As stated by Chief Information Officer Matt Winter:
Police is releasing a further update on the measures taken since a rapid review of Police information security controls was done in June.
Following the review, the Police Executive Leadership Team approved a remediation plan with 26 actions to be implemented over a six-month period from July to December 2025.
We prioritised measures that could be implemented quickly and would prevent staff accessing inappropriate content or detect instances where that had happened.
The complex nature of policing means different staff require different security settings to be able to do their jobs effectively.
However, the review recommended ways to strengthen our systems and better allow us to detect misuse.
Of the 26 actions, eight have been completed and the rest are on track for completion by the end of December.
The improvements we have made have already picked up on a small number of cases of misuse and inappropriate content, which are now under investigation.
Police is releasing the action plan, however, as some actions reference sensitive aspects of our system security measures, elements have been redacted.
The action plan is overseen by the Police Executive Leadership Team to ensure continued progress.
We have made significant progress in the following areas:
1. Improving the monitoring, alerting and detection of misuse
Police have commenced random audits of staff use as well as a more targeted approach to detect attempts to access inappropriate content.
The new monitoring and alerting approach has already been successful at identifying use of concern which is now under further investigation.
This is a different and improved approach to the internet usage reports which were discontinued a number of years ago.
Those reports were not able to identify attempts to access inappropriate material.
We anticipate further strengthening, with a focus on improving use of cyber security tools Police has at its disposal.
2. Reviewing and strengthening website categorisation policies
This refers to categorising the types of websites which are blocked by default on the police network.
We have reviewed these categories to ensure the settings are what we expect and reduce the possibility of staff accessing content that is inappropriate or is a risk to the organisation. Work is underway with an independent third party to assess further tooling options and potential enhancements.
3. Stronger processes for staff with exemptions
Due to the nature of police work, some staff require exemptions to the usual web access controls for investigative or other genuine work-related purposes.
We have strengthened the processes and checks around these exemptions to ensure this access is kept to a minimum.
Exemptions now require Assistant Commissioner/ Executive Director level approval.
4. Better oversight and management of the use of devices
Police have some specialist groups that require technology solutions that historically have not been able to be run on enterprise networks and devices.
Following a stocktake of these devices, and looking at technology options that are now available, a decision has been made to move the majority of these onto enterprise devices and networks to allow for improved management, technical controls and oversight, including logging, monitoring, and alerting.
Any exemptions require executive approval and would be limited to discrete sensitive capability. Procurement of devices is now limited to standard processes, with any exemptions requiring ICT review and Chief Security Officer approval.
5. Network strengthening
There are several workstreams underway to further strengthen the Police network to ensure both insider and external threats of misuse or malicious intent are mitigated. Details of this work are sensitive so not included in this update.
