“The officer is under employment investigation for serious misconduct, relating to inappropriate, but not objectionable, material on a Police-issued device. The alleged misconduct was uncovered through following recent audits of staff internet usage.
“This has identified a small number of users of concern, which are now under review by the National Integrity Unit.”
Police Commissioner Richard Chambers said the misconduct being investigated was uncovered as a result of the new monitoring measures introduced following the rapid review of the settings for police devices, launched after McSkimming’s resignation.
“I sought that review because of my concern that such conduct was not being detected. This offers some reassurance that we now have the necessary tools to detect potentially inappropriate behaviour.”
Police Minister Mark Mitchell told RNZ he had not been briefed on the allegations, but expected police to “take action on any matters that involve inappropriate behaviour”.
The investigation into Jevon McSkimming led to concerns that staff could bypass internal controls and “exploit vulnerabilities to access inappropriate content”.
The concerns prompted Chambers to order a “rapid review” of police’s information security (Infosec) controls to ensure police had sufficiently strong controls to prevent or detect the misuse of police technology and equipment for non-work-related purposes.
Police Commissioner Richard Chambers. Photo / RNZ, Mark Papalii
A summary of the review said the main risks were; weaknesses in technology configuration, lack of visibility over user activity and gaps in governance.
The report included key findings and recommendations in relation to each of the risks.
There was “inconsistent application” of internet access policies across different workgroups as well as a “lack of robust filtering mechanisms” to consistently prevent access to unauthorised websites.
The review also found there was “insufficient monitoring of internet usage to detect and respond to potential security threats and inappropriate usage”.
Other findings included unmanaged devices being used for operational activities and inadequate monitoring of user activity and network traffic.
There was an absence of centralised logging and analysis tools to detect anomalies and potential issues and “insufficient resources allocated to continuous monitoring and incident response”.
The review also said there was a lack of “clear governance structures and accountability” for Infosec controls, with “inconsistent enforcement” of security policies and procedures.
The report called for “improved oversight and coordination among different workgroups”.
Among the recommendations was that police implement consistent internet access policies across all work groups and use advanced filtering mechanisms to block unauthorised websites.
It was also recommended that police enforce policies to ensure all devices were managed and monitored, and that they allocate resources to “continuous monitoring and incident response”.
In relation to the concerns about governance, the report recommended police establish clear structures and accountability for Infosec controls and “ensure consistent enforcement of security policies and procedures”.
“Addressing these issues through the recommended actions will enhance operational security, visibility, and policy enforcement, ensuring a robust Infosec posture,” the report said.
Chambers earlier said the review made clear the current settings were “not robust enough and urgent attention is required”.
He has ordered the re-introduction of audits of data and internet usage on police devices and initiated an assessment of police-owned standalone devices which operated outside the police network.
– RNZ