Security constraints shouldn’t stop agencies from co-locating though, as they can usually be managed through design, environmental and operational treatments.
The approach to security in co-locations
There are two key principles that relate to site security for co-locations.
- Agencies must take a coordinated security approach to the building. This approach should be informed by the combined security risk of all the agencies located in the building.
- Control measures and treatments should be in response to the security risk assessment of the combined agencies. These will be met through design or procedure where it’s possible to do so.
This means that co-locating agencies in each site must:
- follow the Protective Security Requirements (PSR) mandatory requirements
- understand their own security capability
- do a site specific threat and risk assessment before searching for a building
- choose a lead agency with an adequate security capability maturity level to manage the risk environment at the site
- have a security strategy and plan in place to prevent security breaches. They must also have immediate response capabilities in the event of security emergencies or critical (life threatening) situations. This should include:
- common tactics
- communication capabilities
- technology, and
- identify security requirements and establish standard operating procedures. These should be agreed and understood by all agencies on site
- build in public safety procedures and resources to handle emergency scenarios.
Protective Security Requirements (PSR)
The Protective Security Requirements (PSR) outline the government’s expectations for managing personnel, physical and information security. They include mandatory requirements that all government agencies must implement to:
- better manage business risks
- ensure continuity of service delivery
- assure the government and the public that appropriate, effective measures are in place to protect New Zealand’s people, information and assets.
Protective Security Requirements
As part of its role, the PSR aims to ensure that each agency’s security capability aligns with the risk environment they work in. The PSR has developed a security capability maturity model to help agencies work this out. Agencies should use it to self-assess both their current security capability and their desired future state.
Agencies can use their self assessments, along with their site’s security risk assessment, to work out their compatibility for co-location. This will:
- help determine the lead agency
- identify the required security capability level of all agencies, appropriate to the risks present at the co-location site
- identify ways to improve an agency’s security capability.
The security capability maturity model can be downloaded from the Protective Security Requirements website, along with other tools and templates.
PSR security capability maturity model
PSR mandatory requirements for physical security
- Provide clear direction on physical security through the development of policy and an agency security plan.
- Have in place policies and protocols to:
- identify, protect and support employees under threat of violence, based on a threat and risk assessment of specific situations. In certain cases agencies may have to extend protection and support, for example to family members
- report incidents to management, human resources, security and law enforcement authorities, and/or Worksafe NZ as appropriate
- provide information, training and counselling to employees
- maintain thorough records and statements on reported incidents.
- Fully integrate physical security early into the process of planning, selecting, designing and modifying their facilities.
- Ensure any proposed physical security measure or activity is consistent with the relevant health and safety requirements.
- Show a duty of care for the physical safety of the public interacting with the New Zealand government. Where an agency’s function involves providing services, the agency must ensure clients can transact with the New Zealand government with confidence about their physical wellbeing.
- Implement a level of physical security measures that minimises or removes the risk of information assets being made inoperable, inaccessible or improperly accessed or used.
- Develop plans and protocols to move up to heightened security levels in cases of emergency and increased threat. The New Zealand Government may direct its agencies to implement heightened security levels.
Security zones in workplace design
Workplaces are designed with three general categories of space.
- Public (Zone 1 in PSR): areas that the public have unimpeded access to during office hours. This includes transaction counters, reception, and meeting spaces.
- Invited (Zone 2 in PSR): areas that known visitors can access when escorted by an employee. These are generally collaborative areas or controlled meeting areas.
- Private (Zone 2 or higher in PSR): areas that only employees can access, such as the general work area. Areas within this space can be restricted to specific employees, either through:
- physical controls, for example a secure evidence room, or
- temporary people-based controls, like signage indicating that a meeting room is needed for confidential work.
Lead agency and participating agency responsibilities
Lead agencies are responsible for coordinating security requirements and responses for the site. As the person conducting a business or undertaking (PCBU) managing the workplace and workplace facilities, they need to ensure appropriate design and procedural treatments are adequate for the site.
Participating agencies must tell the lead agency about any activities that could affect the safety of other agency employees. The lead agency can then manage them as part of the site’s security plan.
All agencies are required to work together throughout the project to ensure security measures meet their needs.