"Pretty brutal" is how blogger Keith Ng describes the Deloitte report on Phase II of its investigation into the Ministry of Social Development kiosk security breach.
Deloitte's Phase I report focused specifically on the MSD security gap first publicised by Mr Ng (public computer kiosks at WINZ allowing wide-ranging acccess to client and commerically-sensitive files on the ministry's network).
Phase II of the independent investigator's assessment looked at whether the breach was symptomatic of governance, cultural and technical problems across the MSD.
Privacy Commissioner: good - but when?
“The Deloitte report on MSD makes it very clear that there is a need for strong leadership by senior management on the way client information is handled within MSD,” said Privacy Commissioner Marie Shroff says.
Ms Shroff said she was pleased MSD had pledged to act on the reports recommendation. But she added pointedly, that she looked forward to a timeline.
The report notes that while the Government Communications Security Bureau (GCSB) and other agencies lay down information security guidelines, the MSD has no process to assess if they are being met.
In response, the ministry has pledged to appoint a chief information security officer, with recruitment to begin "within the next few weeks."
Chief executive Brendan Boyle says the person who fills the new role will be in charge of implementing the recommendation in Deloitte's two reports, and have ongoing responsibility for information security.
The Phase II report says no evidence was found of the securtiy breach identified by Mr Ng (and first identified by Ira Bailey) being exploited by others.
Only lip-service to information security
Mr Ng told NBR ONLINE, "The key findings [on pages 15 - 17 of the report in RAW DATA, below] clearly point to a governance problem."
Management wasn't thinking about information security, Mr Ng summarises.
"There were no KPIs [key performance indicators] or organisation-level policies around information secuirty.
"They didn't have enough infosec people to service the whole organisation, and the visibility of their work was 'limited'.
"MSD's spin is focused on the fact that problems identified in the first report are not widespread. But those problems only existed because the governance at ministry never paid more than lip-service to information security," Mr Ng says.
Overall, he's relatively satisfied with the way things have turned out.
"It's a pretty brutal report, and I think it addresses the governance issues beyond the four employees who are under the gun," Mr Ng says.
Why nobody noticed the screw up
Mr Ng told NBR the first Deloitte report was honest and reasonable, but left the big question, Why was Dimension Data's April 2011 report on kiosk security holes ignored?
Did he feel it was answered by the independent investigator's second installment?
"Partly. We still don't know the details of what those four employees did, but I think the governance issues highlighted in the report explains why those guys screwed up, and why nobody noticed," Mr Ng says.
Following Deloitte's Phase I report, which criticised the MSD for ignoring a report by Dimension Data that ignored security problems with the kiosks, four ministry staff face employment investigations.
Yesterday, the ministry said findings from the Phase II report would be used in the ongoing investigations into the four staff.
The MSD said the two Deloitte reports had cost around $450,000.
A separate Internal Affairs investigation into all public-facing government computer systems continues.
RAW DATA: Deloitte Phase II report (PDF)