Glossary

A

Access

Obtaining knowledge or possession of information (including verbal, electronic and hard copy information) or other resources, or obtaining admittance to an area.

Access control system

A system designed to limit access to facilities to authorised people whose identity has been verified.

Accountable

Required or expected to justify actions or decisions; answerable and responsible.

ACCOUNTABLE MATERIAL

The ACCOUNTABLE MATERIAL endorsement marking is used to indicate that the information requires strict control over its access and movement, as well as regular auditing, to ensure its safe custody. What constitutes ACCOUNTABLE MATERIAL will vary from agency to agency. A risk assessment will determine the frequency of auditing practices.

Accreditation

The process by which an approving authority gives formal recognition and approval that appropriate levels of security have been implemented to protect facilities and/or systems.
Accreditation is designed to ensure minimum standards are met and maintained throughout the lifespan of facilities and Information and Communications Technology (ICT) systems, and that any residual risks are appropriately managed.

Adverse security vetting recommendation

A written assessment from the New Zealand Security Intelligence Service (NZSIS) containing a recommendation of prescribed administrative action that would be prejudicial to the interests of the candidate. For example, a recommendation that a candidate should not be given access to protectively marked material.

Aftercare (personnel security)

See Security clearance management.

Agency (or New Zealand government agency)

All New Zealand government departments, authorities, agencies or other bodies established in relation to public purposes, including departments and authorities staffed under the State Sector Act 1988 and Public Finance Act 1989. This includes the State Services Commission, tertiary education institutions, state-owned enterprises and mixed ownership model companies, as well as agencies operating as instruments of the legislative branch of government.

Agency head

The head of an agency as outlined above. Endorses and is accountable for all protective security within the agency.

Agency security management personnel

Employees who are responsible for the day-to-day protective security functions within that agency. Duties may include: security risk reviews and audits, security awareness programmes for agency staff, preparation of agency security plans and security risk management advice.

Agency security plan

The plan of action the agency uses to address its security risk, based on the context in which the agency operates and a thorough threat and risk review.

Agency-specific character checks (fit and proper person checks and personnel security)

Personnel or employment checks other than the security clearance vetting process, undertaken by agencies as part of their personnel security management to address specific agency risks.

Aggregation

A term used to describe collections of protectively marked or UNCLASSIFIED official information or assets where the business impact from the compromise of confidentiality, loss of integrity or unavailability of the combination of the information or assets is greater than its component parts and may require a higher level of protection.

Agreement (information sharing)

An instrument, agreement or treaty between the New Zealand Government and another government. An arrangement or Memorandum of Understanding (MOU) between a New Zealand government agency and a foreign agency for the exchange and protection of information.

AOG

All of Government

APPOINTMENTS

The APPOINTMENTS endorsement marking is used when the actual or potential appointments have not yet been announced, and for the deliberation during the recommendation–approval process.

Approved Products List (APL)

A list of all security products that have been tested and evaluated by the NZSIS and approved for use in the protection of national protectively marked information or material.

Asset

An item that has a value to an agency – including personnel, information, physical assets and services. Also see Official resources.

Attached staff

Government employees from any agency who are posted overseas and who work mainly from the chancery premises (building or office of a diplomatic or consular mission) managed by the Ministry of Foreign Affairs and Trade (MFAT).

Audit

An independent examination and verification of an agency’s systems and procedures, measured against predetermined standards.

Authentication

The process of confirming a claimed identity or information.

Authorised persons (specified persons)

Specified persons who are authorised by the agency to have access to carry out work or perform duties.

Availability (of information)

Availability means that authorised users have access to the information that they need. See also Integrity and Confidentiality.

B

BCM

Business Continuity Management

BCP

Business Continuity Plan

Bilateral agreement

An agreement between the New Zealand government or a New Zealand government agency and the government or agency of another country that provides for the reciprocal exchange of official information. Also see Multilateral agreement and Foreign Government Information (FGI).

BMS

Building Management System

Breach

See Security breach.

Briefings

Additional specific training required before a person is given access to certain compartmented marking information or sensitive sites.

BUDGET

The BUDGET endorsement marking is used for proposed or actual measures for the Budget before its announcement.

Business Impact Level (BIL)

The level of impact on an agency’s ability to operate or on the national interest, resulting from the compromise of confidentiality, loss of integrity or loss of availability of people, information or assets.

C

CABINET

The CABINET endorsement marking is used for material that will be presented to, and/or require decisions by, Cabinet or Cabinet committee.

Candidate (personnel security)

An individual undergoing security vetting is known as the candidate.

CCTV

Closed-Circuit Television

Certification

A procedure by which a formal assurance statement is given that functions, goods or services conform to a specified standard.

Change of circumstance

A relevant change to an employee’s personal circumstances subsequent to a security vetting being conducted and an assessment made.

Chief Information Security Officer (CISO)

A senior executive who is responsible for coordinating communication between security and business functions. The CISO also oversees the application of controls and security risk management processes within an agency.

Chief Security Officer (CSO)

The CSO is an agency executive with overall responsibility for security. The CSO is answerable to, and must have free access to, the agency head on all security-related matters. See New Zealand Government Protective Security Requirements – Security Structure and Agency Responsibilities.

CISO

Chief Information Security Officer

Classification system

New Zealand Government Information Security Classification System. This is the New Zealand government’s administrative system (principles, policies, guidance, tools, and resources) for the appropriate classification and handling of government information to ensure it is appropriately used, managed, and protected.

Classified Document Register (CDR)

A register that includes details of all accountable material, including TOP SECRET protectively marked documents and copies received.

