-
Section 01
Ngā Hononga Ohumahi, Hononga Mahi hoki Workforce and Employment Relations
-
Section 02
Mahi ā-Poari Governance
-
Section 03
Hononga a Ngāi Māori me te Karauna Māori Crown Relationship
-
Section 04
Te Whakamarumarutanga Security
-
Section 05
Te Taiao Environment
-
Section 06
Te Kanorautanga me te Whakaurutanga Diversity and Inclusion
-
Section 07
Te Ngākau Pono, ngā Matatika me ngā Taumata Integrity Ethics and Standards
-
Section 08
Ngā Ture me ngā Pūnaha Pakihi Business Rules and Systems
-
Section 09
Ngā Whakaritenga Kāwanatanga Government Settings
-
Section 10
Te Takohanga me te Pūrongorongo Accountability and reporting
Protective Security Requirements (PSR)
System lead: New Zealand Security Intelligence Service (NZSIS)
New Zealand Government Protective Security Requirements (PSR) outlines the Government’s expectations for managing personnel, information and physical security
Adopting the PSR is encouraged as good practice in managing:
- Information security - Classified or sensitive government information
- Physical security
- Personnel security
- Awareness of potential security threats to organisation
Published guidance:
- Raising security awareness of potential threats to your organisation
- Consider your security governance
- Consider how your personnel may pose security risks
- Understand how to manage your information security
- Physical security to protect your people, information and assets
Department of the Prime Minister and Cabinet - Defining National Security
Contact for further advice: psr@protectivesecurity.govt.nz
Requirements and expectations
|
Crown Agents |
Autonomous Crown Entities |
Independent Crown Entities |
|
Legal requirements: No legal requirements for Crown agents to adopt the PSR, however it is encouraged as good practice Entity-specific requirements may be contained in a Crown entity’s establishment legislation |
Legal requirements: No legal requirements for ACEs to adopt the PSR, however it is encouraged as good practice Entity-specific requirements may be contained in a Crown entity’s establishment legislation |
Legal requirements: No legal requirements for ICEs to adopt the PSR, however it is encouraged as good practice Entity-specific requirements may be contained in a Crown entity’s establishment legislation |
National Cyber Security Centre (NCSC) - GCSB
System lead: Government Chief Information Security Officer (GCISO). The GCISO role is supported by the National Cyber Security Centre (NCSC)
The National Cyber Security Centre (NCSC) is part of the Government Communications Security Bureau. Its role is to help New Zealand’s most significant public and private sector organisations to protect their information systems from advanced cyber-borne threats. Its focus is on detecting and disrupting cyber threats that are typically beyond the capability of commercially available products and services
- Its activities are mandated by the Intelligence and Security Act 2017
- NCSC and GCSB functions form part of the 2019 NZ Cyber Security Strategy
Published guidance:
- NZISM - ISM Document (gcsb.govt.nz) - is intended for use by Crown entities and provides both a risk management framework, and a set of essential or baseline controls and additional good and recommended practice
- Supply Chain Cyber Security: In Safe Hands
- Incident Management: Be Resilient, Be Prepared
- Charting Your Course: Cyber Security Governance
- Technical approaches to uncovering and remediating malicious activity
- Working from home and cloud security
- Approved cryptographic algorithms and retiring older cryptographic algorithms
- Use of approved secure destruction facilities
Services
The NCSC also develops services to strengthen New Zealand’s cyber defence capabilities, such as;
- Malware Free Networks (MFN), is a threat detection and disruption service which provides near real-time threat intelligence reflecting current malicious activity targeting NZ organisations.
- advanced cyber threat detection and disruption (CORTEX) capabilities and services to organisations of national significance
Contact for further advice:
The National Cyber Security Centre responds to threats to nationally significant organisations and high-impact cyber incidents at national level
- Nationally significant organisations can report a suspected cyber security incident
If you have a suspected cyber security incident and you’re unsure about what to do, contact NCSC
Requirements and expectations
|
Crown Agents |
Autonomous Crown Entities |
Independent Crown Entities |
|
Legal requirements: No legal requirements for Crown agents to implement NCSC standards; however, it is strongly encouraged as good practice Entity-specific requirements may be contained in a Crown entity’s establishment legislation Ministerial expectations: Crown agents currently sit outside the scope of agencies of the GCISO’s (and the NCSCs) mandated standards (i.e. the NZ Information Security Manual (NZISM) and assurance activities (i.e. reporting against the Protective Security Requirements (PSR) policy framework). The GCISO are refreshing the mandate as part of their System Leadership role. The refreshed mandate is expected to come into force by 2024. The GCISO will be engaging with Crown agents to highlight how they can benefit from the work of the GCISO in line with Cabinet’s expectations. |
Legal requirements: No legal requirements for ACEs to implement NCSC standards; however, it is strongly encouraged as good practice Entity-specific requirements may be contained in a Crown entity’s establishment legislation |
Legal requirements: No legal requirements for ICEs to implement NCSC standards; however, it is strongly encouraged as good practice Entity-specific requirements may be contained in a Crown entity’s establishment legislation |