August 12, 2021
Protective Security Requirements (PSR) in the private sector
The Protective Security Requirements (PSR) outlines the Government’s expectations for security governance and for personnel, information, and physical security.
Effective security enables New Zealand Government organisations to work together securely in an environment of trust and confidence.
Protecting people, information, and assets helps organisations to meet their strategic and operational objectives.
Whilst the PSR is designed for Government, the policy framework for security is equally applicable to the private sector.
At the heart of the PSR are 20 mandatory requirements that cover the four PSR domains of security governance, information security, personnel security, and physical security.
These requirements are mandatory only for the government agencies the PSR applies to, not for the private sector. However, private organisations should treat them as best practice, and if you are a supplier looking to work with the government, being able to show how you meet the PSR is a good idea: agencies are themselves required to manage the security risks of working with others (GOV 5), so a supplier's security posture will be assessed as part of that.
What are the Protective Security Requirements?
According to the New Zealand Security Intelligence Service (NZSIS) website, “The PSR sets out what organisations must do to manage security effectively. It also contains best practice guidance. As no two organisations are the same, the PSR follows a risk-based approach designed for flexible implementation.”
The PSR is a “policy framework that sets out what your organisation must do to manage security effectively. It also contains best practice guidance you should consider following.”
Whilst designed for Government, the PSR is suitable for public and private sector organisations.
The PSR website goes on to state that, “Effective security enables New Zealand organisations to work together securely in an environment of trust and confidence. Protecting your people, information, and assets helps your organisation to meet its strategic and operational objectives.”
Core Policies of the PSR
The PSR’s core policies cover four key areas: security governance, personnel security, information security, and physical security. Across these four areas are 20 mandatory requirements that government agencies must comply with and that private businesses would do well to adopt:
Security Governance (GOVSEC)
Managing security risks proportionately and effectively enables organisations to protect people, information and assets. To successfully manage security risks, organisations must ensure security is part of their organisational culture, practices and operational plans.
The PSR contains eight mandatory governance requirements that are aimed at ensuring effective oversight and management of all security areas within an organisation, including:
GOV 1 – Establish and maintain the right governance
GOV 2 – Take a risk-based approach
GOV 3 – Prepare for business continuity
GOV 4 – Build security awareness
GOV 5 – Manage risks when working with others
GOV 6 – Manage security incidents
GOV 7 – Be able to respond to increased threat levels
GOV 8 – Assess your capability
Personnel Security (PERSEC)
Insider threats come from past or present employees, contractors, or business partners. They can misuse their inside knowledge or access to harm an organisation’s people, customers, assets, or reputation.
Although people are often said to be an organisation’s greatest asset, they can also be a weakness.
The PSR website points out that personnel security measures should start at the pre-employment stage and continue throughout the personnel lifecycle, and it advocates taking a risk-based approach. There are four mandatory personnel requirements set out in the PSR including:
PERSEC 1 – Recruit the right person
PERSEC 2 – Ensure their ongoing suitability
PERSEC 3 – Manage their departure
PERSEC 4 – Manage national security clearances
Information Security (INFOSEC)
Every organisation relies on the confidentiality, integrity, and availability of the information it processes, stores, and communicates. Robust information security is a business enabler.
To implement the right security measures, you need to understand what information you have and how valuable it is.
A comprehensive inventory will assist you to determine what types of information and ICT systems your organisation has, including those that support business continuity and disaster recovery plans.
It’s also important to understand what the PSR considers an ‘information asset’. The term ‘information assets’ refers to any form of information, including:
- printed documents and papers
- electronic data
- the software or ICT systems and networks on which information is stored, processed or communicated
- the intellectual information (knowledge) acquired by individuals
- physical items from which information regarding design, components or use could be derived
With this in mind, there are four mandatory requirements for information security including:
INFOSEC 1 – Understand what you need to protect
INFOSEC 2 – Design your information security
INFOSEC 3 – Validate your security measures
INFOSEC 4 – Keep your security up to date
Physical Security (PHYSEC)
Physical security is a key component of your health and safety regime. It combines physical and procedural measures, is multi-faceted, and complements your security measures in the other areas. Good physical security supports health and safety standards and helps your organisation to operate more efficiently and effectively.
Knowing where your vulnerabilities are is the first step towards robust physical security. You may need to protect:
- your people, information, and assets
- the public and customers
- cultural holdings
Once you identify your risks, you must evaluate the likelihood and impact of each risk. Assessing your risks helps you understand where you need to take further action.
There are four mandatory requirements for physical security including:
PHYSEC 1 – Understand what you need to protect
PHYSEC 2 – Design your physical security
PHYSEC 3 – Validate your security measures
PHYSEC 4 – Keep your security up to date
The Chivalry Group and PSR
As a private organisation, we are not bound by the mandatory requirements of the PSR; however, we do follow them as best practice guidelines.
In addition to the mandatory requirements, the PSR also includes protocols and best practice guidance, and this is also something that sits at the heart of what we do at The Chivalry Group.
The PSR is based on the principles of public sector governance; however, we believe these principles can and should be applied across the private sector as well. These principles include:
Accountability — being answerable for decisions and having meaningful mechanisms in place to ensure your organisation adheres to all applicable protective security requirements
Transparency and openness — having clear roles and responsibilities for protective security functions, and clear procedures for making decisions and exercising authority
Efficiency — ensuring the best use of limited resources to further the aims of the organisation, with a commitment to risk-based strategies for improvement
Leadership — achieving an organisation-wide commitment to good protective security performance through top-down leadership.
These are guiding principles in the way we carry out our work at The Chivalry Group. This gives our clients peace of mind when it comes to working with us: we provide them with transparency and openness and, in return, this enables us to carry out our roles to the highest possible standards.
The Chivalry Group has completed many complex operations for Government and non-Government organisations. As part of that ongoing commitment, we stand by to assist, evaluate, observe and control any situation if required.