Where agencies have diverse functions it may be appropriate to apply the CMM separately rather than attempt to build a single view.

The nature of capability maturity models is such that not every agency will need to achieve the highest maturity level in each (or any) category. Depending on the agency’s security threat and risk environment, ‘core’ will often be an appropriate target. Unnecessarily strong security measures are expensive and can impede the delivery of public services.

Use each of the following tables to record how you rate your existing capability and also where your agency needs to be. Bullet list items should be considered a guide rather than a complete and authoritative list.

It is not necessary that all elements of a lower level are in place before rating at, or aiming for, a higher level. The ‘informal’ and ‘basic’ levels are typically characterised by a lack of good practice.
- Leadership and governance bodies discuss security, but generally only in response to breaches
- Access to the executive team and reporting lines to governance bodies exist, but can generally only be used

Basic

- Governance meetings include discussions on security issues and the effectiveness of protective measures
- Protective security is a standing agenda item for the agency’s Risk & Assurance Committee
- All aspects of protective security activity are adequately resourced
- Leadership takes a proactive and integrated approach to leading protective security management
- Management proactively reports to the executive team and governance bodies, including to inform them of any

Managed

- Leadership works collectively to seek innovative ways to continuously improve protective security

Optimised

- Oversight of protective security functions is demonstrated through governance bodies setting policies and monitoring compliance
- The executive team and governance bodies actively inform performance targets and improvements in security management
- Resources are deployed strategically to support the maintenance of effective protective security
- No or limited defined reporting structures for protective security management, issue resolution, or practice improvement

Informal

- No senior executive is explicitly responsible for overseeing all aspects of protective security
- No supporting security management roles
- A senior executive is formally responsible for managing protective security, but in practice that person has limited involvement

Basic

- A senior executive is authorised to make decisions on protective security, including resourcing; this person is accountable to the chief executive for security management and maintains oversight of all aspects of protective

Core

- There is clear delineation of protective security governance (e.g. strategic direction-setting and policy approval)

Managed

- Ongoing, regular and formal discussions on protective security occur between governance bodies, the executive

Optimised
- Monitoring, reporting and other assurance activities are informal and occur only as issues (e.g. breaches) arise

Basic

- The agency meets the PSR’s assurance and reporting requirements, and can provide evidence of this
- Reporting lines and responsibilities are clear and there is regular management reporting

Core

- Internal monitoring and reporting requirements are customised, well defined and assess all aspects of protective security and related risks
- Key performance indicators are used to track and measure performance
- Assurance is built into all aspects of protective security planning, governance and operations, and includes independent auditing

Managed

- Outcomes and outputs of assurance activity inform changes to protective security processes and responsibilities
- Key performance indicators are linked to, and seek to enable, the agency’s business strategy
- There is proactive reporting to all staff against key performance indicators
- In addition to scheduled assurance activities, performance data is automatically captured, responded to in real

Optimised
- No documentation or guidance on what protective security means to the agency and why it is important

Informal

- Protective security is almost exclusively a focus area for specialists; responsibility for security is seen as being assigned to just a few personnel
- The executive team and senior managers recognise the importance of an effective security culture, but are

Basic

- Values and aspirations for protective security are communicated in clear terms and are consistently understood throughout the agency
- The joint accountability of all staff for protective security is documented, well known and accepted; expectations of staff are clear

Core

- All personnel actively identify with, and take responsibility for, protective security policies and practices

Optimised
- Some systems for communicating regarding protective security, but these are not formally defined

Basic

- There are clear protocols for communications regarding protective security and these are regularly used
- All staff and contractors are required to undertake basic protective security training (e.g. as part of induction), with additional clearance-based training occurring as needed

Core

- Staff and contractors are aware of the agency’s security policies and relevant resources available to them
- All staff and contractors are made aware of the requirements of relevant legislation (e.g. Crimes Act, Official Information Act, Privacy Act) and how these apply to them
- Training is adequate in content, frequency and form, including for staff with significant security responsibilities
- Open, two-way communications are active and processes are in place to ensure key messages are received and understood
- Training is targeted and role/job based

