Keep your organisation secure with robust physical security by following the mandatory requirements and the associated physical lifecycle stages explained below.
Understand what you need to protect
Before you can put the right physical security measures in place, you must understand what you need to protect. You may need to protect:
How will your facilities be used?
You need to understand how your facilities will be used, who will use them, who may visit them, and what will be stored in them. Remember to include any classified information or assets you store, and legislative requirements you need to meet.
Are your people working away from the office?
Consider the situations that your people might face when they are working away from the office. Will they be working at home? In remote locations? In someone else’s building? Overseas?
Have you taken health and safety needs into account?
Under the Health and Safety at Work Act 2015, organisations must:
Is your organisation co-locating?
If you’re co-locating, work in partnership with the other parties to build a shared understanding of physical security issues and each other’s security requirements.
Assess your physical security risks
When you assess your organisation’s unique risks, you can work out which physical security measures you need to reduce those risks to an acceptable level. You need to know where you are vulnerable and how your organisation would be affected by breached security. Here are some questions to answer.
Evaluate the likelihood and impact of each risk to help you understand where you need to take further action. For any risks you can’t accurately assess internally, call on external sources such as local police or other authorities. If you’re co-locating with other organisations, consider the combined security risks and work together to assess them. Remember to:
PHYSEC2 - Design your physical security
Consider physical security early in the process of planning, selecting, designing, and modifying facilities. Design security measures that address the risks your organisation faces and are consistent with your risk appetite. Your security measures must be in line with relevant health and safety obligations.
Design physical security early in your processes
Since physical security measures can be more expensive and less effective if they’re introduced later, consider your physical security requirements at the earliest stages — preferably during the concept and design stages. Apply this strategy any time you’re:
For high-risk sites or buildings, you might need to consult early with specialist organisations, such as the New Zealand Security Intelligence Service (NZSIS) and the Government Communications Security Bureau (GCSB).
Evaluate physical security risks before you select a site
Evaluate the following factors to work out if a site is suitable:
Prepare site security plans
Use your site-specific risk assessments to help you:
Your organisation needs to have a site security plan for all new sites, facilities under construction, and facilities undergoing major refurbishments. This plan should align with any minimum security standards your organisation has agreed for specific types of facility. For each site security plan, ensure that physical security measures:
Use security zones to reflect business impact levels
Extra security measures apply to areas where protectively-marked information and other official or valuable resources are processed, handled, and stored. These areas are called ‘security zones’. Security zones are based on business impact levels (BILs), and each zone has minimum security controls that your organisation must implement. If your organisation faces increased threat levels, use your risk assessments to work out what extra measures you need in each affected zone. Increased threat levels can be due to foreign interference, politically motivated violence, criminal activity, or cyber-attacks.
Zone 1: Public Access Area
These are unsecured areas, including out-of-office working arrangements. They provide limited access controls to information and physical assets where any loss would result in a low to medium business impact. They also provide limited protection for people. Examples of public access areas are:
Zone 2: Work Area
These are low-security areas with some controls. They provide access controls to information and physical assets where any loss would result in a business impact up to very high. They also provide some protection for people. These areas allow unrestricted access for your people and contractors. Public or visitor access is restricted. Examples of work areas are:
Zone 3: Restricted Work Area
These are security areas with high security controls. They provide access controls to information and physical assets where any loss would result in a business impact up to extreme. They also provide protection for people. Access for your people and contractors is limited to those with a need to access the area. People with ongoing access must hold an appropriate security clearance. Visitors must be escorted, or closely controlled, and have a business need to access the area. Examples of restricted work areas are:
Zone 4: Security Area
These are security areas with higher levels of security. They provide access controls to information where any loss would result in a business impact up to extreme, and to physical assets where any loss would result in a business impact up to catastrophic. They also provide protection for people. Access for your people is strictly controlled with ID verification and card access. People with ongoing access must hold an appropriate security clearance. Visitors and contractors must be closely controlled and have a business need to access the area. Examples of security areas are:
Zone 5: High-Security Area
These are security areas with the highest level of security controls. They provide access controls to information where any loss would result in a business impact up to catastrophic. Access for your people is strictly controlled with ID verification and card access. People with ongoing access must hold an appropriate security clearance. Visitors and contractors must be closely controlled and have a business need to access the area. Examples of high-security areas are:
Apply good practice for physical security design