items of cultural significance when not on display.

Zone 5: High-Security Area

These are security areas with the highest level of security controls. They provide access controls to information where any loss would result in a business impact up to catastrophic.

Access for your people is strictly controlled with ID verification and card access. People with ongoing access must hold an appropriate security clearance. Visitors and contractors must be closely controlled and have a business need to access the area.

Examples of high-security areas are:

  • areas storing top secret, sensitive, compartmented information
  • New Zealand Intelligence Community facilities.


Apply good practice for physical security design


Security by design

Physical security measures are capable of mitigating a range of risks. However, given enough time and determination, an unauthorised person can compromise almost any physical security measure.

Physical security measures aim to protect people, information, and assets from compromise or harm by applying the ‘Deter, Detect, Delay, Respond, Recover’ model.

Deter

Deter or discourage unauthorised people from attempting to gain unauthorised access to your facility. Implement measures that unauthorised people perceive as too difficult or needing special tools and training to defeat.

Detect

Detect unauthorised access as early as possible. Implement measures to work out whether an unauthorised action is occurring or has occurred.

Delay

Delay an unauthorised access attempt for as long as possible to allow an effective security response to be activated. Implement measures to slow the progress of a harmful event.

Respond

An effective response counters the anticipated activity of an unauthorised person within a time appropriate to the delay measures. Prepare measures to prevent, resist, or mitigate the impact of an attack or event.

Recover

Take the steps required to recover from a security incident. Plan to restore operations to as near normal as possible in a timely manner following an incident.

Use multiple layers of security — ‘security in depth’

A key concept in physical security is ‘security in depth’ — a multi-layered system in which security measures combine to support and complement each other. You can apply this concept by placing zones within zones. This layering increases total delay times and creates additional barriers. Any unauthorised person trying to access the higher zones will meet increasing levels of controls.

The following diagram shows a possible combination of security zones.

Use NZSIS-approved product

Government organisations must use items from the NZSIS Approved Products List (APL) for the protection of people, information, and assets.

The information in the list is classified. Contact the PSR team for more information.

Address all points where your physical security could be breached

Design your security measures to address your critical physical security risks and vulnerabilities, including cyber-security threats, your physical security culture, and security products and processes.

Know and comply with all relevant laws and standards

The design of your physical security measures must comply with the Health and Safety at Work Act 2015, the Privacy Act 1993, the Building Act 2004, and any associated regulations. The design must comply with any relevant international conventions (for example, the United Nations Convention against Torture, and Other Cruel, Inhuman or Degrading Treatment or Punishment).

Your design must also comply with the NZSIS Technical Notes (for Zone 3, 4, or 5 areas) and the New Zealand Information Security Manual (NZISM).

You must also work out whether any safety hazards could arise from your security measures, and then have a plan to manage those hazards in line with relevant legislation.

Add to your business continuity and disaster recovery plans

The physical security requirements you identify during the design phase should also be in your business continuity and disaster recovery plans, to ensure ongoing security in the event of a business disruption.

Apply ‘Crime prevention through environmental design’ (CPTED)

Make CPTED an integral part of your facility planning. Use CPTED to identify which aspects of your physical environment could affect people’s behaviour, and then design your physical environment to minimise crime.

Collaborate to make shared facilities secure

If your organisation shares accommodation or facilities with other organisations, conduct a risk assessment and apply physical security measures collaboratively to address collective risks.

Evaluate the risks of co-tenancies in any shared facility when you carry out your risk assessment.

Consider how security measures for one area could affect other areas

Consider the threat profiles of different areas within your organisation when you develop physical security measures. For example, do physical security measures in one area affect the security or operations of any other areas?

Assess physical security risks for people working away from the office

When you develop policies and procedures for people working remotely, consider any increased security risks to your people, information, and physical assets.

Accept: Get your physical security design accepted

Before you can implement your physical security measures, your Chief Security Officer (CSO) or other delegated person must accept that the proposed security design:

  • is fit for purpose
  • will address your organisation’s specific requirements.

Consider whether you have mitigated your risks and vulnerabilities in all the areas you identified in the risk assessment phase before you submit your physical security plan for sign-off.

Implement your physical security measures

During this phase, you implement the agreed physical security measures, including policies, processes, and technical measures.

Build physical security into your business relationships and contracts

Work with your suppliers, co-tenants, and landlords to ensure they understand and can meet your security requirements. Build good physical security into your contracts and partnerships.

Remember to include all relevant measures or outcomes identified in your site security plans in building design briefs, requests for tender, and contracts.

Manage your planning and building processes

You need to account for the risks involved in the planning and building lifecycle. Make sure your physical security measures are implemented when there are new builds, refurbishments, or assets shifted from one workplace or area to another. Take the implementation process right through to when assets and information are retired or destroyed.