Managed

- Education needs are actively monitored and training is delivered when gaps are identified
- Staff and contractors’ understanding of security requirements is assessed and supplemented as needed before they are given access to information and other resources that need to be protected, and also when security clearances are renewed
- Training and communications are regularly revised so as to respond to an evolving security risk environment
- There is clear and frequent communication between governing bodies and functional teams, and across the whole agency, about protective security and the effectiveness of existing practices and initiatives

Optimised

- Training and communications enable all staff and contractors to be confident they understand and meet protective security obligations
- Training is role-specific and is regularly revised to align with best practice and continuously stimulate personnel
- The agency knows it needs to improve aspects of protective security but is doing little to address this
- There is little visible consideration of the agency’s security risk profile and tolerance
- Improvement activities are not consistent across the agency
- The agency is able to address some of its protective security risks but does not usually act until breaches or other issues occur
- The agency protective security plan is reviewed at least every two years to ensure it remains relevant to the agency’s threat and risk profile, it is sustainable, and it continues to align with the PSR and other relevant government standards

Core

- The agency’s tolerance for security risk is defined and is used to inform resourcing and activity scheduling
- Risks and outcomes drive improvement programmes across the agency
- The agency uses root cause analysis to address significant systemic security issues
- The results of risk management and assurance activity are promptly used to inform and update the protective security plan

Managed

- The executive team and governance bodies define the agency’s tolerance for security risk and accept the implications, including for business continuity and the agency’s strategic objectives
- Improvement programmes result in the proactive identification and resolution of potential security issues and risks, changes in communication and education delivered to personnel, and ongoing process enhancements
- Protective security considerations are fully integrated into the business strategy and planning lifecycle

Optimised

- Risk tolerance is regularly reviewed and formally agreed by the executive team and governance bodies, and is informed by ongoing assessment of protective security threats, trends and expectations
- Effective processes are operating to ensure any changes in security requirements or best practice are identified and assessed in the context of the agency’s security risk profile, and that appropriate change is delivered across the agency
- Protective security is explicitly addressed in at least some policies, processes and procedures, but these may not be comprehensive and are not consistently followed; non-compliance is not identified
- Policies may be reviewed to ensure they comply with the PSR and other relevant requirements, though this generally only occurs in response to identified breaches

Basic

- Security threats and risks are sometimes considered when designing or reviewing processes, procedures and systems, but this is not compulsory
- The level of due diligence undertaken on third parties’ protective security policies, processes and procedures varies between business units and may only occur in response to a breach
- Third party contracts (and similar, e.g. inter-agency memoranda of understanding) include security provisions as appropriate
- Security policies, processes and procedures are relevant, comprehensive, and easy to access and understand
- There is a common approach to security management across the agency and good compliance with requirements
- Processes and procedures are periodically reviewed, including against analysis of any changes in the PSR and the agency’s operating, policy, legislative and regulatory environment

Core

- There are documented requirements to consider security threats and risks when designing processes, procedures and systems
- Contract templates include standard protective security terms and conditions
- Where third parties have access to information or assets that must be secured, or where they must protect the safety of people where the agency has a duty of care, due diligence is performed to ensure they meet the requirements of the PSR
- Third parties are educated in incident response processes
- Staff and managers proactively contribute to designing practices to support and complement protective security policies, identifying and communicating gaps or opportunities
- Management and security officers proactively review changes to relevant legislation and regulation, and emerging risks, and amend the agency’s protective security policies, processes and procedures where appropriate

Managed

- Business processes and procedures are designed specifically to mitigate security threats and risks
- Third party contract / agreement terms and conditions vary appropriately depending on the nature of the engagement
- Contracts and agreements are entered into only where the third party’s relevant protective security capability and practices are at least equivalent to those of the agency
- Where a third party contract or other agreement exists, there are regular reviews against security clauses and requirements
- The principles and behaviours set out in protective security policies, processes and procedures are consistently demonstrated by all staff and contractors
- Effective systems are in place to ensure any changes to best practice or the agency’s threat and risk profile are quickly identified and reflected in security policies, processes and procedures

Optimised

- Third parties are assessed against relevant security requirements before any contract or other agreement is entered into
- Audits of the security performance of third parties are performed and they are held accountable for the results
- Security risks and issues relating to contracts and other inter-organisation agreements are analysed; mitigation strategies are put in place to improve existing and future agreements where third parties have access to information or assets that must be secured, or where they must protect the safety of people where the agency has a duty of care
- No relationship between protective security functions and wider agency risk management functions

