A review commissioned amid an investigation into the former deputy police commissioner has revealed weaknesses in police’s internet access controls, unmanaged devices, limited monitoring and governance gaps.

Police Commissioner Richard Chambers says the review made clear the current settings were “not robust enough and urgent attention is required”.

He has ordered the re-introduction of audits of data and internet usage on police devices and is initiating an assessment of police-owned standalone devices which operated outside the police network.

RNZ earlier revealed the investigation into Jevon McSkimming led to concerns that staff could bypass internal controls and “exploit vulnerabilities to access inappropriate content”.

The concerns prompted Chambers to order a “rapid review” of police’s information security (INFOSEC) controls to ensure police had sufficiently strong controls to prevent or detect the misuse of police technology and equipment for non-work-related purposes.


A summary of the review was released on Monday.

The report said police managed an “extremely complex technology operating environment”.

“This requires a variety of different user personas to be catered for, each with different levels of security controls (and in some cases a requirement to have permissive controls).”

“Additionally, the varied (and law enforcement) nature of policing may require some employees to access websites that in other corporate environments may be blocked.”

For several years police had been faced with a “technical debt”; however, steps were being taken to address this.

“As with many agencies and businesses, there has been an increase of what is commonly known as Shadow IT – that is, technology purchased or used for legitimate business purposes but operated outside of the management and oversight, and often the knowledge of the ICT group.”

The report said police had a “wide range” of modern security technology in place which protected police information.

“Most user activity is logged and monitored in accordance with good industry practice.

“The review found some key issues however, which provide opportunity for improvement.”

The main risks were weaknesses in technology configuration, lack of visibility over user activity and gaps in governance.

The report included key findings and recommendations in relation to each of the risks.

There was “inconsistent application” of internet access policies across different workgroups as well as a “lack of robust filtering mechanisms” to consistently prevent access to unauthorised websites.

The review also found there was “insufficient monitoring of internet usage to detect and respond to potential security threats and inappropriate usage.”

Other findings included unmanaged devices being used for operational activities and inadequate monitoring of user activity and network traffic.

There was an absence of centralised logging and analysis tools to detect anomalies and potential issues and “insufficient resources allocated to continuous monitoring and incident response”.

The review also said there was a lack of “clear governance structures and accountability” for INFOSEC controls, with “inconsistent enforcement” of security policies and procedures.

The report called for “improved oversight and coordination among different workgroups”.

Among the recommendations was that police implement consistent internet access policies across all work groups and use advanced filtering mechanisms to block unauthorised websites.

It was also recommended that police enforce policies to ensure all devices were managed and monitored, and that they allocate resources to “continuous monitoring and incident response”.

In relation to the concerns about governance, the report recommended police establish clear structures and accountability for INFOSEC controls and “ensure consistent enforcement of security policies and procedures”.

“Addressing these issues through the recommended actions will enhance operational security, visibility, and policy enforcement, ensuring a robust INFOSEC posture,” the report said.

Police commissioner responds

Chambers said the review found that while Police had a wide range of security measures in place, there were “opportunities to strengthen and tighten controls on their use”.

“The review found Police has a range of modern security controls which protect Police information and systems from malicious activity. Most user activity is logged in line with good industry practice and there is clear guidance and expectations for staff around acceptable use.

“However, the review also identified several areas where improvement was needed. These include more monitoring of staff internet use and stronger filtering mechanisms to guard against inappropriate or harmful content being accessed or downloaded.”

The review also recommended better oversight of all Police-owned devices, including those that sit outside the Police network for legitimate work purposes, Chambers said.

“Police is an extremely complex workplace and different levels of security settings will always be required by some staff for lawful policing purposes. Some staff also require devices that operate outside the central Police system.

“However, the review has made it very clear the current settings are not robust enough and urgent attention is required. The report includes recommendations to strengthen the settings.”

Chambers said he had made two decisions immediately in the wake of the review.

He would be re-introducing audits of data and internet usage on police devices, a process that was halted about four to five years ago, and initiating an assessment of Police-owned standalone devices which operate outside the Police network.

“While there are legitimate work reasons for such devices, clarity is needed around the oversight of them.

“I have requested a remediation plan to consider the review’s recommendations and address key issues. I have asked this be done quickly and expect to make further decisions within the month.”

rnz.co.nz
