ABOUT002, ABOUT004, ABOUT007, GOV002
Managing security risks proportionately and effectively enables organisations to protect people, information and assets. To successfully manage security risks organisations must ensure security is part of their organisational culture, practices and operational plans.
The PSR contains eight governance requirements which work together to ensure effective oversight and management of all security areas.
Establish and maintain a governance structure that ensures the successful leadership and oversight of protective security risk. Appoint members of the senior team as:
To implement protective security requirements, your organisation must clearly:
Develop a governance structure that enables you to effectively identify and manage security risks.
Your organisation head is responsible for reviewing and endorsing your proposed security risk management structures, assurance mechanisms, and resource allocations.
Adopt a risk management approach that covers every area of protective security across your organisation, in accordance with the New Zealand standard ISO 31000:2018 Risk Management – Guidelines.
Develop and maintain security policies and plans that meet your organisation’s specific business needs. Make sure you address security requirements in all areas: governance, information, personnel, and physical.
The right risk-management approach will vary from organisation to organisation, but your process should be transparent and justifiable. Risk avoidance is not risk management.
Your organisation’s process for managing security risks should aim to:
Common messages for managing security risks well are:
Your policies and plans for protective security should:
Maintain a business continuity management programme, so that your organisation’s critical functions can continue to the fullest extent possible during a disruption. Ensure you plan for continuity of the resources that support your critical functions.
Critical services and associated assets need to remain available to assure the health, safety, security and economic wellbeing of New Zealanders, and the effective functioning of government.
A business continuity management (BCM) programme should be part of your organisation's overall approach to effective risk management.
BCM planning sets out the processes you should follow in the event of a disruption to business. A key risk for organisations is being unable to remain operational in the event of a crisis or other disruption.
Carry out the following activities to ensure your BCM programme is effective.
Provide regular information, security awareness training, and support for everyone in your organisation, so they can meet the Protective Security Requirements and uphold your organisation’s security policies.
To successfully deliver the PSR, everyone who works for your organisation needs to know and follow your security policies and processes.
To improve awareness of and compliance with your security measures, your organisation should:
Provide everyone who works for you with guidance on the relevant sections of legislation covering the unauthorised disclosure of official information, including the:
The combined effect of the Crimes Act 1961 and the Summary Offences Act 1981 is that the unauthorised disclosure of information held by the New Zealand Government is subject to the sanction of criminal law. Your people need to be aware of whether and how such legislation applies to their role.
Identify and manage the risks to your people, information, and assets before you begin working with others who may become part of your supply chain.
The PSR applies as much to service providers and outsourced services as it does to your internal operations.
When you outsource services or functions, your organisation should:
Make sure every security incident is identified, reported, responded to, investigated, and recovered from as quickly as possible. Ensure any appropriate corrective action is taken.
The purpose of a security investigation is to establish the cause and extent of an incident that has, or could have, compromised your organisation or the New Zealand Government.
The process of investigating and reporting security incidents also helps you to understand your vulnerabilities and reduce the risk of future incidents.
A security investigation should protect both the interests of the New Zealand Government and the rights of affected individuals.
Your organisation must apply the principles of natural justice and procedural fairness to all security investigations.
Your procedures should give due regard to ensuring the integrity of any other current or future investigation by your organisation or that of another.
If an incident is potentially serious, you must consult with the:
Develop plans and be prepared to implement heightened security levels in emergencies or situations where there is an increased threat to your people, information, or assets.
Your organisation must be ready to respond to emergency and increased threat situations.
Your plans for moving up to heightened security levels should integrate and coordinate with other emergency prevention and response plans. For example, plans for responding in case of a fire, bomb threat, hazardous chemical spill, power failure, evacuation, or civil defence emergency.
Use an annual evidence-based assessment process to provide assurance that your organisation’s security capability is fit-for-purpose. Provide an assurance report to Government through the Protective Security Requirements team if requested.
Review your policies and plans every 2 years, or sooner if changes in the threat or operating environment make it necessary.
An annual self-assessment helps your organisation to know if your security measures are right, and to improve security if you need to.
The assessment and reporting process aims to help your organisation check how well you’re ensuring that:
The process comprises internal self-assessment and reporting, and in some cases external reporting to lead security organisations.