- Within this section:
- Security Structure within Government Organisations
- Duties of the Departmental Security Officer
- Education and Training
- Specialist Security Advice
- Security Incidents
- Other Security Organisations and Legislation
- Annex A - Suggested Outline for Security Instructions
- Annex B - Specific Responsibilities of the DSO
Chapter 2: Security Organisation
Security Structure within Government Organisations
Security Policy Document
1. Management should approve, promulgate and implement a security policy that sets out management's approach and commitment to security.
The policy should:
- state management's commitment to security
- set out the organisation's approach to managing security
- include security measures for information systems.
2. The policy's security framework should:
- be based on robust risk analysis
- meet the organisation's operational purpose
- be practical and usable while providing adequate security
- be cost effective.
3. The organisation's security policy should include:
- general guidance on security roles and responsibilities
- clear definitions of responsibility for the protection of classified material, whether electronic or hard copy
- clear definitions of security processes
- where necessary, more detailed guidance for specific sites, systems or services
- an ongoing programme of user awareness and education.
4. The policy may be implemented through the organisation's security instructions. For a suggested outline of security instructions, see Annex A to this Chapter.
5. For additional advice on INFOSEC policy development, see the GCSB publication, NZSIT 101, Information Technology Security Policy Handbook.
Review and Evaluation
6. A nominated owner is responsible for maintaining and reviewing the policy according to a defined process.
7. The policy review process should be triggered by any changes affecting the basis of the original risk assessment. For example, after:
- significant security incidents
- the introduction of new vulnerabilities
- changes to the organisational or technical infrastructure.
8. Schedule periodic reviews of:
- the policy's effectiveness, gauged by the nature, number and impact of recorded security incidents
- the cost of the policy's controls and their impact on efficiency
- effects on the policy of changes to technology
- level of user compliance.
Management Security Forum
9. While all members of the management team share responsibility for the security of official information, consider establishing a management security forum. The forum may operate independently or as part of an existing management body. Its purpose is to ensure clear direction and visible management support for security initiatives.
10. The forum should promote security within the organisation through appropriate commitment and adequate resourcing. The forum may:
- monitor significant changes in the exposure of information to threats
- review and monitor security incidents
- review and approve security policy and overall security responsibilities
- approve major security enhancement initiatives.
Security Co-ordination
11. Make one manager responsible for all security-related activities. In a large organisation, a cross-functional group of management representatives from relevant parts of the organisation may be necessary to co-ordinate security controls.
12. The security manager or management group should:
- agree on specific roles and responsibilities for security across the organisation
- agree specific methodologies and processes for security, such as risk-assessment procedures and security-classification systems
- devise and support organisation-wide security initiatives, such as awareness programmes
- ensure that security is incorporated into the planning process
- assess and co-ordinate the implementation of specific security controls for new systems or services
- review security incidents and recommend appropriate process improvements
- promote the visibility of business support for security throughout the organisation.
Allocation of Security Responsibilities
13. The security arrangements of government entities should be designed to ensure that government security policy is translated into effective and uniform practice throughout the organisation.
14. Each organisation is required to have a proper security infrastructure with clear allocation of responsibility for all aspects of security. The form of this will depend upon the size of the organisation and the amount of classified material to be handled and protected.
15. Organisations handling a substantial quantity of classified material should establish a specialist security unit. This unit should work in close association with the personnel and administrative staffs to ensure that security requirements are treated appropriately.
16. Where a specialist security unit is not justified the organisation's personnel and administrative staffs are responsible for personnel and physical security. In all cases there should be a clear allocation of responsibilities for security.
17. Overall responsibility for security rests with a manager, designated as Departmental Security Officer (DSO).
18. The DSO is answerable to, and should have free access to, the Chief Executive or Head on security related matters.
19. The DSO should be known to all staff members.
20. Within government organisations, the DSO's responsibilities include:
- promulgating and implementing security policy
- providing guidance in security matters
- managing and reporting security incidents.
21. The DSO should ensure that senior management, IT staff and system users appreciate the importance of applying and monitoring information system security (INFOSEC). While technological measures lessen many risks, an effective protection system requires all staff to consider INFOSEC measures as part of their day-to-day routine.
Duties of the Departmental Security Officer
22. Under the delegated authority of the Chief Executive or head, the DSO's duties include:
- formulating and implementing general security policy within the organisation
- serving as liaison with the Secretary of the ICS, the NZSIS, and the GCSB for any specialist advice
- applying common minimum standards for security from the ICS
- issuing instructions on security, and ensuring that the instructions are followed
- arranging for routine security inspections
- arranging for security education and training
- investigating breaches of security.
23. For specific DSO responsibilities, see Annex B to this Chapter.
Education and Training
24. For good protective security, all staff must accept their individual responsibilities to maintain security alertness and adhere to established rules and procedures. This can be achieved through effective ongoing education and training.
25. Since security is a managerial responsibility at all levels, managers should be involved in identifying education and training needs. In particular:
- managers should ensure that staff understand and comply with all relevant security regulations
- managers should participate in security training
- line managers should co-operate fully with the DSO and other security staff to identify education and training needs
- line managers should ensure that their staff can attend security courses and presentations.
Security Education
26. Security education should:
- be ongoing
- be provided for all staff
- be designed to promote a sense of personal responsibility for effective security, regardless of position, rank, grade or level of access
- help counter threats through a basic knowledge of security principles.
Security Training
27. Security training should:
- be provided to staff with specific security responsibilities
- be designed to impart a sound knowledge and understanding of the organisation's security rules and procedures, appropriate to specific responsibilities
- provide staff with the knowledge they need to perform their security duties effectively.
28. For details on preparing and implementing an effective security training and education programme, see the NZSIS Protective Security Manual.
29. The GCSB offers a range of introductory and specialised courses on INFOSEC topics.
Specialist Security Advice
30. Many organisations require specialist advice on security. Ideally, an experienced in-house security adviser, not necessarily the DSO, can provide this advice. Otherwise, a person should be appointed to co-ordinate in-house security knowledge and experience to ensure consistency in security decision-making.
31. Security advisers should be tasked with providing advice on all aspects of security.
32. Security advisers should have access to suitable external advisers for specialist advice outside their own expertise.
33. Security advisers should have direct access to management, since their assessment of security risks and advice on security controls may determine the effectiveness of the organisation's security policy.
34. Consult the security adviser as soon as possible after a suspected security incident or breach. Although most internal security investigations are carried out under management control, the security adviser may advise, lead or conduct the investigation.
Information Systems Security Manager
35. Organisations with significant information system resources should also appoint an Information Systems Security Manager (ISSM).
36. To oversee a range of technically complex security issues, the ISSM must:
- understand the structure and architecture of the organisation's information systems
- have a detailed knowledge of the systems' security features, operating systems, access control, and auditing facilities
- be familiar with security strategies in general and INFOSEC in particular
- provide advice on INFOSEC to the DSO
- have ready access to senior management on security issues.
37. Those responsible for INFOSEC in an organisation must also have the authority to enforce information system security policy.
Travel Advice
38. For advice to government employees travelling overseas, see the NZSIS Protective Security Manual.
Security Briefings
39. Appropriate security briefings are available for staff visiting or being posted to certain overseas posts. Contact the NZSIS well in advance to allow time for suitable briefing arrangements.
Centre for Critical Infrastructure Protection (CCIP)
40. The Centre for Critical Infrastructure Protection (CCIP) is established within the GCSB to provide advice and support in protecting New Zealand's critical infrastructure from cyber threats. 'Critical infrastructure' is the infrastructure required to provide those services that, if interrupted, would have a serious adverse effect on New Zealand as a whole or on a large proportion of the population and would require immediate reinstatement.
41. The aim of the CCIP is to be a co-ordination point for protection from and reaction to major computer and communications based attacks such as hacking, viruses, and denial-of-service attacks on elements of the critical infrastructure. The CCIP has three main roles:
- provide 24-hour 7-day 'watch and warn' advice regarding the Internet and critical infrastructure threats and incidents
- analyse and investigate cyber-threats in order to improve New Zealand's protection
- assist owners of critical infrastructure to identify and understand their vulnerabilities, and provide advice on protecting critical infrastructure. This includes an outreach programme and facilitation of IT security training.
42. The CCIP has relationships with counterpart organisations overseas, including the National Infrastructure Security Coordination Centre (NISCC) in the UK, the Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP) in Canada, and the National Infrastructure Protection Center (NIPC) in the United States.
43. Although the CCIP provides advice and support, each organisation is responsible for security of its own systems and services.
Computer Emergency Response Teams
44. There are a number of international Computer Emergency Response Teams (CERTs) that produce advisory notices and alerts detailing vulnerabilities, exploits, and suggested fixes for vendor operating systems and software. It is recommended that organisations subscribe to such a service.
Security Incidents
Reporting Security Incidents
45. Report all personnel, physical, IT and information systems security incidents through appropriate channels as quickly as possible.
46. This includes reporting the circumstances of any contact with people or organisations who seek, through unauthorised means, information for which they have no need to know.
47. Establish a formal reporting and incident response procedure.
48. Make all staff aware of their responsibilities and the procedure for reporting security incidents.
49. For advice on actions to be taken following breaches of security, see the NZSIS Protective Security Manual.
Reporting Security Weaknesses
50. Staff should be required to note and report any observed or suspected security weaknesses or threats to procedures, policies, systems or services. They should report these matters to the appropriate authority as quickly as possible.
51. Staff should be aware that they should not, in any circumstances, attempt to prove a suspected weakness before reporting. This is for their own protection, as testing weaknesses might be interpreted as a potential misuse of the system.
Learning from Incidents
52. There should be procedures in place to quantify and monitor the types, volumes and costs of incidents and malfunctions. This information should be used to:
- identify recurring or high-impact incidents or malfunctions
- indicate the need for enhanced or additional controls to limit the frequency, damage and cost of future occurrences
- inform the security policy review process.
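The manual asks for incident data to be quantified and fed back into the policy review (paragraph 52 above) and for policy effectiveness to be gauged by the nature, number and impact of recorded incidents (paragraph 8). The script below is an added example of how a DSO might do that over an incident register; it is not part of the manual. The record fields, category names, cost figures, thresholds and the sample register are all assumptions constructed for illustration, and an organisation would set its own thresholds in policy.

```python
"""Incident metrics for the security policy review.

Added example, not from the manual. The Incident record layout, the category
names, the thresholds and SAMPLE_REGISTER are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass(frozen=True)
class Incident:
    when: date
    category: str          # assumed categories: document, physical, it, personnel
    classification: str    # highest classification of material involved
    cost_nzd: float        # estimated direct cost of response and remediation
    summary: str


# Constructed sample incident register; not real incidents.
SAMPLE_REGISTER: List[Incident] = [
    Incident(date(2004, 2, 3), "document", "RESTRICTED", 400.0,
             "RESTRICTED file left on desk overnight"),
    Incident(date(2004, 2, 17), "document", "RESTRICTED", 350.0,
             "classified waste placed in ordinary rubbish"),
    Incident(date(2004, 3, 2), "it", "UNCLASSIFIED", 1200.0,
             "virus outbreak on office LAN"),
    Incident(date(2004, 3, 9), "document", "CONFIDENTIAL", 900.0,
             "document removed from premises without authority"),
    Incident(date(2004, 4, 1), "physical", "UNCLASSIFIED", 150.0,
             "visitor found unescorted in secure area"),
    Incident(date(2004, 4, 22), "it", "SECRET", 25000.0,
             "SECRET material processed on an unaccredited PC"),
]

# Thresholds are assumptions; set them in the organisation's own policy.
RECURRING_THRESHOLD = 3          # incidents of one category within the period
HIGH_IMPACT_COST = 10000.0       # a single incident at or above this cost
REVIEW_CLASSIFICATIONS = {"CONFIDENTIAL", "SECRET", "TOP SECRET"}


def summarise(register: List[Incident]) -> Dict[str, dict]:
    """Per category: number of incidents, total cost and largest single cost."""
    out: Dict[str, dict] = defaultdict(
        lambda: {"count": 0, "total_cost": 0.0, "max_cost": 0.0})
    for inc in register:
        row = out[inc.category]
        row["count"] += 1
        row["total_cost"] += inc.cost_nzd
        row["max_cost"] = max(row["max_cost"], inc.cost_nzd)
    return dict(out)


def recurring_categories(register: List[Incident]) -> List[str]:
    """Categories that recur often enough to suggest a control is missing."""
    return sorted(c for c, row in summarise(register).items()
                  if row["count"] >= RECURRING_THRESHOLD)


def high_impact(register: List[Incident]) -> List[Incident]:
    """Incidents that are significant on cost or on classification alone."""
    return [i for i in register
            if i.cost_nzd >= HIGH_IMPACT_COST
            or i.classification in REVIEW_CLASSIFICATIONS]


def policy_review_triggers(register: List[Incident]) -> List[str]:
    """Reasons to trigger the policy review described under Review and Evaluation."""
    stats = summarise(register)
    reasons = [f"recurring: {c} incidents ({stats[c]['count']} in period)"
               for c in recurring_categories(register)]
    reasons += [f"significant: {i.when.isoformat()} {i.category} "
                f"({i.classification}, NZ${i.cost_nzd:,.0f})"
                for i in high_impact(register)]
    return reasons


if __name__ == "__main__":
    for cat, row in sorted(summarise(SAMPLE_REGISTER).items()):
        print(f"{cat:10s} count={row['count']} "
              f"total=NZ${row['total_cost']:,.0f} max=NZ${row['max_cost']:,.0f}")
    for reason in policy_review_triggers(SAMPLE_REGISTER):
        print("REVIEW:", reason)
```

On the sample register the document category recurs three times and two incidents involve CONFIDENTIAL or SECRET material, so the script reports three review triggers; the per-category totals are what paragraph 8 calls the "nature, number and impact" of recorded incidents. Counting incidents by type rather than only by cost matters because the cheapest recurring breaches (classified waste, unescorted visitors) are usually the ones that reveal a missing or unenforced procedure.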
Disciplinary Process
53. There should be a formal disciplinary process for employees who have violated the organisation's security policies and procedures. The disciplinary process can:
- act as a deterrent to staff who might otherwise be inclined to disregard security procedures
- ensure correct, fair treatment for staff who are suspected of committing serious or persistent breaches of security.
54. Staff should be made aware of the disciplinary process as part of a security education programme.
Other Security Organisations and Legislation
New Zealand Security Association Inc (NZSA)
55. The NZSA is an independent organisation established to promote a professional security industry. NZSA:
- sets minimum standards for its members, published in its Codes of Practice, which are available to non-members
- develops security education and training programmes
- fosters contact with similar international organisations.
56. NZSA members provide a wide range of security services, including advice on the protection of information.
57. Advice from NZSA may be followed as long as it does not conflict with the provisions of Chapter 3 in this manual. For advice on protecting national security information which is classified CONFIDENTIAL and above, consult the NZSIS.
National Supervisory Council for Security Systems (NSCSS)
58. The NSCSS Inc is an independent, non-profit organisation established to raise the standards of intrusion-detection systems in New Zealand. NSCSS aims to ensure that equipment has been tested, approved, and installed safely and correctly. See also Chapter 7 paragraph 21.
NZ Computer Society Special Interest Group on Security (NZCS SigSec)
59. The New Zealand Computer Society's Special Interest Group on Security is a forum for networking with others with an interest in IT security from within and outside Government. It is Wellington-based and meets quarterly for a presentation and networking. For more details contact the Computer Society's Wellington office or go to the NZCS web site, www.nzcs.org.nz.
Government Information Systems Manager's Forum (GOVIS) Security Group
60. The GOVIS Security forum has similar objectives to the NZCS SigSec but is restricted to Government employees only. Meetings are approximately quarterly and there is an e-mail group for posting questions or discussing items of interest. For more details see the GOVIS web site, www.govis.org.nz.
Private Investigators and Security Guards Act 1974
61. The Private Investigators and Security Guards Act 1974 provides for the licensing of security companies and individuals in the commercial security sector. It also defines private investigators and security guards to include anyone who installs, sells or advises on alarm systems, locks or cameras.
62. The licensing procedure requires a Police vetting check. Annual renewals ensure that checks are up to date. Note, however, that the vetting check does not ensure competence.
63. Government departments and agencies, State Owned Enterprises and Crown Entities employing or contracting commercial security companies should verify that the company and the contracting staff are licensed under the act. This can be done either by contacting the PISG Registrar c/- Auckland District Court or by inspecting the relevant certificates.
Annex A - Suggested Outline for Security Instructions
Introduction
Definition of security
The threat, with particular reference to the work of the department
Aims of protective security
Organisation of Protective Security within the Department
Responsibility for security
Security organisation
Security duties
Security education and training
Classification and Markings
The classification system
Importance of correct grading
The classifications
Interpretation of the definitions
Authority to apply classifications
Methods of applying classifications
General rules of classification
The classification of typewriter or printer ribbons
The classification of magnetic and optical storage media
Arrangements for regrading and declassifying
Other endorsement markings
Control of Classified Documents and Similar Material
Objective
The "need to know" principle
Preparation of classified documents
Reference and copy numbers
Page numbering
Accountable documents
The control of TOP SECRET and SECRET documents and files
Removal of classified documents from the premises (including Homeworking)
Spot checks
The "need to retain"
Transmission of Classified Documents and Similar Material
Approved methods of transmission (boxes, pouches, enveloping)
Sealing
Document and package receipts
Movement:
- Within the organisation
- To other government organisations or addresses within New Zealand
- To addresses abroad
- Personal carriage overseas by officials
Electronic transfer
Security of Communications
Rules for passing classified information by telephone, computer, data links, facsimile and any other form of electronic transmission.
Electronic Processing of Classified Information
Rules for the protection and use of:
- information and technology systems
- photocopying machines
- other electronic office equipment.
Storage of Classified Documents
Minimum standards as applied to the department
Destruction
Handling of classified waste
Arrangements for destruction
Records of destruction
Precautions within Buildings
Room security
Precautions against eavesdropping and overview
Dictating machines and tape recorders
Room checks at close of work
Conferences and meetings
Arrangements in secure rooms or areas (if any)
Ancillary staff
Patrol arrangements and duties of patrols
Security of Keys and Combination Lock Settings
Definition of security keys
Compromise - warning
Arrangements for issue and recording of security keys
Safe custody of security keys and duplicates
Replacement of lost keys
Action when security key is lost or compromised
Combination lock settings - security measures
Security of Access Control Devices
Custody of blank cards
Replacement of lost cards
Reprogramming of cards
Changing of combinations
Return of cards
Control of Entry to Departmental Buildings
Control arrangements: staff, visitors, ancillary staff, duties of doorkeepers, receptionists, supervision of cleaners, etc.
Staff responsibility for safeguarding passes
Visitors to secure areas
Identification of staff keeping unusual hours
External Building Security
Site security
Building exterior security
Secure Behaviour
Responsibility of the individual for security
Telephone security
Duty to report known or suspected breaches of security
Disclosure of classified information to persons outside the government service
Social contacts with foreign officials
Personal correspondence
Indiscreet conversations
Overseas travel
Microfilming
Removal of classified documents from the office
Arrangements for taking classified documents to meetings or home
Classified documents in public places
Security Incidents
Management of security incidents
Identification
Reporting
Review and recommendations for improvements
Annex
The security classifications with definitions and examples of the correct use of the classifications based on the work of the department.
Annex B - Specific Responsibilities of the DSO
Personnel Security
1. In consultation with the Chief Executive, determine which posts within the organisation involve access to classified material and what level of security clearance is required for each.
2. Regularly review the list of posts that involve access to classified material.
3. Perform pre-vetting procedures in the organisation.
4. Arrange for the vetting of staff in posts that involve access to classified material.
5. Arrange for the security education of staff doing classified work. Ongoing training should include:
- the need for protective security
- the requirements of protective security
- personal responsibility for security, including the need to report any incident that may have a bearing on security.
6. Advise on the supervision of staff doing classified work.
7. Advise on measures to ensure that security incidents are immediately reported to the Chief Executive or DSO.
8. Arrange for keeping "out of normal hours" attendance records, as needed.
Education and Training
9. Arrange ongoing security training to ensure that staff with specific security responsibilities:
- have a clearly defined role and function
- know what organisational and individual resources are available
- can competently perform the correct security procedures for their current and future responsibilities.
10. The DSO should:
- identify the organisation's security education and training needs
- formulate a policy to meet the organisation's security education and training needs
- brief line managers on security education and training needs and policy
- supervise the security education and training programme, in agreement with the responsible managers
- liaise with personnel management to identify the security education and training needs of staff, especially new recruits and those taking on new posts and duties
- liaise with security staff to identify their particular education and training needs and carry out programmes to meet those needs
- liaise with the NZSIS on security education and training matters.
Protection of Classified Information
11. In consultation with the appropriate staff, prepare and issue internal instructions for safeguarding classified information and equipment, including:
- the "need to know" principle
- preparation, control, transmission, housing and destruction of classified documents
- restrictions on the use of photocopying machines
- removal of documents from the office
- protection of security keys and combination settings of containers (pouches, satchels, etc.) used for transmitting classified material
- handling of classified waste.
Building Security
- Oversee site security and building exterior security.
Precautions within Buildings
- Secure areas and planning of accommodation from the security standpoint.
- Measures to guard against the risk of eavesdropping and overview.
- Room security and room checks at close of work.
- Visitors to areas where classified information is handled and/or discussed.
- Conferences and meetings.
- Supervision/control of ancillary staff.
Control of Entry to Buildings
- Access control - pass system and control of entry cards and passes.
- Supervision of security staff including issue of instructions to security guards and door control staff.
- Inspections including night visits of security guards.
- Physical obstacles to prevent unauthorised entry, such as: doors, locks, windows, skylights, ducts, fencing, vehicle barriers, and outer perimeter lighting.
- Formulation of security procedures in event of emergency.
Communications and Electronic Processing of Classified Information
12. Prepare and issue internal guidelines on the use of:
- office equipment
- data processing equipment
- communications systems for processing and/or transmitting classified information.
13. Oversee all communications and computer security arrangements. Specifically:
- liaise with the COMSEC officer and communications staff, to ensure that communications equipment and systems are procured and used in accordance with National COMSEC standards
- advise staff on the security of telephone conversations
- create computer security practices for the organisation
- advise users of personal computers, word processors and electronic or electric typewriters on the special precautions required to process classified information.
Security Instructions
14. Prepare security instructions for the organisation.
15. Prepare security notes for staff doing classified work.
Security Inspections
16. Inspect personnel, physical and document security. Include checks on entry, pass and document control.
Breaches of Security
17. Arrange to be informed of all breaches of security.
18. Maintain records of all breaches of security.
19. Ensure that breaches of security are brought to the attention of those concerned.
20. Ensure action is taken to investigate, minimise damage done and prevent recurrence.
Security in the Government Sector