Not a good look for the SIS

Stuff reports:

The country’s top spy agency has been slammed after thousands of security clearances to access classified Government information were recommended using systems that failed.

Cheryl Gwyn, Inspector-General of Intelligence and Security, has released findings into how the Security Intelligence Service (SIS) held and used information collected for assessing security clearances.

The clearances were needed for people to access classified information. And Gwyn’s report found all systems used for security clearance checks were non-compliant “for several years” until a corrective programme began in 2015.

The IGIS report is here. An extract:

Until that certification and accreditation programme, however, the NZSIS instituted and operated all four systems without certification or accreditation, in breach of those security standards. OVR and System B were operated without accreditation from 2009-2016; the DMS from 2013-2015; and System D from 2013-2016.

Basically this says the SIS did not do an internal certification of how secure their systems were and also did not do an external review or accreditation.

This would be bad for any government agency not to do. But for the SIS to have failed at, is very embarrassing.

The systems are now compliant and the report doesn’t suggest any information was improperly accessed.

It is good to have an Inspector-General who is reporting so robustly.