Cyber Security Considered | ITSEC Australia

What is an NV1 security clearance and why does it matter for Penetration testers?

Written by ITSEC Australia | Oct 23, 2022 9:27:04 PM

You may hear people boast that they have an #NV1 security clearance. But what does it mean and why does it matter?

NV1 stands for Negative Vetting Level 1 clearance. As described by the Australian Government’s Department of Defence, the purpose of the security vetting process is to determine whether an individual is suitable to hold a security clearance, that is, whether they possess and demonstrate an appropriate level of integrity.

Like most organisations, the Federal Government wants the best talent, whether that be their employees or external consultants and advisors. The main difference, however, is the requirement for additional levels of certainty with regard to the suitability of a candidate to best safeguard classified Government data.

Four Security Clearance Levels

There are four levels of security clearance:

1. Baseline

The access permitted includes classified resources up to and including PROTECTED resources.

2. Negative Vetting 1

The access permitted includes classified resources up to and including SECRET resources. NV1 security clearance holders can be provided with temporary access to TOP SECRET classified resources in certain circumstances.

3. Negative Vetting 2

The access permitted includes classified resources up to and including TOP SECRET resources. An NV2 security clearance will be sufficient for most roles requiring intermittent access to TOP SECRET classified resources.

4. Positive Vetting

The access permitted includes classified resources up to and including TOP SECRET resources, including some caveated information. Positive Vetting clearances should only be sought where there is a demonstrated need to access extremely sensitive information, capabilities, operations and systems.

Who is eligible or able to apply for a security clearance?

You need to be an Australian citizen to be able to apply for a security clearance. However, you cannot apply for a security clearance if you are not sponsored by an Australian Government department or agency. This will happen if, and when, you win a role or contract that requires a security clearance and if the agency offers to sponsor you. At this stage, you’ll be vetted by the Australian Government Security Vetting Agency (AGSVA).

It is an extensive assessment, with a number of security interview questions and psychological assessments. They will probe many aspects of your life and investigate your identity, background and citizenship, education, and criminal and financial history, going back as far as 10 years. Due to the backlog and intensity, an NV1 clearance, for example, can take up to six months to be granted.

Why would an NV1 clearance be required for security or penetration testers?

Well, think about what a penetration tester’s job is. They are paid to plan and perform authorised, simulated attacks within an organisation’s networks, information systems, applications and infrastructure to identify weaknesses and vulnerabilities. Ethical hackers use penetration testing techniques to identify loopholes and block hackers from conducting malicious acts.

If this responsibility is put into the wrong hands, a penetration tester can use their skills and expertise to harm and exploit your data. Essentially, an organisation is inviting and paying someone to hack their system. Again, if not done with the right intentions, it is a no-brainer what the risks will be.

Under the Australian Government Protective Security Policy Framework (PSPF), persons who need ongoing access to security classified resources must hold a security clearance at the appropriate level. An employee or external consultant may also be required to hold a security clearance if they occupy a position of trust that requires additional assurance about the integrity of the person.

The vetting process by the Australian Government is to determine whether or not a person is suitable to hold a security clearance, i.e., whether they possess and demonstrate an appropriate level of integrity. Integrity, in the case of security, would include character traits such as honesty, trustworthiness, maturity, tolerance, resilience and loyalty.

NV1 Clearance for ITSEC Penetration Testers

For the peace of mind of your organisation, you can opt to use our experienced and highly certified team, who continually perform penetration testing for various government departments and agencies. This means you too can be assured of having testers with #NV1 clearances, who are trusted by the Australian Government to perform ethical hacking.

Are you due for your scheduled application, infrastructure or network #pentest? Contact us for a no-obligation quote by emailing info@itsec.com.au.