Classified information

Classified information is any government information that requires security and special handling to protect it. The information is generally protectively marked with the classification level (e.g. IN-CONFIDENCE, SENSITIVE, RESTRICTED, CONFIDENTIAL, SECRET, TOP SECRET) and may also include other endorsement or compartmented markings. See also Protective marking, Endorsement marking, and Compartmented marking.

Clear desk policy

A policy requiring an individual to ensure that protectively marked or UNCLASSIFIED official information and other valuable resources are secured appropriately when the person is absent from the workplace.

Clear screen policy

A supplementary policy to the clear desk policy that requires a person to ensure that information on ICT equipment is secured appropriately when the person is absent from the work station, for example, by locking the ICT equipment.

Clearance (personnel security clearance)

See Security clearance.

Clearance process

In the context of personnel security clearances, the process of assessing a person’s suitability for access to protectively marked information (see Protective marking).

CNI

Critical National Infrastructure

Codeword

A type of compartmented marking. A codeword indicates that the information it covers is in a special need-to-know category. Those with a need to access the information will be cleared and briefed about the significance of this type of information. See also Source codeword.

Combined Threat Assessment Group (CTAG)

The CTAG is a fully seconded multi-agency intelligence centre. Its role is to mitigate the risk of the government receiving un-coordinated or conflicting threat assessments in relation to terrorist and criminal threats posing physical harm to New Zealand, its citizens and interests both domestically and overseas.

COMMERCIAL

The COMMERCIAL endorsement marking is used for commercially sensitive processes, negotiations or affairs.

Communications Security (COMSEC)

All measures (including the use of cryptographic security, transmission security, emission security and physical security measures) applied to protect government telecommunications from unauthorised interception and exploitation and to ensure the authenticity of such telecommunications.

Compartmented marking

A compartmented marking is an additional protective marking that is combined with the classification and endorsement marking (if applicable) indicating that the information is in a specific compartment. This word could be a codeword or ‘Sensitive Compartmented Information (SCI)’. See also Protective marking, Need to know, Endorsement marking, and SCI.

Competitive Tendering and Contracting (CTC)

A process of selecting the preferred provider of goods and services from a range of bidders by seeking offers and evaluating these against predetermined selection criteria.

Compromise

Information compromise is the intentional or unintentional unauthorised disclosure, removal, tampering, destruction, or misuse of the information.

COMPUSEC

Computer Security

Computer Security (COMPUSEC)

The measures taken to ensure the security of information stored on and accessed by computer, for example, access passwords, login information or anti-virus software.

COMSEC

Communications Security

COMSEC officer

The person in an agency who is responsible for authorising and controlling cryptographic access.

CONFIDENTIAL (security classification)

A security classification that shows that compromise of official information would damage the national interest in a significant manner.

Confidential information

Information provided with an expectation of confidentiality and that it will only be used by and made available to people with a genuine need to know. The meaning is broader than the information designated by the CONFIDENTIAL security classification.

Confidentiality (of information)

Confidentiality means that information is protected from unauthorised disclosure or access. See also Integrity and Availability.

Conflict of interest

An interest or obligation, either inside or outside New Zealand, that could interfere with, or hinder, a person’s performance of their duties, or be perceived to interfere or hinder a person’s performance of their duties.

Contact

See Security contact.

Contract

A legally enforceable agreement in which the parties to the contract set out the terms and conditions of the agreement, the rights and obligations or responsibilities of each party and the agreed outcomes of the relationship.

Contracted service provider (contractor)

A person or business entity that has contracted with an agency for the performance of services for, or supply of goods to, that agency.

Control

A measure used to protect official information from compromise of confidentiality, integrity and availability, or mitigate an identified threat to an agency’s people, information or assets.

Countermeasures

Barriers, including procedural, logical or physical countermeasures, used to protect official resources.

CPNI

Centre for the Protection of National Infrastructure (UK Government)

Crime Prevention through Environmental Design (CPTED)

A multi-disciplinary approach to deterring opportunistic criminal behaviour through environmental design using features including natural surveillance (includes direct and indirect presence), access control and territorial reinforcement, that is, the design of clear boundaries and use of landscaping features to define desired movement areas and delineate borders.

Cryptographic Information (CRYPTO)

Information relating to keying material and cryptosystems used for the protection of information. See the New Zealand Information Security Manual for further details on cryptographic requirements.

CTAG

Combined Threat Assessment Group (NZSIS)

CTC

Competitive Tendering and Contracting

Culture of security

See Security culture.

Cyber espionage

Espionage using ICT equipment.

D

Data

See Electronic information.

Decision-useful information

Information is decision useful when it assists users to make good decisions or informs the development of advice to decision-makers. To be decision-useful, the information needs to be high-quality, timely, and accurate.

Declassification

Declassification is the process for reviewing the protective marking on information with the objective of removing or downgrading classifications to facilitate the public release of information.

Deed of Confidentiality

An undertaking by an individual to comply with confidentiality obligations.

Delegate

A person authorised by another person to act on their behalf. In most cases, a delegate is a senior person authorised to act on an agency head’s behalf.

Denial of service

Deliberate compromise of availability of information technology systems.

Disaster Recovery Plan (DRP)

Planning and implementation of procedures for the recovery of essential systems that have a significant impact on an agency’s ability to deliver its key outcomes. DRPs may be the first part of a business continuity plan.

Disposal

In the context of information and records, disposal means the decision-making processes for retaining, transferring or destroying information and records.

Document

Anything on which information is recorded by any means, including words, symbols, images or electro-magnetic impressions.

