
Protective Security Requirements: Security Governance


In this series of posts, FIRST Security’s Chief Operating Officer Steve Sullivan looks at the New Zealand Government’s Protective Security Requirements (PSR). Although originally designed for government, the PSR is just as relevant for the private sector.

In my previous PSR post, I provided a brief introduction to the Protective Security Requirements. In that post I suggested that the PSR provides a framework for protective security that’s relevant to just about any organisation – not just those in the public sector.

At the heart of the PSR are the 20 mandatory requirements that stretch across the four PSR domains of security governance, information security, personnel security and physical security. In this post we take a closer look at the eight mandatory requirements that sit within the security governance domain.

Just to be clear, the mandatory requirements are mandatory for certain government agencies. For the rest of us, they should be considered best practice.

GOV1 - Establish and maintain the right governance

Establish and maintain a governance structure that ensures the successful leadership and oversight of protective security risk.

To successfully manage security risks organisations must ensure security is part of their organisational culture, practices and operational plans. It starts with leadership and structure, and that’s what governance is all about.

The PSR states that a Chief Security Officer (CSO) and Chief Information Security Officer (CISO) should be appointed as members of the senior team. A CSO is responsible for an organisation’s overall protective security policy and oversight of protective security practices, and the CISO is responsible for an organisation’s information security.

GOV2 - Take a risk-based approach

Adopt a risk management approach that covers every area of protective security across your organisation, in accordance with the New Zealand standard AS/NZS ISO 31000:2018 Risk management – Guidelines.

According to the PSR, security policies and plans should (i) meet your organisation’s specific business needs; and (ii) cover all the protective security areas: governance, information, personnel, and physical.

If there’s one common thread running through the PSR, it’s that a risk management approach is fundamental. And, to be clear, risk management isn’t just a buzzword. It’s a clear and deliberate process: understanding what needs to be protected, what the organisation’s risk appetite is, what the risks are, what the likelihood and potential consequences of those risks are, and how they are to be managed and mitigated.

ISO 31000:2018 is a key standard, but since we’re talking security I’d also suggest looking at AS/NZS HB 167 Security Risk Management and ASIS ESRM-2019 Enterprise Security Risk Management.

GOV3 - Prepare for business continuity

Maintain a business continuity management programme, so that your organisation’s critical functions can continue to the fullest extent possible during a disruption. Ensure you plan for continuity of the resources that support your critical functions.

If there’s one thing that COVID and the disruption that followed in its wake taught organisations, it’s that a Business Continuity Plan (BCP) is crucial. It also taught us that BCPs are often poorly developed, tested and updated, and that many organisations’ plans proved useless when confronted with lockdown.

If you don’t have one, create it. If you do have one, make sure it’s up-to-date and that it’s been road-tested. Check out this useful BCP information on the business.govt.nz website.

GOV4 - Build security awareness

Provide regular information, security awareness training, and support for everyone in your organisation, so they can meet the Protective Security Requirements and uphold your organisation’s security policies.

This is absolutely key. There’s no point developing world-beating plans and policies if your people don’t know about them, haven’t read them, or are unable to understand them. Awareness is a battle on many fronts, and it requires regular reinforcement through training, discussion at meetings, and engaging internal communications.

GOV5 - Manage risks when working with others

Identify and manage the risks to your people, information, and assets before you begin working with others who may become part of your supply chain.

Collaboration is good, and most organisations rely on collaboration with partners and supply chains to deliver their goods or services. But when we collaborate we also increase our exposure to security risk.

What controls do you have in place in relation to working with others? Does your organisation have a robust contractor agreement, confidentiality agreement, contractor management policy, and do you require any subcontractors to also commit to the PSR?

GOV6 - Manage security incidents

Make sure every security incident is identified, reported, responded to, investigated, and recovered from as quickly as possible. Ensure any appropriate corrective action is taken.

What incident response plans and procedures does your organisation have in place to respond quickly and appropriately to a security incident? Do your people know what is expected of them in the case of an incident? Do they know who they should escalate issues to and how?

GOV7 - Be able to respond to increased threat levels

Develop plans and be prepared to implement heightened security levels in emergencies or situations where there is an increased threat to your people, information, or assets.

Security threat and risk contexts are constantly changing. Is your organisation effectively monitoring the threat and risk context, revising its assessments as that context dictates, adjusting security levels and controls accordingly, and communicating those changes to the people who need to act on them?

GOV8 - Assess your capability

Use an annual evidence-based assessment process to provide assurance that your organisation’s security capability is fit-for-purpose.

The annual assessment asks whether your overall security capability is fit for purpose. Separately, the PSR expects you to review your policies and plans at least every two years, or sooner if changes in the threat or operating environment make it necessary. The important concept here is ‘evidence-based’, which means using a standards-based approach and ensuring that you have adequate visibility across your organisation and access to the information and data you need to make an informed assessment.

Coming up...

In my next PSR post, we’ll take a deeper dive into the information security domain. If you’d like to have a discussion about how we might be able to assist you in your protective security planning, feel free to contact me at steven.sullivan@firstsecurity.co.nz

ABOUT THE AUTHOR: Steve Sullivan is a highly experienced security and business operations leader with 30 years’ experience in the security industry. Prior to joining FIRST Security as its Chief Operations Officer, Steve was General Manager – Regional Operations for Wilson Security, based in Melbourne. His career has focussed on leading highly-respected security organisations to improved services, unparalleled customer service and success.