Protective Security Requirements

Although the Protective Security Requirements (PSR) are designed for use by government agencies, FIRST Security’s Chief Operating Officer Steve Sullivan writes that they are just as relevant for the private sector.

When I first came across the expression ‘protective security’, I found it a little curious. Given that the terms ‘protection’ and ‘security’ have a similar – almost interchangeable – meaning, why the need for the double-barrelled terminology?

I settled upon a US Department of Defense definition, which described protective security as “the organised system of defensive measures instituted and maintained at all levels within an organisation with the aim of achieving and maintaining security.”

The key to this definition is the word ‘defensive’. Protective security measures are specifically defensive in nature, designed to prevent a security breach altogether or otherwise to stop it in progress or minimise the damage.

In New Zealand, the Government’s Protective Security Requirements (PSR) provides a framework for thinking about and implementing good protective security. Over in Australia, they use the Protective Security Policy Framework (PSPF), and there are similar frameworks in the UK, US and Canada.

Although the PSR is a set of requirements that the Government has of its agencies, it’s also absolutely suitable to private sector organisations. For private companies that are suppliers to government or that are looking to become suppliers to government, I’d suggest that being compliant with the PSR is a very good idea.

What is the PSR?

According to the Government’s PSR website, the PSR is a “policy framework that sets out what your organisation must do to manage security effectively. It also contains best practice guidance you should consider following.”

“Effective security,” it states, “enables New Zealand organisations to work together securely in an environment of trust and confidence.” This is a key idea. Being compliant with the PSR is a great benchmark to demonstrate to other organisations – whether they are your customers or in your supply chain – that your organisation has its security act together… that they can be trusted.

The PSR’s core policies cover four key areas: security governance, personnel security, information security, and physical security. Let’s take a brief look at each domain:

Security governance

The PSR contains eight governance requirements, which are aimed at ensuring effective oversight and management of all security areas within an organisation:

• GOV 1 Establish and maintain the right governance

• GOV 2 Take a risk-based approach

• GOV 3 Prepare for business continuity

• GOV 4 Build security awareness

• GOV 5 Manage risks when working with others

• GOV 6 Manage security incidents

• GOV 7 Be able to respond to increased threat levels

• GOV 8 Assess your capability

Personnel security

Protecting your organisation means ensuring that access to its information and assets is only given to suitable people. In many ways, this is all about managing the ‘insider threat’.

The PSR website points out that personnel security measures should start at the pre-employment stage and continue throughout the personnel lifecycle, and it advocates taking a risk-based approach. The four personnel security requirements are:

• PERSEC 1 Recruit the right person

• PERSEC 2 Ensure their ongoing suitability

• PERSEC 3 Manage their departure

• PERSEC 4 Manage national security clearances

Information security

The PSR guidance contains substantial resources on the information security domain, and it’s worthwhile also reading up on the Government’s New Zealand Information Security Manual (NZISM) for further guidance.

The PSR covers the security measures your organisation should develop, implement, and review for protecting information from unauthorised use, accidental modification, loss or release. Measures can include establishing an information security culture, developing an information classification policy, and adhering to legal requirements, such as the Privacy Act.

It’s worthwhile noting that according to the PSR, an ‘information asset’ could refer to any form of information, including: printed documents and papers, electronic data, software or ICT systems and networks, intellectual information (knowledge) acquired by individuals, and “physical items from which information regarding design, components or use could be derived.”

The four information security requirements are:

• INFOSEC 1 Understand what you need to protect

• INFOSEC 2 Design your information security

• INFOSEC 3 Validate your security measures

• INFOSEC 4 Keep your security up to date

Physical security

“Good physical security,” states the PSR guidance, “supports health and safety standards, and helps your organisation to operate more efficiently and effectively.”

Again, the PSR guidance recommends that you take a risk-management approach to working out the right levels of physical protection for your organisation’s people, information, and assets. The four physical security requirements are:

• PHYSEC 1 Understand what you need to protect

• PHYSEC 2 Design your physical security

• PHYSEC 3 Validate your security measures

• PHYSEC 4 Keep your security up to date

A risk-based approach

Ultimately, the extent to which an organisation might adhere to the PSR is dependent upon the protective security risk context that organisation sits in. The greater the risks (or the greater the need to protect), the greater the need for the organisation to have more mature protective security capabilities in place.

Earlier this year, FIRST Security was audited by the New Zealand Security Association (NZSA) in relation to our protective security capability, and as a result our level of capability maturity was found to be ‘optimised’ (the highest of the capability levels). This means that we ticked all the relevant mandatory requirements boxes and that, among other things, “long term planning is in place and integrated with business planning to predict and prepare for protective security challenges.”

We were obviously pleased with this external assessment of our protective security capability, but at the same time we acknowledge that this is the level that we actually need to be operating at given the relatively high security risk context of many of our customer organisations.

According to the NZ Government’s Capability Maturity Model for Protective Security, your maturity targets “must be considered and informed by your organisation’s security context, potential threats, and risk appetite. This approach might drive you to select different maturity targets for different locations, business activities, and dimensions.”

In taking this approach, it cautions the reader to be “mindful that broad and disproportionately strong measures are not cost-effective and can impede business functions.” Reflecting good risk management practice, it comes down to the principle that measures should be proportionate to the risk.

Author: Steve Sullivan

Prior to joining FIRST Security as its Chief Operations Officer, Steve was General Manager – Regional Operations for Wilson Security, based in Melbourne. His 30-year security career has focussed on leading highly respected security organisations to improved services, customer service and success.