Double enveloping

The use of two unused opaque envelopes (an inner and an outer envelope) to help protect protectively marked information in transit from unauthorised access and, in the event of unauthorised access, provide evidence of this to the recipient.

DSAP

Designated Security Assessment Position

Duress alarm

An alarm that enables people to call for a security or police presence in response to a threatening incident.

E

Electronic Access Control System (EACS)

An electronic system to control access to agency facilities, which includes access control devices, control panel, monitoring station and the policies and procedures to limit access to personnel with verified identities.

Electronic information

Data or information stored or generated electronically including metadata.

EMBARGOED FOR RELEASE

The EMBARGOED FOR RELEASE endorsement marking is used on material before a designated time at which an announcement or address will be made, or the information will be disseminated.

Emergency access

Supervised access to protectively marked material one level above an individual’s current security clearance, when there is an urgent and critical operational need to do so.

Emergency management

A range of measures designed to manage risks to agencies from disasters and emergencies. Emergency management involves developing and maintaining arrangements to prevent or mitigate, prepare for, respond to and recover from emergencies and disasters.

Employee (or staff)

See Personnel.

Employee undertaking

See Deed of Confidentiality.

Encryption

The process of transforming data into an unintelligible form to enable secure transmission.

Endorsement marking(s)

An endorsement marking is an additional protective marking that, combined with the classification, warns people that information has special handling requirements. The endorsement marking may indicate the specific nature of information, temporary sensitivities, limitations on availability, or conditions for handling. See also Protective marking and Compartmented marking.

Espionage (spying)

A government, organisation or individual attempting to obtain information that is considered secret, confidential or intellectual property without the permission of the holder of the information. Espionage is inherently clandestine, as it is taken for granted that it is unwelcome, and in many cases, illegal.

Evaluated Product List (EPL)

A list of ICT security products, certified against internationally recognised common criteria.

Event

Includes both planned and unplanned events run by, or on behalf of, a New Zealand government agency.

Event attendees

All people attending an event including delegates, speakers, visitors and support staff.

Event manager

The person in overall control of an event – this may be an agency employee or outsourced provider.

Event Security Officer (ESO)

The agency officer, or contractor, responsible for the security of people (attendees, staff and the public) or information and assets at an event.

Exceptional circumstances

Circumstances where the exception is critical to the agency meeting its outcomes, and the risks to the agency can be mitigated or managed in another way.

Exposure

The degree to which a resource is open to, or attracts, harm.

External Integrated System (EIS)

A system that may be integrated or interoperable with a security alarm system, for example, closed-circuit television, building management systems and EACSs.

F

Facility

A building, part of a building or complex of buildings, in which an agency, or a particular agency function, is located. This can include contractors’ premises.

Facility security inspection

An inspection of a contractor’s premises addressing the criteria established in the contract between the contractor and the New Zealand government, to ensure that a secure environment appropriate to the performance of the contracted function can be provided by the contractor.

Firewall

A programme or device designed to prevent unauthorised access to or from a network or system by filtering incoming and outgoing network data based on a series of rules.

Fit and proper person checks

Personnel or employment checks other than the security clearance vetting process, undertaken by agencies as part of their personnel security management to address specific agency risks.

Foreign government

Any government external to New Zealand (including an individual, organisation or agency acting on behalf of this government) or an intergovernmental organisation. This also includes multi-national or supra-national government and non-governmental organisations, for example, the Asia-Pacific Economic Cooperation, North Atlantic Treaty Organisation, European Union, United Nations and Interpol.

Foreign Government Information (FGI)

Information received by the New Zealand government from foreign governments and government agencies in support of strategic and operational objectives. In most cases, New Zealand provides the assurance to safeguard this information under the terms of a bilateral and multilateral agreement, Security of Information Agreement or Arrangement (SIA) or MOUs.

G

Government Chief Digital Officer (GCDO)

As functional leader for government ICT, the GCDO (previously called the Government Chief Information Officer, GCIO) is responsible for ICT-enabled transformation across government agencies to deliver better services to citizens.

Government Communications Security Bureau (GCSB)

The GCSB ensures the integrity and confidentiality of government information, and investigates and analyses cyber incidents against New Zealand’s critical infrastructure. The GCSB also collects foreign intelligence bearing on New Zealand’s interests, and assists other New Zealand government agencies to discharge their legislatively mandated functions.

Government information

Government information is all information, regardless of form or format, from documents through to data, that the New Zealand government collects, stores, processes, generates, or shares to deliver services and conduct business. This includes information from or exchanged with the public, external partners, contractors, or consultants and includes public records, email, metadata, and datasets.

GPSL

The Government Protective Security Lead (GPSL) is a leadership role appointed by the Public Service Commissioner to the Director-General of the New Zealand Security Intelligence Service (NZSIS).

H

Harm

Any negative consequence, such as the compromise of, damage to, or loss of, an asset.

Hazard

A source of potential harm – a hazard might include a threat.

Home-based work

An agency may approve or authorise an employee to carry out their duties while based at their place of residence.

HONOURS

The HONOURS endorsement marking is used for material relating to the actual or potential award of an honour before the announcement of the award, and for the deliberations during the recommendation-approval process or the consideration of honours policy matters involving the exercise of the Royal prerogative.

I

ICT equipment

Any device that can process, store or communicate electronic information, for example, computers, multi-function devices and copiers, landline and mobile phones, digital cameras, electronic storage media and other radio devices.

ICT facility

A building, floor of a building or designated space on the floor of a building used to house or process large quantities of data, for example, server and gateway rooms, data centres, back-up repositories, storage areas for ICT equipment and communications and patch rooms.

