Protective Security Requirements: A brief introduction

In this series of posts, FIRST Security’s Chief Operating Officer Steve Sullivan looks at the New Zealand Government’s Protective Security Requirements. Although originally designed for government, the PSR is just as relevant for the private sector.


In a previous post, I posed the question, what is ‘protective security’? Given that the terms ‘protection’ and ‘security’ have a similar – almost interchangeable – meaning, I asked, why the need for the double-barrelled terminology?

I settled upon a US Department of Defense definition, which described protective security as “the organised system of defensive measures instituted and maintained at all levels within an organisation with the aim of achieving and maintaining security.”

The key to this definition is the word ‘defensive’. Protective security measures are specifically defensive in nature, designed to prevent a security breach altogether or otherwise to stop it in progress or minimise the damage.

In New Zealand, the Government’s Protective Security Requirements (PSR) provides a framework for thinking about and implementing good protective security.

Although the PSR is a set of requirements that the Government has of its agencies, it’s also absolutely suitable to private sector organisations. For private companies that are suppliers to government or that are looking to become suppliers to government, I’d suggest that being compliant with the PSR is a very good idea.

What is the PSR?

According to the Government’s PSR website, the PSR is a “policy framework that sets out what your organisation must do to manage security effectively. It also contains best practice guidance you should consider following.”

“Effective security,” it states, “enables New Zealand organisations to work together securely in an environment of trust and confidence.” This is a key idea. Being compliant with the PSR is a great benchmark to demonstrate to other organisations – whether they are your customers or in your supply chain – that your organisation has its security act together… that they can be trusted.

The PSR’s core policies cover four key areas: security governance, personnel security, information security, and physical security.

Let’s take a brief look at each domain:

Security governance

The PSR contains eight governance requirements, which are aimed at ensuring effective oversight and management of all security areas within an organisation:

• GOV 1 — Establish and maintain the right governance
• GOV 2 — Take a risk-based approach
• GOV 3 — Prepare for business continuity
• GOV 4 — Build security awareness
• GOV 5 — Manage risks when working with others
• GOV 6 — Manage security incidents
• GOV 7 — Be able to respond to increased threat levels
• GOV 8 — Assess your capability

Personnel security

Protecting your organisation means ensuring that access to its information and assets is only given to suitable people. In many ways, this is all about managing the ‘insider threat’.

The PSR website points out that personnel security measures should start at the pre-employment stage and continue throughout the personnel lifecycle, and it advocates taking a risk-based approach. The four personnel security requirements are:

• PERSEC 1 — Recruit the right person
• PERSEC 2 — Ensure their ongoing suitability
• PERSEC 3 — Manage their departure
• PERSEC 4 — Manage national security clearances

Information security

The PSR guidance contains substantial resources on the information security domain, and it’s worthwhile also reading up on the Government’s New Zealand Information Security Manual (NZISM) for further guidance.

The PSR covers the security measures your organisation should develop, implement, and review for protecting information from unauthorised use, accidental modification, loss or release. Measures can include establishing an information security culture, developing an information classification policy, and adhering to legal requirements, such as the Privacy Act.

It’s worthwhile noting that according to the PSR, an ‘information asset’ could refer to any form of information, including: printed documents and papers, electronic data, software or ICT systems and networks, intellectual information (knowledge) acquired by individuals, and “physical items from which information regarding design, components or use could be derived.”

The four information security requirements are:

• INFOSEC 1 — Understand what you need to protect
• INFOSEC 2 — Design your information security
• INFOSEC 3 — Validate your security measures
• INFOSEC 4 — Keep your security up to date

Physical security

“Good physical security,” states the PSR guidance, “supports health and safety standards, and helps your organisation to operate more efficiently and effectively.”

Again, the PSR guidance recommends that you take a risk-management approach to working out the right levels of physical protection for your organisation’s people, information, and assets. The four physical security requirements are:

• PHYSEC 1 — Understand what you need to protect
• PHYSEC 2 — Design your physical security
• PHYSEC 3 — Validate your security measures
• PHYSEC 4 — Keep your security up to date

Coming up...

That’s the high-level overview. In my next PSR post, we’ll take a deeper dive into the Security Governance domain, and look at issues of governance, plans and policies, and taking that all-important risk-based approach. As always, if you’d like to have a discussion about how to keep your staff and visitors safe, feel free to contact me at steven.sullivan@firstsecurity.co.nz