UNCLASSIFIED Protective Security Requirements - FYI A Risk Based... · Tier 4: Agencies’ own...
Protective Security Requirements
A Risk Based Approach
UNCLASSIFIED
What is the PSR?
“…a new framework of New Zealand Protective Security Requirements which provides clear guidance and support for State sector departments to achieve improved security standards…”
What does it look like?
Tier 1: PSR Cabinet Paper and Directive on the security of government business
Tier 2: Overarching security policies and 29 core requirements
Tier 3: Detailed protocols for governance, personnel security, physical security and information security (including the NZISM).
Tier 4: Agencies’ own policies and procedures
Risk based approach
Protective Security for the Agency
Protective security planning
Protective security policy
Protective security procedures
RISK ASSESSMENT
The starting point for an agency’s protective security – their security planning, policies and procedures – is a risk assessment.
How did we get here?
o Out of date standards
o Lack of support for agencies
o High profile breaches
o Lack of awareness
o Security is not seen as a business enabler

o Deliver a more accessible framework
o Update standards
o Enhance outreach
o Cross-government initiatives

o Outreach function and engagement to lift security capability
o Training for government agencies
o Open source website
o ‘Living documents’ – tools and templates
o Assurance reporting
A closer look at the PSR risk based approach…
Open source website
www.protectivesecurity.govt.nz
Outreach and engagement
o Support in understanding and implementing the PSR
o 36 mandatory agencies + voluntary agencies
o Facilitators in completing the Capability Maturity Model and the PSR Roadmap
o Emphasis on effective and accountable governance
o Collaboration across agencies
Tools and templates
Agency / Unit

| CMM Element | Target | Current |
| --- | --- | --- |
| Leadership and culture | | |
| Executive commitment, governance oversight | Optimized | Basic |
| Management structure, roles, responsibilities | Optimized | Basic + |
| Monitoring and assurance | Optimized | Core |
| Organisation culture and behaviour | Managed | Core |
| Education and communications | Optimized | Core + |
| Planning, policies and protocols | | |
| Strategy development, delivery | Managed | Basic |
| Policies, processes, procedures | Managed | Basic |
| Risk management | Optimized | Core + |
| Incident management | Optimized | Core + |
| Security dimensions | | |
| Personnel security | Core + | Basic |
| Information security | Managed + | Core + |
| Physical security | Optimized | Core + |
Tools and templates
PSR Training
o Additional support for implementation
o Introductory courses
o Specific physical security, personnel security and information security courses
o Emphasis on holistic approach to protective security
o Providing agencies with the tools and information to take ownership
Assurance Reporting
o PSR Agency Self-Assessment Report
o March 2016 – Creating the new baseline
o Chief Executive accountability
o Based on tools departments will be familiar with
  - The Capability Maturity Model
  - 29 Core Requirements
  - PSR Roadmap
o Ability to seek further evidence if necessary
What difference does it make?
What will success look like?
o Trust and confidence: Ministers and public
o Risks can be mitigated, but not eliminated. Minimize the likelihood, be prepared for the impact, and react accordingly
o Governance – accountability and ownership at the top
o Ability to adapt to changes in the threat environment
o Strong security culture with all personnel
o All boats rising
Where to from here?
Questions?
Contact us
Website: www.protectivesecurity.govt.nz
Email: [email protected]