ICT system

A related set of hardware and software used for the processing, storage or communication of information and the governance framework in which it operates.

ICT system equipment

A subset of ICT equipment that is used to maintain an ICT system, for example, servers, communications network devices, such as PABX, and gateways and network infrastructure, such as cabling and patch panels. This equipment is normally continuously operational.

ID

Identity

IN CONFIDENCE (security classification)

A security classification that shows that compromise of official information would be likely to prejudice the maintenance of law and order, impede the effective conduct of government in New Zealand or adversely affect the privacy of its citizens.

Incident reporting

A scheme whereby security incidents (which can include security infringements, breaches, violations, contacts or approaches) are reported to a central point in the agency (usually the CSO). This enables the agency to undertake investigations, monitor the effectiveness of security controls, advise other affected agencies and collect statistics on its security vulnerabilities.

Information and Communications Technology (ICT)

Describes any device or application used to communicate, record, process, store and/or transfer information, including data storage devices (for example, magnetic disk/tape, compact disks or digital video disks (CD/DVD), flash memory), mobile telephones and mp3 players, and the operating systems, hardware and software applications used to operate networks and systems.

Information Assurance (IA)

Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection and reaction capabilities.

Information Privacy Principles (IPPs)

Contained in the Privacy Act 1993, part 2, IPPs regulate the collection, storage, access, use and disclosure of personal information by New Zealand government agencies.

Information Security (INFOSEC)

The application of security controls to information systems that are commensurate with the protective marking, sensitivity and/or value of that information and compliant with government policy. See also Communications security.

Information Technology Security Manager (ITSM)

ITSMs are executives within an agency who act as a conduit between the strategic directions provided by the CISO and the technical efforts of system administrators. The main responsibility of ITSMs is the administrative controls relating to cyber security within the agency.

Information, information assets or information resources

Documents and papers, electronic data, the software or systems and networks on which the information is stored, processed or communicated, intellectual information acquired by individuals and physical items from which information regarding design, components or use could be derived that add value to an organisation.

Insider threat

Insider threats come from our past or present employees, contractors or business partners. They can misuse their inside knowledge or access to harm our people, our customers, our assets or our reputation.

An ‘insider threat’, or ‘insider’, is any person who exploits, or intends to exploit, their legitimate access to an organisation’s assets to harm the security of their organisation or New Zealand, either wittingly or unwittingly, through espionage, terrorism, unauthorised disclosure of information or loss or degradation of a resource (or capability).

Integrity

Integrity means that information is protected from unauthorised changes to ensure it remains reliable and correct. See also Availability and Confidentiality.

IRP

Incident Response Plan

L

LEGAL PRIVILEGED

The LEGAL PRIVILEGED endorsement marking is used for material that is subject to legal privilege.

Logical access controls

ICT measures used to control access to ICT systems and their information. This could involve using user identifications and authenticators such as passwords.

M

Malware (malicious software)

Software designed to disrupt computer operation, gather sensitive information or gain unauthorised access to computer systems.

Mandatory requirements

The mandatory requirements contained within the PSR require compliance by all New Zealand government agencies.

MEDICAL

The MEDICAL endorsement marking is used for material relating to medical reports, records and other material related to them.

MFDs

Multi-Function Devices

Mobile computing and communications

Work from a non-fixed location using portable computing and/or communications devices, for example, laptops, notebooks, tablets, smart mobile phones and personal digital assistants.

Mobile employees

Employees who work at multiple locations using their laptop, or other mobile computing device, as their primary ICT device – setting it up in hotels, offices, at home or in the field, for example, client support workers who deal with clients outside the regular office environment.

MOU

Memorandum of Understanding

Multilateral agreement

An agreement between the New Zealand government, or a New Zealand government agency, and the government, or agencies, of multiple countries that provides for the reciprocal exchange of official information. Also see Bilateral agreement and Foreign Government Information.

N

National interest

National interest means the maintenance of New Zealand’s good international reputation and bilateral relations, public confidence in the areas of tourism, trade, the economy and government, and the security and safety of all New Zealanders.

National security

A term used to describe the safety of the nation from espionage, sabotage, politically motivated violence, promotion of communal violence, attacks on New Zealand’s defence system, acts of foreign interference or serious organised crime, as well as the protection of New Zealand’s borders.

National security information

Official information that, if compromised, could affect the security of the nation. National security information could include information about protection from espionage, sabotage or politically motivated violence.

Need to go

Access to an area should be limited to those who require access to do their work, for example, cleaners – they do not have a need to know but they do have a need to go to do their work.

Need-to-know

A principle that a user must have a legitimate reason to access and use information or equipment to meet an operational need.

Need-to-share

A principle that government information needs to be appropriately shared to enable the protection of New Zealand and New Zealanders from threats, and to realise the potential of information to aid government effectiveness and enable wellbeing of New Zealanders.

Network infrastructure

The infrastructure used to carry information between work stations and servers or other network devices, for example, cabling, junction boxes, patch panels, fibre distribution panels and structured wiring enclosures.

New Zealand Communications Security Standard No. 300 (NZCSS 300)

This standard provides the minimum security requirements for the control and accountability of communications security material within the New Zealand government and agencies.

New Zealand Communications Security Standard No. 400 (NZCSS 400)

This standard provides a minimum standard of installation engineering for all New Zealand government agencies, organisations or personnel concerned with the planning or engineering of New Zealand installations processing protectively marked information.

New Zealand Communications Security Standard No. 500 (NZCSS 500)

This standard provides consolidated statements of national communications security policy. Where necessary, more information about the policy will be provided in the relevant national communications security standards or instructions.

