"Pretty brutal" is how blogger Keith Ng describes the Deloitte report on Phase II of its investigation into the Ministry of Social Development kiosk security breach.
Deloitte's Phase I report focused specifically on the MSD security gap first publicised by Mr Ng (public computer kiosks at WINZ allowing wide-ranging access to client and commercially sensitive files on the ministry's network).
Phase II of the independent investigator's assessment looked at whether the breach was symptomatic of governance, cultural and technical problems across the MSD.
Privacy Commissioner: good - but when?
“The Deloitte report on MSD makes it very clear that there is a need for strong leadership by senior management on the way client information is handled within MSD,” Privacy Commissioner Marie Shroff says.
Ms Shroff said she was pleased MSD had pledged to act on the report's recommendation. But she added, pointedly, that she looked forward to a timeline.
The report notes that while the Government Communications Security Bureau (GCSB) and other agencies lay down information security guidelines, the MSD has no process to assess if they are being met.
In response, the ministry has pledged to appoint a chief information security officer, with recruitment to begin "within the next few weeks."
Chief executive Brendan Boyle says the person who fills the new role will be in charge of implementing the recommendation in Deloitte's two reports, and have ongoing responsibility for information security.
The Phase II report says no evidence was found of the security breach identified by Mr Ng (and first identified by Ira Bailey) being exploited by others.
Only lip-service to information security
Mr Ng told NBR ONLINE, "The key findings [on pages 15 - 17 of the report in RAW DATA, below] clearly point to a governance problem."
Management wasn't thinking about information security, Mr Ng summarises.
"There were no KPIs [key performance indicators] or organisation-level policies around information security.
"They didn't have enough infosec people to service the whole organisation, and the visibility of their work was 'limited'.
"MSD's spin is focused on the fact that problems identified in the first report are not widespread. But those problems only existed because the governance at ministry never paid more than lip-service to information security," Mr Ng says.
Overall, he's relatively satisfied with the way things have turned out.
"It's a pretty brutal report, and I think it addresses the governance issues beyond the four employees who are under the gun," Mr Ng says.
Why nobody noticed the screw up
Mr Ng told NBR the first Deloitte report was honest and reasonable, but left the big question: why was Dimension Data's April 2011 report on kiosk security holes ignored?
Did he feel it was answered by the independent investigator's second installment?
"Partly. We still don't know the details of what those four employees did, but I think the governance issues highlighted in the report explain why those guys screwed up, and why nobody noticed," Mr Ng says.
Following Deloitte's Phase I report, which criticised the MSD for ignoring a report by Dimension Data on security problems with the kiosks, four ministry staff face employment investigations.
Yesterday, the ministry said findings from the Phase II report would be used in the ongoing investigations into the four staff.
The MSD said the two Deloitte reports had cost around $450,000.
A separate Internal Affairs investigation into all public-facing government computer systems continues.
RAW DATA: Deloitte Phase II report (PDF)