IGIS report - NZSIS vetting information (part two)
OFFICE OF THE INSPECTOR-GENERAL OF INTELLIGENCE AND SECURITY
MEDIA RELEASE – 1pm, 03 May 2017
Report on Security Intelligence Service handling of information collected for security clearance vetting
The Inspector-General of Intelligence and Security, Cheryl Gwyn, has released the second part of her report into how the New Zealand Security Intelligence Service holds and uses information collected for assessing security clearances.
Ms Gwyn has found the electronic record-keeping systems used by the NZSIS now comply with mandatory Government standards. The report also finds all four systems used for security clearance information were non-compliant for several years, until a corrective programme began in mid-2015.
“I want to acknowledge the work done by the NZSIS in bringing its systems into compliance over the past 18 months,” Ms Gwyn said. “The protections for these systems have also been significantly enhanced by wider security efforts by both the NZSIS and the Government Communications Security Bureau over this time.
“I have found, however, that while the NZSIS took some steps to protect these systems when they were first introduced, the urgent compliance programme begun in mid-2015 was needed to give assurance that the systems are secure.”
In line with recommendations in the report, the NZSIS has taken steps to investigate the possibility of security vulnerabilities during the period in which the systems were non-compliant. Some of this work has been assisted by the GCSB. “These investigations have given, and will continue to give, further assurance,” Ms Gwyn said.
The review was undertaken as part of the Inspector-General’s statutory responsibility to ensure compliance in NZSIS systems. It began in January 2015 and part one of the report was issued last April. The part two report released today was deferred so that it could take account of the NZSIS compliance and investigative work.
It was also delayed, along with other reports, by significant, and continuing disruption to the Inspector-General’s office following the Kaikoura earthquake in November.
The information stored on the NZSIS systems at issue is collected from people undergoing assessment – “vetting” – for government security clearances.
“The security clearance process is unavoidably intrusive,” Ms Gwyn said. “It can require disclosure of relationship, medical and other detailed personal information. Holding that information on systems that comply with Government information security standards is a critical protection for the people concerned. It is also important for national security that sensitive information about people in the intelligence and defence sectors is kept safe from external access and exploitation.” 2
The Director of the NZSIS has accepted all of the recommendations made in the report. These include steps to avoid any repetition of bringing new systems into operation without ensuring their compliance, and development of better internal controls on data access.
A copy of the report is available here: www.igis.govt.nz/publications/investigation-reports/