Security in the
Government Sector
Protect - Detect - React
www.security.govt.nz
This manual is issued by the Interdepartmental Committee on Security in accordance with its terms of reference. It replaces the manual "Security in Government Departments" issued in 1994, and incorporates the revised security classification system approved by Cabinet on 18 December 2000.
The manual takes into account the Australian/New Zealand Standard AS/NZS ISO/IEC 17799:2001 "Information Technology - Code of Practice for Information Security Management". Although the Standard is directed primarily at information technology, its principles apply equally to protecting the confidentiality, integrity and availability of information in all its forms. "Security in the Government Sector" takes a wider perspective and covers the protective security of both information and equipment, comprising physical, personnel, document, information technology and communication security measures. A cross-reference to the Standard is provided so that the manual's coverage can be checked against it.
Some of the manual content is based on or drawn from similar overseas publications - in particular, Australia's "Commonwealth Protective Security Manual", and the United Kingdom's "Manual of Protective Security".
The manual is mandatory for government departments, ministerial offices, the NZ Police, the NZ Defence Force, the NZ Security Intelligence Service and the Government Communications Security Bureau. It is also made available to State Owned Enterprises and Crown Entities to assist them in meeting their obligations under the Official Information Act 1982 and the Privacy Act 1993.
"Security in the Government Sector" is designed to help government departments and agencies, State Owned Enterprises and Crown Entities develop their security instructions based on a framework that is consistent throughout the Government sector. While chief executives are responsible for developing, implementing and maintaining standards of protective security within their organisations using a risk management approach, there are certain minimum standards which must be met. These are detailed in this manual.
It would not be practical to attempt to include all detailed advice on matters of security in one manual. The New Zealand Security Intelligence Service (NZSIS) and the Government Communications Security Bureau (GCSB) have produced supplementary manuals and documents intended for the guidance of Departmental Security Officers. These are the NZSIS "Protective Security Manual" (PSM) and the GCSB "New Zealand Security in Information Technology" (NZSIT) series.
Within these guidelines it is expected that each organisation will develop security policies and instructions that are applicable to the circumstances of that organisation and its risk assessment. Once security instructions are adopted they should be mandatory for all staff.
Browse the SIGS manual in HTML
Download the entire manual (1,181 Kb Adobe Acrobat file)
Download the entire manual, HTML (Zipped, 111Kb)
Download the entire manual, MS-Word and PDF (Zipped, 1,335Kb)
Download relevant parts (MS-Word)
Title Page, 61Kb
Foreword, 90Kb (TIFF file)
Preface, 24Kb
Table of Contents, 72Kb
Chapter 1: Security Policy, 64Kb
Policy Statement 1-2
Security Framework 1-2
Risk Management 1-3
Business Continuity Management 1-4
Responsibility for Security 1-4
Security Agencies 1-4
New Zealand Security Intelligence Service (NZSIS) 1-4
Government Communications Security Bureau (GCSB) 1-5
Interdepartmental Security Committees 1-5
Officials Committee for Domestic and External Security Co-ordination (ODESC) 1-5
Interdepartmental Committee on Security (ICS) 1-6
The Government Communications Security Committee (GCSC) 1-6
The Departmental Committee on Computer Security (DCCS) 1-6
Annex A-Terms of Reference: Interdepartmental Committee on Security 1-7
Composition and Servicing of the Committee 1-8
Annex B-Terms of Reference: Government Communications Security Committee 1-9
Annex C-Terms of Reference: Departmental Committee on Computer Security 1-10
Chapter 2: Security Organisation, 127Kb
Security Structure within Government Organisations 2-3
Security Policy Document 2-3
Management Security Forum 2-4
Security Co-ordination 2-4
Allocation of Security Responsibilities 2-5
Duties of the Departmental Security Officer 2-6
Education and Training 2-6
Security Education 2-6
Security Training 2-7
Specialist Security Advice 2-7
Information Systems Security Manager 2-7
Travel Advice 2-8
Security Briefings 2-8
Centre for Critical Infrastructure Protection (CCIP) 2-8
Computer Emergency Response Teams 2-9
Security Incidents 2-9
Reporting Security Incidents 2-9
Reporting Security Weaknesses 2-9
Learning from Incidents 2-9
Disciplinary Process 2-10
Other Security Organisations and Legislation 2-10
New Zealand Security Association Inc (NZSA) 2-10
National Supervisory Council for Security Systems (NSCSS) 2-10
NZ Computer Society Special Interest Group on Security (NZCS SigSec) 2-10
Government Information Systems Manager's Forum (GOVIS) Security Group 2-11
Private Investigators and Security Guards Act 1974 2-11
