UPDATE: NBR asked Ministry of Social Development chief executive Brendan Boyle to explain why he was on the steering group for the independent inquiry into security problems exposed by Keith Ng.
"The role of the steering group is to provide independent oversight of the review and to give advice to the chief executive," Mr Boyle told NBR.
"Given the importance of the review and the role of the steering group, it is appropriate that the chief executive attend and participate in the steering group."
NBR also asked if Mr Boyle's role would be restricted to a non-voting, advisory capacity.
"There’s no requirement for the steering group to vote, so therefore no votes will be taken," Mr Boyle said.
"The independent reviewer [Deloitte chairman Murray Jack] will attend the steering group but will not be subject to direction by the steering group. The independent reviewer will conduct an independent review and the reports on both phases of the review will be made publicly available."
The Ministry of Social Development has released the terms of reference for the independent inquiry into security problems exposed by Keith Ng, to be carried out by Deloitte (see RAW DATA below).
The social media mob was quick to seize on the fact that CEO Brendan Boyle will attend and participate in the steering group for the inquiry (with Deloitte NZ chairman Murray Jack, who leads the independent review, and four others).
How does that make it independent, exactly?
Institute of IT Professionals head Paul Matthews - who has been sharply critical of the MSD at times this week - says it could be. But then again there could be a benign reason.
In itself, it's not unusual for a member of the organisation being investigated to have a representative on the reviewer's steering group.
The rep helps remove barriers so the independent review can be carried out, Matthews says. The fact that the rep is the CEO could be seen as a sign the MSD is taking the matter seriously.
But the key is whether Brendan Boyle will be a non-voting liaison, or will have some degree of influence over the shape or content of the independent inquiry's report.
The role of the steering group is another factor.
"If the steering group is influencing the direction and outcome of the review then it simply isn’t independent with representatives from the department, especially at senior level. However if the presence of the CEO is to ensure that barriers are removed then having that level participate could indicate they are taking the matter seriously," Matthews says.
Yesterday afternoon, NBR asked the MSD to clarify Mr Boyle's role and whether, for example, he would be a voting member. The ministry acknowledged the inquiry but has yet to come back with a detailed response.
Matthews suggests it could be a communications failure rather than anything more sinister.
"Perhaps calling it a steering group is not the best idea, as opposed to, say, a liaison group."
TERMS OF REFERENCE
Independent Review of the Ministry of Social Development’s Information Systems Security
17 October 2012
The Chief Executive of the Ministry of Social Development (the Chief Executive) has commissioned an independent investigation into the security breach that occurred through the Ministry’s self-service kiosks at two Work and Income service centres, which compromised privacy.
The review will be carried out by Deloitte and will be led by Murray Jack, Chairman, Deloitte (the Independent Reviewer).
A Steering Group, with external stakeholders, including the Office of the Privacy Commissioner and Office of the Government Chief Information Officer, has been set up to provide independent oversight of the review.
This review will take into account the recently announced review of publicly accessible systems by the Government Chief Information Officer.
Objectives of the review
The objectives of the independent review are to address the questions raised about the security of the Work and Income self-service kiosks focusing on what happened, why it happened, the lessons learned, and the actions the Ministry needs to take to address any security issues raised.
The review will also assess the Ministry’s wider information systems security including the policies, governance and culture, and will make recommendations about the actions needed to be taken to restore and increase public confidence in the Ministry’s information systems security.
The review will happen in two phases.
Phase One – Matters in scope
The first part of the review will investigate the circumstances and causes of the kiosk security breach which compromised privacy, focusing on
· The establishment and operation of the self-service kiosks in Work and Income service centres, including:
o the work done to ensure appropriate information security was put in place at the time that the kiosk infrastructure and services were designed and built;
o the independent testing done to ensure the security was operating as designed; and
o the Ministry’s response to any security issues identified during the testing.
· Information provided to the Ministry by third parties raising security concerns about the kiosks and the appropriateness and effectiveness of the Ministry’s response to these concerns.
· The appropriateness and effectiveness of the Ministry’s response to the security breach.
Phase Two – Matters in scope
The second part of the review will assess the appropriateness and effectiveness of the Ministry’s wider information systems security, particularly publicly accessible systems, and including the policies, governance, capability and culture.
The review will identify any lessons learned and make recommendations to the Chief Executive about any changes and improvements needed to the Ministry’s information systems security.
Timeframes and reporting
Phase One - The objective is that Phase One of the review will be completed within two weeks.
Phase Two - The timeframe for the completion of Phase Two of the review will be determined following completion of Phase One.
The reports on both phases of the review will be made publicly available.
The role of the Steering Group is to provide independent oversight of the review and advice to the Chief Executive.
The Steering Group will consist of external stakeholders. The members are:
· James Ogden – Independent Chair
· Erik Koed – Assistant Commissioner, State Services Commission
· Stuart Wakefield – Director, Office of the Government Chief Information Officer
· Katrine Evans – Assistant Privacy Commissioner (Observer)
In addition, the following people will attend and participate in the Steering Group.
· Murray Jack – Independent Reviewer
· Brendan Boyle – Chief Executive