Informal

- No formal, structured or consistent process for identifying and assessing protective security threats and risks
- No or limited controls are in place specifically to prevent, detect or otherwise mitigate protective security risks
- No formal process for monitoring or reporting on protective security risks and mitigations
- There is limited interaction between protective security functions and wider agency risk management functions; what exists is primarily designed to mitigate specific identified risks
- Security risk assessments are performed at least occasionally, though this may be viewed simply as compliance activity; processes may be underdeveloped and not be well documented
- Security risk definitions tend to be simplistic, overly generic and insufficiently analysed

Basic

- Protective security risks are monitored on a siloed basis in business units, with little or no cross-functional interaction
- Control activities that respond to identified protective security risks exist, but are not formally documented or tracked
- Protective security risk reporting is largely by exception; requirements for monitoring and reporting on controls are not fully documented
- Protective security risk management processes align to the (inter)national standards identified in the PSR and are generally integrated with other aspects of the agency’s organisational risk management approach
- Security threat, vulnerability and risk assessments are performed on a scheduled basis
- Protective security risks are mainly monitored within business units at an operational level, with some

Core

- Protective security risks are considered and overseen within the agency’s strategic / enterprise risk management programme
- Protective security risks and issues are owned by the appropriate business units
- Identification and assessment of threats, vulnerabilities and risks is proactive and accepted as an enabler of business continuity

Managed

- Monitoring includes analysis of whether risk levels have changed, whether controls are being applied effectively and whether risk management improvements are being implemented
- Risk mitigation plans are applied and integrated across the agency; security functions coordinate these plans and ensure mitigations are applied consistently across different areas affected by the same risks
- Management responsibility is formally assigned for regularly testing business continuity measures and reviewing other risk controls, and for reporting on review results
- Protective security risk reporting is well defined, integrated into wider business-as-usual management reporting and regularly reviewed at the executive level
- Protective security risk management is firmly embedded within the agency’s strategic / enterprise risk management function
- All staff consider the identification of protective security risks as their responsibility
- Well defined, best practice and efficient threat, vulnerability and risk identification and assessment processes are integrated into business activities across the agency; all management and staff see these processes as

Optimised
- No structured approach to managing security incidents (infringements, violations, breaches), with little

Informal

- Limited staff awareness of the nature of, or potential for, different types of security incidents

Basic

- Incident response processes are informal; responses are managed within teams with limited central oversight
- Incident recording, response and escalation processes and responsibilities are well documented and are followed
- The executive team receives reports on security incidents, the measures taken to remedy them, and any disciplinary action taken, for instance as a result of a deliberate breach

Core

- The agency complies with PSR requirements for the external reporting of security incidents, including contact reporting
- There is agency-wide understanding of what a security incident is (including infringements, violations and breaches); staff and contractors know how to respond to an incident, including who to inform and the timeframe for reporting
- The agency has a comprehensive and consistent approach to incident management; a well-defined hierarchy of

Managed

- There is ongoing research into appropriate measures for preventing and managing incidents, and this

Optimised
Personnel security (Current / Target)

- Limited, undefined and inconsistent controls are in place to ensure only appropriately authorised people have access to the agency’s facilities, information and other assets

Informal

- No central register of security cleared personnel is maintained; poor controls to ensure clearances remain current
- Personnel with expired or revoked security clearances are able to continue accessing classified information and resources
- No reporting to the NZSIS regarding the granting and management of security clearances
- Few or no measures in place to ensure personnel remain suitable to access agency resources on an ongoing basis
- Where personnel require access to national security classified information or resources, the requisite security

Basic

- Effective policies and procedures are in place to assess and manage the ongoing suitability of all personnel to access / use agency resources
- When staff or contractors cease working for the agency their physical and system access privileges are immediately revoked and they are provided with advice regarding any ongoing obligations (e.g. under legislation)
- The agency has clearly communicated procedures in place for managing international travel by all staff and delivering briefings, particularly where staff hold a national security clearance
- Agency policy requires all personnel report suspicious contacts