Annex A-Suggested Outline for Security Instructions 2-12
Annex B-Specific Responsibilities of the DSO 2-17
Education and Training 2-17
Protection of Classified Information 2-18
Building Security 2-18
Precautions within Buildings 2-18
Control of Entry to Buildings 2-18
Communications and Electronic Processing of Classified Information 2-19
Security Instructions 2-19
Security Inspections 2-19
Chapter 3: Information Classification, 182Kb
Classified Material 3-2
Inventory of Classified Material 3-2
Classification Guidelines 3-2
Annex A-Management of Material Classified as IN CONFIDENCE 3-7
Annex B-Management of Material Classified as SENSITIVE 3-10
Annex C-Management of Material Classified as RESTRICTED 3-12
Annex D-Management of Material Classified as CONFIDENTIAL 3-14
Annex E-Management of Material Classified as SECRET 3-17
Annex F-Management of Material Classified as TOP SECRET 3-19
Annex G-Endorsements that may be Applied with any Security Classification 3-21
Chapter 4: Control of Classified Material, 164Kb
General 4-2
Workplace Procedures 4-3
Clear Desk and Clear Screen Policy 4-5
End of Day Procedures 4-6
Identification of Staff Keeping Unusual Hours 4-6
Removal of Classified Material from the Office 4-7
Homeworking 4-7
Conference Security 4-7
Information Preparation and Handling 4-7
General 4-7
Preparation 4-8
Registration 4-10
Making Documents "Accountable" 4-10
Minimum Standards for Controlling TOP SECRET and SECRET Material 4-10
Automated Document Accounting Systems (ADAS) 4-11
Copying, Printing and Facsimile Machines 4-11
Laptop Computers 4-11
Custody 4-11
Review 4-12
Spot Checks 4-12
Microform 4-12
Custody of Classified Material 4-13
Transporting Classified Material 4-13
Destruction of Classified Material 4-16
National Archives 4-20
Chapter 5: Personnel Security, 99Kb
Security in Job Definition and Resourcing 5-2
Security in Job Descriptions 5-2
Management Responsibilities 5-2
Terms and Conditions of Employment 5-2
Confidentiality Agreements 5-3
Personnel Screening 5-3
Pre-Employment Checking 5-3
Authority to Access 5-4
Access to "Sensitive" Sites 5-4
Basic Check 5-4
Access to Classified Material 5-5
Security Vetting Procedures 5-5
Legal Aspects to the Security Vetting Procedure 5-5
Assessment of Required Security Clearance Levels 5-6
Guidelines for Assessing Trustworthiness 5-7
Pre-Vetting 5-7
Levels of Vetting and Clearances 5-7
Referees 5-8
Adverse or Qualified Replies 5-8
Decision on Granting Security Clearances 5-9
Records of Security Clearances 5-9
Lapses and Transfers of Security Clearances 5-9
After-Care and Review 5-10
Reviews of Security Clearances 5-10
Chapter 6: Contractors and Other Third-Party Access, 65Kb
Assessment of Risk from Third-Party Access 6-2
Types of Access 6-2
Reasons for Access 6-2
Protection of Classified Material 6-2
On-Site Contractors 6-3
Off-Site Contractors 6-4
Consultants 6-4
Outsourcing 6-5
Security Requirements in Third-Party Contracts 6-5
Chapter 7: Physical and Environmental Security, 110Kb
"Defence in Depth" 7-2
Security Awareness 7-3
Planning Accommodation 7-3
Physical Security Perimeter 7-3
Storage Facilities 7-4
Surveys 7-4
Security Assessment 7-4
General Design Features 7-5
Intrusion-Detection Systems 7-5
Non-Governmental Standards and Agencies 7-5
Physical Entry Controls 7-6
Visitors 7-6
Entry by Media Representatives 7-8
Instructions to Guards or Receptionists 7-8
Securing Facilities, Rooms and Offices 7-8
Security Containers 7-9
Chapter 8: Communications and Systems Security Management, 195Kb
Configuration and Incident Management 8-2
Configuration Management 8-2
Introduction 8-2
Certification and Accreditation 8-2
Incident Management Procedures 8-4
Protection against Malicious Software 8-5
Network Management 8-6
Media Handling and Security 8-7
Protecting Storage Media 8-7
Disposal of Media 8-8
Security of System Documentation 8-9
Exchanges of Information and Software 8-10
Information and Software Exchange Agreements 8-10
Security of Information in Transit 8-10
Leased Lines and Public Networks 8-10
Internet Security 8-11
Telephone Security 8-12
Facsimile Transmission Security 8-14
Transmission of Video and Video-Conferencing 8-14
Security Requirements of Systems 8-15
Security in Application Systems 8-15
Evaluated Products 8-15
Protecting Classified Information 8-16
Cryptographic Controls 8-16
Appropriate Grades of Encryption 8-16
Key Management 8-17
Emanation Security Controls (TEMPEST) 8-18
TEMPEST Countermeasures 8-18
Technical Security (TECSEC) 8-18
Annex A-Minimum Standards for Internet Security in the New Zealand Government 8-19
Chapter 9: Control of Access to Information Systems, 82Kb
Business Requirement for Access Control 9-2
Access Control Rules 9-2
User Access Management 9-3
User Authentication 9-3
User Registration 9-4
User Password Management 9-5
System Access Control 9-5
Firewalls and Border Controls 9-6
Approved Circuits 9-6
Wireless Local Area Networks 9-7
Application Access Control 9-8
Sensitive System Isolation 9-8
Monitoring-System Access and Use 9-8
Mobile Computing, Teleworking and Homeworking 9-8
Cross-Reference to AS/NZS ISO/IEC 17799:2001, 159Kb
Glossary of Abbreviations, 29Kb
Last Updated: 03-Nov-2004 11:06:56 a.m.