This case study looks at the possible implications if an agency head were to incorrectly grant a security vetting waiver.
Themes covered include:
- importance of vetting for individuals requiring access to information, areas or networks protectively marked at CONFIDENTIAL or above
- importance of vetting for individuals known to an agency head.
Scenario – what happened
Murray is the CSO of a large government department about to quickly hire two administration staff on a temporary basis.
Murray wants to give them occasional access to restricted areas, requiring security clearance vetting by the NZSIS.
The security clearance level sought for both roles is CONFIDENTIAL.
Murray recognises the surnames of the two recruits and realises they are the children of two senior managers.
Murray reviews the vetting results of the two senior managers (returned from the NZSIS with routine recommendations) and discusses the staff applications with his agency head, James.
James personally knows the two senior managers and has met their children on one or two occasions.
James decides he will grant the recruits a security clearance ‘waiver’ and skip the vetting process altogether.
Recruit A enters the role with no issues. However, it later emerges, after several breaches occur, including unauthorised access to protectively marked information, that recruit B has a notable police record of theft and dishonesty.
Lessons learned – what should have happened
Agency head James made several errors in this scenario.
James should not have:
- granted a security vetting waiver
Agency heads cannot, and must not, grant security vetting waivers. All individuals requiring access to information, areas or networks protectively marked at CONFIDENTIAL or above must go through a vetting process conducted by the NZSIS regardless of:
- length of employment contract
- authority or status
- whether the individual is known to the agency or agency head.
In addition, after submitting a security clearance application, agencies must not grant waivers, interim, or temporary security clearances while waiting for a recommendation from the NZSIS.
Agencies must receive a security vetting recommendation from the NZSIS before granting a security clearance.
While it is ultimately the agency head’s responsibility to grant or deny a clearance, the decision must be based on knowledge of the candidate at the time and a recommendation from the NZSIS, and should be conservative.