Protective Security Requirements: Personnel Security


In this series of posts, FIRST Security’s Chief Operating Officer Steve Sullivan looks at the New Zealand Government’s Protective Security Requirements (PSR). Although originally designed for government, the PSR is just as relevant for the private sector.
In my previous PSR post, we looked at the mandatory requirements for the Information Security (INFOSEC) domain of the Protective Security Requirements. In this post, we discuss the four mandatory requirements of the personnel security domain.
The government’s web-based PSR guidance reminds us that personnel security protects your people, information, and assets by enabling your organisation to:
- reduce the risk of harm to your people, customers and partners
- reduce the risk of your information or assets being lost, damaged, or compromised
- have greater trust in people who access your official or important information and assets
- deliver services and operate more effectively.
In short, personnel security focusses on reducing the risks associated with insider threats. These are threats that come from past or present employees, contractors or business partners whose misuse of inside knowledge or access – either wittingly or unwittingly – results in unauthorised disclosure of information or loss or degradation of a capability.
It is important to note that while many security breaches are intentional, some are unintentional and result from a lack of awareness or attention to security practices, being distracted or being fooled into unwittingly assisting a third party.
According to the PSR guidance, the core personnel security requirements that mandated government agencies must follow and other organisations should consider as best practice are as follows:
PERSEC1 - Recruit the right person
Ensure that all people working for your organisation (employees, contractors, and temporary staff) who access New Zealand Government information and assets:
- have had their identity established
- have the right to work in New Zealand
- are suitable for having access
- agree to comply with government policies, standards, protocols, and requirements that safeguard people, information, and assets from harm.
Although this requirement differs for private as opposed to public sector organisations, the same principles apply; it’s all about (i) conducting the right pre-employment checks; (ii) being alert to any employment candidate warning signs; and (iii) having adequate onboarding procedures in place:
- Pre-employment checks can include: reference checks, immigration (work rights) checks, criminal history checks, licensing and qualification checks, drug and alcohol checks, credit checks, and psychometric testing. Taking a risk-based approach, which checks you require depends on the nature of the role and the potential security risks associated with it.
- Being alert to candidate warning signs means noting factors that may raise concerns about a person’s integrity and suitability to work in your organisation, such as: false claims in a CV or job application form, unexplained gaps in the applicant’s employment history, conflicts of interest, evasive behaviour in relation to pre-employment checks, or questionable social media presence.
- Adequate onboarding procedures shouldn’t just be about ensuring the right candidate is selected, but also about ensuring that the selected candidate is made aware of their ongoing responsibilities around security and suitability, and that they have acknowledged (for example by signing a policy acceptance) that they have been made aware of these.
PERSEC2 - Ensure their ongoing suitability
Ensure the ongoing suitability of all people working for your organisation. This responsibility includes addressing any concerns that may affect the person’s suitability for continued access to government information and assets.
As the PSR guidance states, people and their circumstances can change – either suddenly or over time. A change, such as financial stress, relationship issues, or the development of a gambling or substance addiction, can have security implications. The PSR guidance states that at a minimum, an organisation must:
- have a process for people to report security incidents and near misses
- investigate security incidents
- provide ongoing security awareness updates and training.
PERSEC3 - Manage their departure
Manage people’s departure to limit any risk to people, information and assets arising from people leaving your organisation. This responsibility includes ensuring that any access rights, security passes, and assets are returned, and that people understand their ongoing obligations.
When a person leaves your organisation, they take with them knowledge of its internal information and its security weaknesses, and unlike an account that knowledge cannot be revoked. Whether a person is leaving by choice or not, a positive exit experience can reduce the risk of this knowledge being misused. The PSR guidance states that at a minimum, an organisation must:
- Remove access rights
- Collect security passes
- Make sure assets are returned
In addition to these, the guidance suggests that exit interviews are a good opportunity to remind the departing person of their obligations to protect your organisation’s information, to discuss their reasons for leaving and their attitude to your organisation and its people, and to collect any passes or access cards they hold. You should also consider whether a deed of confidentiality is necessary. Note that removing access rights means more than disabling the directory account: API tokens, SSH keys, VPN certificates, any shared or service credentials the person knew, and accounts in third-party services that are not tied to your directory all need to be revoked or rotated as well, and the revocation should be verified against the identity system rather than assumed from a closed ticket.
PERSEC4 - Manage national security clearances
Ensure people have the appropriate level of national security clearance before they are granted access to CONFIDENTIAL, SECRET and TOP SECRET information, assets or work locations…
While this PSR requirement relates to government organisations, the same principle applies to any organisation: ensure that only suitable people are given access to sensitive information.
To this end, it is worth reviewing how user accounts and access rights are managed within your IT systems, and whether your organisation has policies and procedures for classifying information and for handling and marking sensitive documents.
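As an added example (not from the PSR guidance or from the original post), here is a small access-review script covering two of the minimums above: for PERSEC3, departed people whose accounts are still enabled or whose assets are unreturned, plus enabled accounts that no HR record vouches for; for PERSEC4, people holding entitlements to resources classified above their clearance. The HR feed, account export, asset register, entitlement list and resource classifications are constructed sample data standing in for the real systems an organisation would feed in, and the classification ladder beyond the three levels the PSR names is an assumption.

```python
"""Added example: reconcile HR, identity and asset data for PERSEC3/PERSEC4 gaps.

All inputs are constructed sample data; the real sources (HR system, identity
provider, asset register, share/group ACL exports) are assumed and represented
here as plain dicts and lists.
"""
from dataclasses import dataclass
from datetime import date

# Assumed classification ladder, lowest to highest. CONFIDENTIAL, SECRET and
# TOP SECRET are the levels the PSR text names; UNCLASSIFIED is our baseline
# for people who hold no clearance at all.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


def level(name, *, for_resource):
    """Comparable integer for a classification name, failing closed: an
    unknown resource label ranks above TOP SECRET (nobody qualifies), an
    unknown or missing clearance ranks as no clearance."""
    if name in LEVELS:
        return LEVELS.index(name)
    return len(LEVELS) if for_resource else 0


@dataclass(frozen=True)
class Finding:
    requirement: str  # "PERSEC3" or "PERSEC4"
    user: str
    detail: str


# --- constructed sample inputs (not real records) ---------------------------
HR = {  # HR feed: employment status, clearance held, last day if departed
    "alice": {"status": "active", "clearance": "SECRET", "end_date": None},
    "bob": {"status": "departed", "clearance": "CONFIDENTIAL", "end_date": date(2024, 3, 1)},
    "carol": {"status": "active", "clearance": "UNCLASSIFIED", "end_date": None},
    "dave": {"status": "departed", "clearance": "SECRET", "end_date": date(2024, 3, 15)},
}
ACCOUNTS = {"alice": True, "bob": True, "carol": True, "dave": False, "eve": True}  # IdP: enabled?
ASSETS = [  # asset register: (asset id, holder, returned?)
    ("LAPTOP-0042", "bob", False),
    ("PASS-0199", "dave", True),
    ("LAPTOP-0007", "alice", False),
]
ENTITLEMENTS = [  # (user, resource) pairs exported from group/ACL membership
    ("alice", "ops-secret-share"),
    ("carol", "finance-confidential"),
    ("carol", "intranet"),
    ("bob", "ops-secret-share"),
    ("eve", "intranet"),
]
RESOURCES = {"ops-secret-share": "SECRET", "finance-confidential": "CONFIDENTIAL", "intranet": "UNCLASSIFIED"}
REVIEW_DATE = date(2024, 4, 1)  # assumed "today" for the sample run


def review_leavers(hr, accounts, assets, today):
    """PERSEC3: people past their end date must have no enabled account and
    no unreturned assets; enabled accounts with no HR record are orphans."""
    findings = []
    departed = [u for u, r in hr.items()
                if r["status"] == "departed" and r["end_date"] is not None and r["end_date"] <= today]
    for u in departed:
        if accounts.get(u):
            findings.append(Finding("PERSEC3", u, "account still enabled after end date"))
    for asset, holder, returned in assets:
        if holder in departed and not returned:
            findings.append(Finding("PERSEC3", holder, f"asset {asset} not returned"))
    for u, enabled in accounts.items():
        if enabled and u not in hr:
            findings.append(Finding("PERSEC3", u, "enabled account with no HR record (orphan)"))
    return findings


def review_clearances(hr, entitlements, resources):
    """PERSEC4: nobody may hold an entitlement to a resource classified above
    the clearance HR records for them."""
    findings = []
    for u, res in entitlements:
        record = hr.get(u, {})
        if record.get("status") == "departed":
            continue  # already reported by review_leavers
        have = level(record.get("clearance", ""), for_resource=False)
        need = level(resources.get(res, ""), for_resource=True)
        if have < need:
            findings.append(Finding("PERSEC4", u, f"{res} is {resources.get(res, 'unlabelled')}, "
                                                  f"clearance held is {record.get('clearance', 'none')}"))
    return findings


def run_review(hr, accounts, assets, entitlements, resources, today):
    return review_leavers(hr, accounts, assets, today) + review_clearances(hr, entitlements, resources)


def sample_review():
    """Run the review over the constructed sample data."""
    return run_review(HR, ACCOUNTS, ASSETS, ENTITLEMENTS, RESOURCES, REVIEW_DATE)


if __name__ == "__main__":
    for f in sample_review():
        print(f"{f.requirement} {f.user}: {f.detail}")
```

On the sample data the script flags bob (enabled account and an unreturned laptop after his end date), eve (an enabled account nobody in HR vouches for) and carol (access to a CONFIDENTIAL share with no clearance), and stays silent on alice and dave. The point of the orphan check and of failing closed on unknown labels is that the review cannot be satisfied by a missing record: every enabled account and every resource must be accounted for before the review is clean.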
Coming up...
In my next PSR post, we’ll take a deep dive into the physical security domain. If you’d like to have a discussion about how we might be able to assist you in your protective security planning, feel free to contact me at steven.sullivan@firstsecurity.co.nz
ABOUT THE AUTHOR: Steve Sullivan is a highly experienced security and business operations leader with 30 years’ experience in the security industry. Prior to joining FIRST Security as its Chief Operations Officer, Steve was General Manager – Regional Operations for Wilson Security, based in Melbourne. His career has focussed on leading highly-respected security organisations to improved services, unparalleled customer service and success.