Update on the Review of Police Information Security Controls

Enhancing Information Security: A Comprehensive Update from Police Leadership

The complexity of policing demands a robust approach to information security. In a recent discussion, Chief Information Officer Matt Winter outlined significant measures enacted in response to a rapid review of the New Zealand Police’s information security controls conducted in June. This review has catalyzed a transformative journey aimed at strengthening data integrity and safeguarding sensitive information.

The Remediation Plan

The Police Executive Leadership Team swiftly approved a comprehensive remediation plan comprising 26 distinct actions, set to be implemented over six months, from July to December 2025. Recognizing the urgency of the need for improvement, priority was placed on actions that could be deployed quickly. The immediate goal was to curb staff access to inappropriate content and to detect any instances of misuse more effectively.

Tailored Security Settings for Diverse Roles

One challenge highlighted in the review is the diverse security needs arising from the multifaceted roles within the police force. Each member has unique system requirements to perform their duties effectively. The remediation plan not only aims to align these needs with security measures but also to boost the overall integrity of the systems in use.

Progress and Transparency

As of this update, eight out of the 26 actions have been successfully implemented, with the remainder on track for completion by the end of December. Notably, the improvements made thus far have already led to the detection of several instances of misuse and inappropriate content, which are currently under thorough investigation.

In the spirit of transparency, the action plan is being released to the public; however, certain elements have been redacted due to their sensitivity. This step underscores the commitment of police leadership to maintaining both accountability and security.

Key Areas of Improvement

1. Enhanced Monitoring and Detection of Misuse
   The introduction of random audits and a focused strategy to detect inappropriate content access is revolutionizing the approach to monitoring. Unlike previous internet usage reports, which fell short in identifying misuse, the new methodology has already proven successful in pinpointing concerning activities that warrant further scrutiny.

2. Revising Website Categorization Policies
   A crucial aspect of information security involves meticulous categorization of websites that are off-limits by default. The police are currently working with an independent third party to audit these categories and explore potential enhancements. This proactive step aims to minimize the chances of staff inadvertently accessing inappropriate content.

3. Refined Exemption Procedures for Web Access
   Certain investigative roles within the police necessitate exceptions to standard web access protocols. To enhance oversight, the approval process for such exemptions has been tightened. Now, approvals must come at the Assistant Commissioner or Executive Director level, ensuring that access outside regular controls is both justified and minimal.

4. Streamlined Device Management
   Specialized groups within the police require specific technology solutions that often operate outside standard enterprise networks. A thorough inventory of these devices has led to a decision to transition the majority into enterprise frameworks. This move will strengthen oversight and enhance technical control, adding layers of logging and monitoring to mitigate risks associated with these specialized capabilities.

5. Network Security Enhancements
   Addressing both internal and external threats to police networks has become a focal point of the remediation efforts. While specific details of these initiatives remain confidential, the commitment to strengthening network security is clear. This ongoing work aims to further reduce vulnerability to misuse or malicious intent.

Continuous Improvement and Oversight

The remaining actions in the remediation plan will continue to receive oversight from the Police Executive Leadership Team. This commitment ensures that progress remains on track and that all actions taken align with the overarching goal of enhancing information security.

Throughout this process, the police have emphasized their dedication to creating a safe and secure environment for both their staff and the public. Although some challenges remain, the proactive steps outlined represent a significant shift towards a more secure and accountable policing framework.

For more details, you can access the full public release here.