You are using an older browser version. Please use a supported version for the best MSN experience.

SIS data perhaps at risk for years: report

NZ Newswire logoNZ Newswire 3/05/2017

Every computer system used by the government's domestic spy agency to store information about people being vetted for security clearance was non-compliant and may have been vulnerable for years, a report has found.

Inspector-General Cheryl Gwyn on Wednesday released a report looking at the digital storage practices of sometimes highly private security vetting information by the New Zealand Security Intelligence Service (SIS).

It found all four record-keeping systems used by the SIS were "non-compliant [with government requirements] for several years, until a corrective programme began in mid-2015".

Two of the systems were introduced in 2009 while two others were brought in in 2013 and held information including details of personal relationships and medical records.

"I have found, however, that while the NZSIS took some steps to protect these systems when they were first introduced, the urgent compliance programme begun in mid-2015 was needed to give assurance that the systems are secure," Ms Gwyn said.

She said the SIS had already taken steps to "investigate the possibility of security vulnerabilities" during the period of non-compliance.

"These investigations have given, and will continue to give, further assurance."

The report states because of security reasons, the details of potential vulnerabilities or the fixes can't be made public.

Aside from examining possible vulnerabilities, the report also recommends the SIS follow particular procedures if it wishes to bring in new systems and strengthening safeguards against "inadvertent or unauthorised access".

The director of security had accepted all recommendations, Ms Gwyn said.

"The security clearance process is unavoidably intrusive," Ms Gwyn said.

"Holding that information on systems that comply with government information security standards is a critical protection for the people concerned."

The report was the second part of an investigation looking at the compliance of SIS systems and was delayed by the Kaikoura earthquake in November.

image beaconimage beaconimage beacon