IT systems used by the Security Intelligence Service to hold security clearance vetting information operated for years in breach of mandatory standards, New Zealand’s intelligence watchdog says.
In the second part of her report into how the SIS holds and uses information for security clearances, Inspector-General of Intelligence and Security Cheryl Gwyn said “unavoidably intrusive” information collected as part of the vetting process needed to be stored securely to give the public peace of mind.
Gwyn said all four of the IT systems used by the SIS to hold vetting data had not been formally certified or accredited to meet security standards as required by law, some for as long as seven years.
While an “urgent compliance programme” starting in mid-2015 fixed the problems, an earlier attempt to secure accreditations in 2010 was downgraded to “business as usual” and shut down in 2014 without completion.
Gwyn also found problems with controls governing who had access to vetting documents.
She said SIS director Rebecca Kitteridge had agreed to all of the report’s recommendations to avoid a repeat in future.
Gwyn also recommended the SIS check its systems to see whether they had been compromised, but acknowledged that could be difficult given the historical nature of the problems.
The first part of her report, released in April 2016, found shortcomings in how the SIS was meeting data protection requirements.
Chris Finlayson, the minister responsible for the SIS, said while the problems had now been addressed, it was unsatisfactory they had occurred previously.
“She [Gwyn] wasn’t happy and neither was I, frankly.”
The inquiry was sparked by security clearance data breaches in the United States in 2015, involving the information of over 22 million people.