Core

- All positions requiring ongoing access to classified information and resources are identified; staff and contractors who will work in these roles are provided with appropriate training and are required to formally acknowledge they will comply with relevant policies and protocols
- The agency maintains an up-to-date register of all staff and contractors who hold national security clearances
- There is a review of whether a position requires a national security clearance (or clearance level change) prior to renewal
- Regular security clearance maintenance ‘checkpoints’ are scheduled for all cleared staff and contractors, e.g. as part of annual performance reviews
- The agency informs the NZSIS of the granting, downgrading, suspension or cancellation of all national security clearances, and of any factors that may impact the ability of staff or contractors to maintain a clearance
- Protective security risk management activity is well informed by periodic reviews of the personnel security threats the agency may face within its risk environment across each area of its business
- When recruitment into a role requiring a national security clearance is initiated, up-front measures are taken to minimise the risk of engaging a person who is not eligible to undergo security vetting

Managed

- Defined processes exist and are well understood for handling cases where a person fails to gain or maintain a clearance level that is required for a position they are seeking or currently hold
- The agency regularly reviews its register of security cleared staff and contractors, and ensures all updates are promptly reported to the NZSIS
- Staff and contractors with national security clearances have a thorough understanding of, and proactively comply with, ongoing maintenance requirements; when clearance renewal processes are run, few or no factors (e.g. reportable changes in circumstances) are discovered that should have been reported earlier
- As a matter of course, any initiative that leads to the reallocation of responsibilities within the agency includes

Optimised
Information security (Current / Target)

- Little or no proactive identification of the types of information and other assets requiring a security classification, and little confidence classified resources are consistently handled correctly
- Some information security policy and framework elements are in place, but these may not be comprehensive

Basic

- A comprehensive risk-based information security policy is documented, well communicated, and supported by a defined management framework, documented procedures, and effective controls, in compliance with the PSR (including the New Zealand Information Security Manual)
- All information and other assets requiring classification are consistently classified, marked, accessed and handled in accordance with the New Zealand Government Security Classification System and other relevant legislation (e.g. the Privacy Act, the Public Records Act) and standards; this treatment extends to resources originating from another agency or jurisdiction, and to resources held by third parties on behalf of the agency

Core

- Effective business continuity measures are in place to protect against the loss or unavailability of information and other assets
- Access controls and activity audits support the integrity of ICT systems and the data they hold
- Systems are in place to deter, detect and report on unauthorised or otherwise inappropriate access to information (including paper-based) and ICT systems, including during systems development and throughout the information lifecycle
- Staff proactively contribute to refining information management processes and controls; changes are consistent with the agency’s security risk profile and integrated with wider protective security policy
- Information is protected as a strategic asset; process design considers information security needs from inception, including for data aggregations
- All relevant personnel understand the New Zealand Government Security Classification System and accept the importance of appropriately classifying, marking, handling and accessing information and other assets

Managed

- Agency-specific guidelines and tools are in place to help personnel understand and comply with the New Zealand Government Security Classification System and associated handling requirements
- Information usage records and environment scans are used to inform changes to information security policy and controls
- Personnel responsibilities are appropriately segregated to reduce opportunities for unauthorised or unintentional modification or misuse of classified information assets
- Access controls are automatically updated when personnel change roles or leave the agency
- Information security is subject to both scheduled and unannounced testing and audit on an ongoing basis
- The principles and behaviours defined in the information security policy and supporting controls are consistently demonstrated by all staff and contractors; innovation proposals are encouraged and actively assessed

Optimised

- Systems are in place to automatically detect, monitor and respond to irregular access to information in real time
Physical security (Current / Target)

- The agency cannot be confident it would quickly detect the theft of, or attacks on, physical assets and information
- Some physical security policy and framework elements are in place, but these may not be comprehensive and

Basic

- Effective and proportionate measures are in place to prevent, detect and impede attacks on, or the unauthorised removal of, physical assets and information
- Physical security and safety needs are actively considered from the early stage of any premises relocation, refurbishment or construction; corresponding zone and control design and certification requirements are complied with
- Staff proactively contribute to evolving physical security controls; changes are consistent with the agency’s security risk profile, integrate with wider protective security policy and are promptly communicated

Managed

- Systems are in place to immediately detect, monitor and respond to physical security breaches
- Enhanced physical security measures are automatically adopted in response to emergencies or a heightened threat environment; all staff and contractors are aware of their responsibilities in such situations
- The principles and behaviours defined in the physical security policy and supporting controls are consistently

Optimised