NEW ZEALAND EYES ONLY (NZEO)

The NEW ZEALAND EYES ONLY (NZEO) endorsement marking indicates that access to information is restricted to appropriately security cleared New Zealand citizens on a need-to-know basis.

New Zealand government involvement

Could include strategic planning advice, tactical support or the deployment of operational elements. All New Zealand government involvement is provided in collaboration with the event organisers, the relevant agency with jurisdictional authority and other agencies.

New Zealand Information Security Manual (NZISM)

New Zealand Information Security Manual. The Government’s manual on information assurance and information system security.

New Zealand Security Intelligence Service (NZSIS)

The NZSIS establishes personnel and physical security standards for the protection of national security information, as authorised by the New Zealand Security Intelligence Service Act 1969. The NZSIS is responsible for providing advice to the New Zealand government relating to New Zealand’s security.

NII

National Information Infrastructure

Non-national security information

Official information that, if compromised, does not threaten national security but could otherwise threaten the security of the national interest or interests of individuals, groups or commercial entities.

O

ODESC

The Officials Committee for Domestic and External Security Coordination (commonly referred to as ODESC) is a committee of Chief Executives that manages national security in New Zealand in both its governance and its response mode.

Office of the Auditor-General (OAG)

The Office of the Auditor-General is responsible for conducting annual audits, performance audits and inquiries into any public entity as per the Public Audit Act 2001.

Office of the Privacy Commissioner

The Office of the Privacy Commissioner deals with privacy and the freedom of information.

Official information

A subset of Government information (see Government information).
Any information generated, received, developed or collected by, or on behalf of, the New Zealand government through its agencies and external service providers that is not publicly available, including sensitive information and protectively marked information, such as:

  • documents and papers
  • data
  • the software or systems and networks on which the information is stored, processed or communicated
  • the intellectual information (knowledge) acquired by individuals
  • physical items from which information regarding design, components or use could be derived.

See the Official Information Act 1982.

Official resources

Includes official information, people who work for, or with, the New Zealand government, and assets belonging to, or in the possession of, the New Zealand government. Official resources include resources belonging to the New Zealand government but in the possession of contractors.

Offshore services

Services offered from outside of New Zealand that are subject to jurisdictional, sovereignty and privacy risks of that country.

Onshore services

Services offered from within New Zealand.

Open information

Open information is unclassified information that has been made available to the public for their use and sharing. See also Unclassified information.

Originator (of information)

The person, or agency, responsible for preparing or creating official information or for actioning information generated outside the New Zealand government. This person, or agency, is also responsible for deciding whether, and at what level, to protectively mark that information.

Outsourcing

Contracting out of a business process to an outside company.

Overwriting (of electronic information)

Low level reformatting, followed by multiple overwriting with zeroes (0) and ones (1) in random patterns to make the information difficult to recover from electronic media.

P

Paragraph grading indicators

Markings used to indicate the security classification of individual paragraphs.

Paragraph marking

Paragraph marking is the practice of marking the classification level of a section of information within a document, email, or dataset. This informs the user of which sections contain the information of highest classification and enables more appropriate sharing of information.

Partner

Partner refers to any individuals, groups, organisations, or governments where information is shared.

Perimeter Intrusion Detection System (PIDS)

A security alarm system, or part of a security alarm system, that covers areas external to a building envelope.

Personal Identity Verification (PIV)

The method(s) used to verify a person’s identity before being given access to facilities, information or assets. Normally, identity is verified using something a person has (for example, a pass), knows (for example, password) or is (for example, biometrics).

Personal information

Information or an opinion (including information forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. For further details, see the Privacy Act 1988. Also see Sensitive personal information.

Personal Security File (PSF)

A file containing sensitive personal information used to make a decision on a person’s suitability to hold, and continue to hold, a security clearance. This includes details of any security infringements, breaches or violations by the person.

Personnel (employee or staff)

Any member of an agency’s staff (ongoing and non-ongoing), contracted service providers requiring access to protectively marked information or resources, or other people who provide services to the agency or access agency information or assets.

Personnel Security (PERSEC)

The management of personnel to assist in the protection of an agency’s people, information and assets. It includes the screening and ongoing education and evaluation of employees.

Physical asset

An item of economic, commercial or exchange value that has a tangible or material existence, including assets (for example, computers) that contain official information.

Physical Security (PHYSEC)

The part of protective security concerned with the provision and maintenance of a safe and secure environment for the protection of agency employees and clients as well as physical measures designed to prevent unauthorised access to official resources and to detect and respond to intruders.

Planned event

An event that allows relevant agencies sufficient lead time to consider, discuss and implement security arrangements. Also see Event.

POLICY

The POLICY endorsement marking is used for material relating to proposals for new or changed government policy before publication.

Policy and privacy information

Information (usually protectively marked as SENSITIVE or IN CONFIDENCE) that deals with New Zealand government policy or information but does not warrant a higher security classification.

Politically motivated violence

Acts or threats of violence or unlawful harm that are intended or likely to achieve a political objective, whether in New Zealand or elsewhere, including acts or threats carried on for the purpose of influencing the policy or acts of government.

Portable Storage Device (PSD) (electronic information)

See Removable electronic and optical media.

Position of Trust (PoT)

A position where the duties require a higher level of assurance than normal agency employment screening provides, and for which additional screening is specified.

Privacy

A person’s ability to control the availability of information about them.

Privacy audit

An audit that examines personal information handling practices for a particular agency programme at a certain time and in a particular location.

Private client facilities

Facilities belonging to private industry clients that can be used by agency personnel to undertake agency work.