PHYSEC3 - Validate your security measures

Confirm that your physical security measures have been correctly implemented and are fit for purpose.
Complete the certification and accreditation process to ensure that security zones have approval to operate.

 
Validate your physical security measures

Validating your organisation’s physical security measures means finding out if they’ve been correctly implemented and are fit for purpose.

Provide trust and accountability through validation

Your CSO decides whether the measures are right for the risks your organisation faces. These risks may vary from site to site. The validation step gives senior executives confidence that physical security is well managed, risks are properly identified and mitigated, and governance responsibilities can be met.

Ensure you are certified and accredited

Conduct the certification and accreditation process required for the type of physical security measure being implemented.

Ensure security zones are accredited

For physical spaces, follow the certification and accreditation processes required by the security zone. As well as keeping your organisation secure, accreditation gives organisations you work with confidence in your security.

Meet security requirements for protectively-marked information

Extra security measures apply to protectively-marked information to help keep this important and valuable information safe.

Make sure you are familiar with the physical security requirements for protectively-marked information and equipment addressed in the requirements for security zones 3 to 5.

PHYSEC4 - Keep your security up to date

Ensure that you keep up to date with evolving threats and vulnerabilities, and respond appropriately.
Ensure that your physical security measures are maintained effectively so they remain fit for purpose.

Operate and maintain

Raise awareness of your physical security measures

An important part of maintaining security is providing security awareness training and support. Communicate your physical security policies to your people and to the people your organisation works with. Let them know when physical security arrangements change, and, when possible, say why.

People should be encouraged to report emerging concerns or near misses, and be seen as good corporate citizens rather than troublemakers.

Analyse evolving threats and vulnerabilities

Keeping your people, information, and assets secure involves ongoing activity to detect and manage evolving threats and vulnerabilities.

To manage your vulnerabilities in your physical security, take the following action.

  • Monitor your systems, assets, and people.
  • Observe events and processes to detect suspicious or unauthorised events.
  • Be proactive to stay on top of vulnerabilities or weaknesses in your layers of security.
  • Assess your security measures against best practice and known security threats.
  • Analyse, prioritise, and report on vulnerabilities that pose the most immediate risk to your organisation.
  • Apply and track fixes to completion.

Keep your physical security measures up to date

To be effective, your physical security measures must reflect your actual risks. Stay up to date and prepared by:

  • proactively maintaining your user access control systems (e.g. testing duress alarms, checking batteries every 6 months)
  • testing your procedures to ensure they are fit for purpose.

Respond to physical security incidents

You need to manage security incidents well to reduce their impact. Aim to both reduce the impact of any incident and recover quickly.

Responding to security incidents should be part of your security plan.

Respond and recover: When an incident happens, follow your processes for responding to the incident. Act quickly to reduce the impact, and help your organisation recover as quickly as possible. You might also need to restore the confidence of anyone who has been affected by an incident.

Record and assess: Record the details of any incident or near miss, and assess the degree of the compromise or harm.

Communicate: Make sure you communicate security incidents to the affected parties and any relevant authorities. You might need to warn people to avoid further harm or report on the incident.

Investigate, act if necessary, and learn: After a security incident, you need to investigate. If necessary, take further action. Make sure your organisation learns from the incident, so you can improve your security measures.

GOV8 - Assess your capability

Use an annual evidence-based assessment process to provide assurance that your organisation’s security capability is fit-for-purpose. Provide an assurance report to Government through the Protective Security Requirements team if requested.
Review your policies and plans every 2 years, or sooner if changes in the threat or operating environment make it necessary.

Review your physical security measures regularly

Undertake regular reviews to ensure your security measures remain fit for purpose. Identify changes in your use of facilities, in your organisation, or your threat environment. Use this information to inform improvements.

Conduct periodic reviews and assure compliance

Regularly monitor, review, and audit your physical security measures. You need to know if:

  • your physical security policies are being followed
  • your physical security controls are working as planned
  • any changes or improvements are necessary.

Identify changes in your security environment

Be prepared to restart your physical security lifecycle whenever your security environment changes. Consider these questions to inform changes and improvements.

  • Are you using your information and assets in a different way?
  • Are you using your facilities in a different way?
  • Are your people working in a different way?
  • Are you planning improvements to internal or external security services?
  • Have you identified new security threats and vulnerabilities?


Retire securely

When your building, facilities, information, or assets are no longer needed, make sure you consider the security implications during the decommissioning phase.

Have a plan for destroying, redeploying, or disposing of your facilities, information, or assets securely. For example:

  • safes or filing cabinets containing classified information
  • printers / multi-function devices.

Destroy protectively-marked information and equipment properly

You must use NZSIS-approved destruction equipment or an NZSIS-approved destruction service to destroy protectively-marked information and equipment, so that the waste can’t be reconstructed or used.

Page last modified: 19/09/2019