
PSR Mandatory Requirements

The basic policies of the PSR cover four key areas: security governance, personnel security, information security and physical security. Within these four areas, there are 20 mandatory requirements that all companies should meet: A common denominator in the four areas of the PSR is the idea of pursuing a "risk-based approach". So it's no surprise that the first of the mandatory PHYSEC requirements is to assess what you need to protect and what you need to protect against. As a private organisation, we are not bound by the binding requirements of the PSR, but we follow them as best practice guidelines. Government organizations must meet the four mandatory personnel security requirements. Companies should consider adopting these requirements as part of best practices. These mandatory requirements apply to specific government agencies, not the private sector. However, these requirements should be considered best practices by private organizations, and if you're a vendor looking to work with the government, it's a good idea to comply with the requirements of the PSR. The PSR contains eight mandatory governance requirements that are intended to ensure effective oversight and management of all areas of security within an organization, including: To be clear, mandatory requirements are mandatory for some government agencies.

For the rest of us, they should be considered best practices. In my previous post on PSR, we looked at the mandatory physical security requirements (PHYSEC) of the security protection requirements. In this article, we conclude our six-part PSR series by exploring the idea of physical security by design.

PERSEC1 – Hire the right person

Make sure that everyone working for your organization (employees, contractors and temporary workers) who access New Zealand government information and assets:

• have established their identity
• have the right to work in New Zealand
• are able to access it
• agree to comply with government policies, standards, protocols and requirements that protect people, information and property from harm.

PERSEC2 – Make sure you continue to agree

Ensure the continued relevance of everyone who works for your organization. This responsibility includes any concerns that may affect the individual's ability to continue to have access to government information and assets.

PERSEC3 – Managing their departure

Manage the departure of people to limit the risks to people, information and assets arising from the departure of people from your company. This responsibility includes ensuring that all access rights, security passports and assets are returned and that employees understand their ongoing obligations.

PERSEC4 – Management of National Security Clearances

Ensure that individuals have the appropriate national security clearance before gaining access to CONFIDENTIAL, SECRET and TOP SECRET information, assets or workplaces.

Manage the ongoing eligibility of all national security clearance holders to hold a clearance and notify the NISSIS of any changes upon release.

Develop and maintain security policies and plans that meet your organization's specific operational needs. Ensure you meet security requirements in all areas: governance, information, personnel and physical. One of the four physical security requirements of the PSR is the "Design of Your Physical Security" (PHYSEC 2), which requires organizations to consider physical security early in the planning, selection, design and modification process and to design security measures that (i) take into account the risks to which they are exposed; (ii) are consistent with the organization's willingness to take risks; and (iii) comply with relevant health and safety obligations. With this in mind, there are four mandatory information security requirements, including: a self-certification audit to meet PSR Level 3 requirements and the issuance of the TAPA EMEA certification, valid for 3 years. Random audits are performed at self-certified sites. So consider your physical security needs early – preferably during the design and design phases – and at any time when you:

Ensure that everyone working for your organization (employees, contractors and temporary workers) who access New Zealand government information and assets:

• have established their identity
• have the right to work in New Zealand
• are able to access it
• agree to comply with government policies, standards, protocols and requirements that protect people, information and assets.