Procedural fairness

Procedural fairness is the right to expect that any decisions being taken about a person are taken by an unbiased decision maker, and are based on open and fair decision-making processes that allow that person the opportunity to respond to those decisions.

Protective marking

Protective marking is the practice of marking the information with its classification, endorsement markings, and compartmented markings (if applicable) such as within paragraphs, emails, documents, metadata, or systems to inform readers and users of their obligations for securely handling and protecting the information.

Protective security

An organised risk management system of defensive measures used to counter security threats instituted and maintained at all levels across an organisation to reduce the security risk to functions, official resources, assets (people, information, infrastructure, facilities) and services. Protective security should be proportionate to threats and operate in a way that supports business.

Protective security audit

An audit (or system of checking for compliance to predetermined standards) on the protective security arrangements in place in an agency.

Protective Security Manual (PSM)

The New Zealand Government Protective Security Manual was the precursor to the PSR.

Protective Security Requirements (PSR)

Protective Security Requirements (PSR) outlines the Government’s requirements for managing personnel, physical, and information security. The Classification System is a core foundation to the PSR. The PSR was approved by Cabinet in 2014 [CAB (14) 39/38].

Public domain information

Information that is authorised for unlimited public access and circulation (for example, agency publications or websites).

Q

Qualified security vetting recommendation

A formal assessment by the NZSIS recommending the security risks that may exist if the agency decides to grant a security clearance to the candidate. A qualified vetting recommendation may include a risk management plan for the individual.

R

Reasonable (in law)

Just, rational, appropriate, ordinary or usual in the circumstances. It may refer to care, cause, compensation, doubt (in a criminal trial) and a host of other actions or activities. Similarly, a reasonable act is that which might fairly and properly be required of an individual.

Regional location

Any location away from an agency’s central office or major operational centres.

RELEASABLE TO (REL)

The RELEASABLE TO, or REL, endorsement marking identifies information that has been released or is releasable to the indicated foreign countries, or citizens of those indicated countries, only. For example, RELEASABLE TO // GBR, NZ or REL // GBR, NZ means that the information may be passed to citizens and the governments of the United Kingdom and New Zealand only.

Remote worker

An employee who undertakes remote work, including:

  • casual remote workers – casual remote workers take advantage of remote working to meet a short-term or intermittent requirement; where there is a formal remote-work agreement, they should instead be considered mobile employees
  • full time remote workers – full time remote workers operate primarily from a remote, fixed location (this could be either the remote worker’s own home or a remote office or remote centre)
  • part time remote workers – part time remote workers may spend part of their time working in a fixed remote location and part of their time in the office
  • day extenders – day extenders may work a regular day in the office and then may log in from a fixed remote location, normally from home, to continue to work or meet a short term or intermittent requirement.

Removable electronic and optical media

Storage media that is easily removed from a system, designed for removal and is not an integral part of the infrastructure. For example, magnetic tapes, CDs or DVDs, USBs, microfilms and removable hard drives.

Request documents

Documentation issued to a potential service provider when requesting pricing on services or functions or utilised in the procurement process.

Request for tender

A request to suppliers for information and a quote to perform clearly defined works or supply certain goods.

Residual risk

The level of risk remaining after mitigations are applied.

RESTRICTED

A security classification that shows that compromise of official information would be likely to affect the national interests in an adverse manner.

Review for Cause (personnel security)

In the personnel security context, a Review for Cause is a review requested by the Sponsoring Agency and undertaken by the NZSIS of a security clearance holder who has had a significant change of circumstance that could affect their suitability to retain a clearance.

RFID

Radio-frequency identification (RFID) uses electromagnetic fields to automatically identify and track tags attached to objects. The tags contain electronically-stored information.

Right of access (contracting)

The right of the agency (or its agent, nominee, employee or auditor) to have access, for purposes associated with the contract including security reviews and audit requirements, security performance monitoring and any additional reviews referred to in the contract, to any premises of the contractor, to any site used in connection with the contract and to equipment, software, data, documentation and records maintained by it and relevant to the performance of the contract.

Risk

The chance of something happening that will materially impact the achievement of objectives – it is measured in terms of event likelihood and consequence.

Risk acceptance

An informed decision to accept a risk within the context of any mitigations applied.

Risk analysis

The systematic process to understand the nature, and to deduce the level, of risk. This includes identification and evaluation.

Risk appetite

Statements that communicate the expectations of an agency’s senior management about the agency’s risk tolerance. These criteria help an agency identify risk and prepare appropriate treatments and provide a benchmark against which the success of mitigations can be measured.

Risk avoidance

A decision not to become involved in a risk situation, for instance, through deciding not to start or continue the activity that gives rise to the risk.

Risk management

Coordinated activities to direct and control an organisation with regard to risk.

Risk mitigation

Actions taken to lessen the likelihood, negative consequences, or both, associated with a risk.

Risk rating

A rating that indicates how significant each identified potential risk is to an agency. The risk rating may be expressed qualitatively or quantitatively, based on the risk likelihood and consequence.

Risk time horizon

The proximity of when the risk might eventuate. Knowledge of the time horizon, or time to impact should the risk occur, contributes to the risk mitigation decision making.

Risk transfer

Shifting the responsibility or burden for loss to another party through legislation, contract, insurance or other means.

S

Sabotage

An act, falling short of a military operation, or an omission intended to cause physical damage in order to assist a hostile foreign power or further a subversive political aim.

See section 79 of the Crimes Act 1961.

