Wednesday, May 03, 2017

Incompetent, trust-abusing muppets II

A little over a year ago, the Inspector-General of Intelligence and Security exposed the SIS as incompetent, trust-abusing muppets who had failed to safeguard the security and privacy of highly-sensitive vetting information. This wasn't just an abuse of the trust public servants applying for a security clearance placed in them - it was also a fundamental compromise of national security, in that the information could have been stolen and used to blackmail people.

Today, IGIS released the long-awaited second part of that report, which exposes just how bad SIS was. The short version:

  • The computer systems SIS used for storing and accessing vetting information were not accredited or certified, in direct contravention of their own Information Security Manual.
  • The systems had multiple security vulnerabilities.
  • Most systems had no logging, meaning it was impossible to tell who had accessed what or to detect unauthorised or improper access. They still have no idea whether this occurred before the security holes were plugged.
  • Attempts to investigate why this had happened were thwarted by poor record-keeping (which seems to be a violation of the Public Records Act).

Apparently, all of this has been corrected now. But it doesn't exactly inspire confidence. And if you're asked by SIS to provide blackmail on yourself for security vetting purposes, then you should think very carefully about whether you can trust them with it.