Police Commissioner Richard Chambers said the new monitoring and alerting approach has already been successful at identifying use of concern which is now under further investigation Photo: Mark Papalii
Police say improvements made to information security controls following the resignation of former Deputy Police Commissioner Jevon McSkimming have already picked up a "small number of cases of misuse and inappropriate content".
The investigation into McSkimming led to concerns that staff could bypass internal controls and "exploit vulnerabilities to access inappropriate content".
The concerns prompted Police Commissioner Richard Chambers to order a "rapid review" of police's information security (INFOSEC) controls to ensure police had sufficiently strong controls to prevent or detect the misuse of police technology and equipment for non-work-related purposes.
A summary of the review said the main risks were; weaknesses in technology configuration, lack of visibility over user activity and gaps in governance.
Do you know more? Email sam.sherwood@rnz.co.nz
On Tuesday, police's Chief Information Officer Matt Winter released an update on the measures taken since the review.
Following the review, police's Executive Leadership Team approved a remediation plan with 26 "actions" to be implemented over a six-month period from July to December.
"We prioritised measures that could be implemented quickly and would prevent staff accessing inappropriate content or detect instances where that had happened.
"The complex nature of policing means different staff require different security settings to be able to do their jobs effectively."
The review recommended ways to "strengthen our systems and better allow us to detect misuse".
Of the steps, eight had already been completed.
"The improvements we have made have already picked up on a small number of cases of misuse and inappropriate content, which are now under investigation."
Winter said police had made "significant progress" in a number of areas including improving the monitoring, alerting and detection of misuse.
"Police have commenced random audits of staff use as well as a more targeted approach to detect attempts to access inappropriate content.
"The new monitoring and alerting approach has already been successful at identifying use of concern which is now under further investigation."
Acting Deputy Police Commissioner Jill Rogers confirmed to RNZ last week a police officer had been stood down from duty for "inappropriate content on a police device".
"The officer is under employment investigation for serious misconduct, relating to inappropriate, but not objectionable, material on a Police-issued device. The alleged misconduct was uncovered through following recent audits of staff internet usage.
"This has identified a small number of users of concern, which are now under review by the National Integrity Unit."
Winter said the approach was a "different and improved" one to the internet usage reports which were discontinued "a number of years ago".
"Those reports were not able to identify attempts to access inappropriate material.
"We anticipate further strengthening, with a focus on improving use of cyber security tools Police has at its disposal."
Police had also reviewed and strengthened website "categorisation policies".
"This refers to categorising the types of websites which are blocked by default on the police network.
"We have reviewed these categories to ensure the settings are what we expect and reduce the possibility of staff accessing content that is inappropriate or is a risk to the organisation."
Winter said due to the nature of police work, some staff required exemptions to the usual web access controls for investigative or other genuine work-related purposes.
Police had "strengthened" the processes and checks around the exemptions to ensure the access was kept "to a minimum". The exemptions now required Assistant Commissioner/ Executive Director level approval.
He said police also had "better oversight and management" of the use of devices.
"Police have some specialist groups that require technology solutions that historically have not been able to be run on enterprise networks and devices.
"Following a stocktake of these devices, and looking at technology options that are now available, a decision has been made to move the majority of these onto enterprise devices and networks to allow for improved management, technical controls and oversight, including logging, monitoring, and alerting."
There were also several "workstreams" under way to further strengthen the police network to ensure both "insider and external threats" of misuse or malicious content were mitigated.
Rapid review
The review included key findings and recommendations in relation to each of the risks.
There was "inconsistent application" of internet access policies across different workgroups as well as a "lack of robust filtering mechanisms" to consistently prevent access to unauthorised websites.
The review also found there was "insufficient monitoring of internet usage to detect and respond to potential security threats and inappropriate usage".
Other findings included unmanaged devices being used for operational activities and inadequate monitoring of user activity and network traffic.
There was an absence of centralised logging and analysis tools to detect anomalies and potential issues and "insufficient resources allocated to continuous monitoring and incident response".
The review also said there was a lack of "clear governance structures and accountability" for INFOSEC controls, with "inconsistent enforcement" of security policies and procedures.
The report called for "improved oversight and coordination among different workgroups".
Among the recommendations was that police implement consistent internet access policies across all work groups and use advanced filtering mechanisms to block unauthorised websites.
It was also recommended that police enforce policies to ensure all devices were managed and monitored, and that they allocate resources to "continuous monitoring and incident response".
In relation to the concerns about governance, the report recommended police established clear structures and accountability for INFOSEC controls and "ensure consistent enforcement of security policies and procedures".
"Addressing these issues through the recommended actions will enhance operational security, visibility, and policy enforcement, ensuring a robust INFOSEC posture," the report said.
Chambers earlier said the review made clear the current settings were "not robust enough and urgent attention is required".
He has ordered the re-introduction of audits of data and internet usage on police devices and initiated an assessment of police-owned standalone devices which operated outside the police network.
https://radionz.us6.list-manage.com/subscribe?u=211a938dcf3e634ba2427dde9&id=b3d362e693 Sign up for Ngā Pitopito Kōrero], a daily newsletter curated by our editors and delivered straight to your inbox every weekday.