Safe hand

A method of transporting an article in such a way that the article is in the care of an authorised officer or a succession of authorised officers who are responsible for its carriage and safekeeping. The purpose of sending an article using safe hand is to establish an audit trail that allows the sender to receive confirmation that the addressee received the information.

Safety

Safety is the process of ensuring people involved with the organisation, including employees, customers and visitors, are protected from harm.

Sanitisation

The process of removing certain elements of information that will allow the protective marking that indicates the level of protection required for the information to be removed or reduced. This can refer to both electronic media and hard copy information. Information that is not destroyed needs the originator’s approval to be released at a lower level. Also see overwriting.

SCI

Sensitive Compartmented Information. Classified information concerning or derived from intelligence sources, methods, or analytical processes, which is required to be handled within formal access control systems established by the Intelligence Community. See also Compartmented marking, Need to know.

SECRET

A security classification that shows that compromise of the official information could cause serious damage to the national interest.

Security

The controls and measures that an organisation uses to protect their people, information and assets.

Security Alarm System (SAS)

A SAS is the combination of intrusion detection devices, control panel, monitoring station and the policies and procedures needed to ensure an appropriate response to any alarms.

Security breach

An accidental or unintentional action that leads, or could lead, to the loss or damage of official information or resources. A breach is also a failure to observe the protective security mandatory requirements. See also Security infringement and Security violation.

Security classification system

See Classification System.

Security classified information (or resources)

See Classified information.

Security clearance

A security clearance is granted to an individual following a favourable vetting assessment and recommendation provided by the NZSIS. An employee’s suitability to access protectively marked material is dependent on the clearance level granted and the need-to-know principle.

Security clearance management (personnel security)

The process required for comprehensive management of personnel holding security clearances. While security vetting is fundamental, it must be supported by active security risk management by both the organisation and the individual. The security clearance management life cycle consists of pre-employment identity and verification checks, NZSIS security vetting, the formal grant of a security clearance by the agency head, management of any risks identified by the NZSIS, reporting notifiable changes in circumstances or foreign contacts, annual security appraisals and security vetting reviews.

Security container or room

NZSIS-approved A, B or C class container or room. See Security Zones and Risk Mitigation Control Measures.

Security culture

The ready acceptance by people that the securing of official information and other agency resources is an important and integral part of everyday work practices. The culture of a work group describes the patterns of basic assumptions, beliefs, customs and attitudes of the group that shape the behaviour of members of that group.

Security in Government Sector Manual (SIGS)

The New Zealand Government Security in Government Sector Manual was the precursor to the PSR.

Security incident

A security infringement, breach, violation, contact or approach from those seeking unauthorised access to official resources, or any other occurrence, that results in negative consequences for the New Zealand government.

Security infringement

Any incident that violates the agency’s internal protective security procedures, other than those that can be categorised as a security breach or security violation.

Security investigation

An investigation carried out to establish the cause and extent of a security incident that has, or could have, compromised the New Zealand government. The overall purpose of a security investigation is to prevent the incident from happening again by making improvements to the agency’s systems or procedures.

Security of Information Agreement or Arrangement (SIA)

An agreement or arrangement with a foreign government setting out reciprocal obligations to safeguard exchanged classified information. Signatories make a moral and political commitment to uphold and adhere to the terms of the arrangement. An SIA holds treaty status and includes MOUs.

Security plan

See Agency Security Plan.

Security policy

A set of rules and practices that specify or regulate how a system or organisation provides security services to protect sensitive or critical resources.

Security risk

Any event that could result in the compromise, loss of integrity or unavailability of official information or resources, or in deliberate harm to people, measured in terms of its probability and consequences.

Security risk criteria

Statements that communicate the expectations of an agency’s senior management about the agency’s security environment. These criteria help an agency identify security risk and prepare appropriate security treatments, and provide a benchmark against which the success of the security plan can be measured. Also see risk appetite.

Security risk review

The process used to determine risk management priorities by evaluating risk against predetermined criteria in the context of an agency’s protective security arrangements.

Security vetting recommendation

A formal assessment by the NZSIS recommending that the agency grant a security clearance to a candidate.

Security violation

A deliberate, negligent or reckless action that leads, or could lead, to the loss, damage, corruption or disclosure of official information or resources.

Security zones

A method of assessing the security of areas used for protecting people, or handling and storing information and physical assets, based on security controls. Security zones range from One to Five.

Security-in-depth (or defence-in-depth)

A multi-layered, systematic approach to security in which security countermeasures are combined to support and complement each other. This makes unauthorised access difficult; for example, physical barriers should complement and support procedural security measures, and vice versa.

Selective tendering

A type of acquisition strategy in which agencies provide a copy of the statement of requirements (SOR) to a small number of potential providers and request a tender from them for the performance of the function. Also see tendering.

SENSITIVE

A security classification that shows that compromise of official information would likely damage the interest of New Zealand or endanger the safety of its citizens.

Sensitive information

Information that may be exempt from disclosure under sections 6 and 9 of the Official Information Act 1982.

SIGINT

Signals intelligence

Site

The discrete, separate physical location of an agency’s facility(s). Agencies may occupy more than one site.

Site planning (physical security)

A determination, as part of the agency’s regular risk review, that the agency’s physical environment is appropriate or inappropriate.

Site security plan

A plan that documents measures to reduce to an accepted level the identified risks to the agency’s functions and resources at a designated site.

SLAs

Service Level Agreements

SOP

A standard operating procedure, or SOP, is a set of step-by-step instructions compiled by an organisation to help workers carry out complex routine operations.

Source codeword

A type of endorsement marking. A word or set of letters used to identify the source of certain information without revealing it to those who do not have a need-to-know. People who need to access this information must be cleared and briefed about the significance of this type of information. See also Codeword.

Special event

A planned event of such a nature that the national interest is served by the New Zealand government’s involvement in whole-of-government coordination of security and/or the provision of support to offshore events.

Specified persons

Persons who are authorised by the agency to have access in order to carry out work or perform duties.

Spying

See Espionage.

SSC

State Services Commission

SSP

System Security Plan

Statement of Requirements (SOR)

A description of the activity or function to be contracted out in terms of required outputs and outcomes.

Stewardship

Stewardship is the careful and responsible management of something. In the context of this guide, it is the careful and responsible management of government information to benefit all New Zealanders.

Sub-contractor

A contractor who contracts to provide goods or services to another contractor, so that the latter can perform another contract.

Suitability indicators (personnel security)

Suitability indicators for a security clearance include maturity, responsibility, tolerance, honesty and loyalty. Also see the Security Assessment Criteria and the Adjudicative Guidelines.

T

Technical Surveillance Countermeasures (TSCM)

The process of surveying facilities to detect the presence of technical surveillance devices and to identify technical security weaknesses that could aid in the conduct of a technical penetration of the surveyed facility.

Tele-centre

A location separate to the employee’s home and remote from the agency’s normal business premises that provides access to an office environment and may provide remote access to agency ICT systems. These facilities may be provided on an agency-specific or shared basis.

Tele-work (telework, telecommuting)

Paid work conducted away from an agency’s offices in a fixed location that requires at least periodic connection to the employer’s ICT network. Tele-work is distinguished from mobile computing by having a controlled environment and little need for portability of equipment. Tele-work is subject to a formal agreement between the agency and the employee.

TEMPEST

The investigation of compromising emanations from electronic equipment such as computers. The term is also used for such compromising emanations.

Tendering

The act of a potential contractor offering to perform services or supply goods for a specified cost.

Thin client technology

A thin client is a lightweight computer that has been optimised for remoting into a server-based computing environment. The server does most of the work, which can include launching software programs, crunching numbers, and storing data.

Third party interest (in competitive tendering and contracting)

Any legal or equitable right, interest, power or remedy (no matter the degree) in favour of any person, other than the agency or the contractor, in connection with the contract, including any right of repossession, receivership, control or power of sale and any mortgage, charge, security or other interest.

Threat

A source of harm that is deliberate or has the potential or intent to do harm.

Threat assessment

Evaluation and assessment of the intentions of people who could pose a hazard to a resource or function, how they might cause harm and their ability to carry out their intentions. Threats need to be assessed to determine what potential exists for them to actually cause harm.

TOP SECRET

A security classification that shows that compromise of the official information could cause exceptionally grave damage to the national interest.

Treaty

A treaty is an agreement between states (countries) that is binding by international law. In some cases, international organisations can be parties to treaties. A treaty may also be called a convention, protocol, covenant or exchange of letters.

U

Unauthorised access (to facilities or assets)

Access to official facilities or assets that is not sanctioned by government policy or agency direction or an entitlement under legislation.

Unauthorised access (to information)

Access to official information that is not based on a legitimate need to know, sanctioned by government policy or agency direction or an entitlement under legislation.

Unauthorised disclosure (of official information)

The communication or publication of official information where it is not based on a legitimate need to know, sanctioned by government policy or agency direction or an entitlement under legislation.

Unclassified (information)

Official information that is not expected to cause harm and does not require a security classification. It may be unlabelled or it may be marked ‘UNCLASSIFIED’. This type of information represents the bulk of official information.

Unclassified information

Unclassified information is government information that would have a low impact on individuals, organisations or New Zealand’s national interest if it were compromised. It doesn’t need special security or handling over and above the standard protections that apply to all government information and therefore does not require classification or protective marking to keep it secure.

Uninterruptible Power Supply (UPS)

An electrical apparatus that provides emergency power when the input power source or mains power fails.

Unplanned event

An event that occurs at short notice, is routine, or otherwise does not allow for, or require, detailed planning, including security planning. Also see Event.

V

Vetting

A background checking process and assessment action to determine a realistic and informed evaluation of an individual’s suitability for access to protectively marked material and to hold the appropriate security clearance.

Vetting officer (NZSIS)

NZSIS vetting officers assess candidates undergoing security vetting against established criteria that measure and influence their suitability to hold a security clearance. Vetting officers conduct interviews with and assessments on candidates applying for a national security clearance in accordance with the procedures outlined in the PSR.

Virtual Private Network (VPN)

The tunnelling of network traffic through another network, separating the VPN traffic from the underlying network. A VPN can encrypt traffic, if necessary.

Virus (ICT systems)

See Malware.

Visitor

A visitor is any person whose duties do not normally require them to access the area being visited, or who does not qualify for an appropriate pass, but who can demonstrate a legitimate reason for seeking entry to the area.

Vulnerability (ICT systems)

A flaw, bug or misconfiguration that can be exploited to gain unauthorised access to a network or information.

Vulnerability (risk management)

The degree of susceptibility and resilience of an agency to hazards.

W

Wireless communication

The transmission of data over a communications path using electromagnetic waves rather than a wired medium.

Z

Zone 1

Unsecured area, including out of the office working arrangements.

Zone 2

Low security area with some security controls and access control for visitors.

Zone 3

Security area with high security controls, strict control of visitors on a needs basis and access to employees controlled.

Zone 4

Security area with a higher level of security controls and strict visitor and employee access controls on a needs basis.

Zone 5

Security area with the highest level of controls and strict visitor and employee access controls on a needs basis.