An investigation has cleared the Ministry of Social Development (MSD) of
widespread security flaws in its computer systems, but other issues have been
identified in its approach to security.
MSD ordered an investigation in October after blogger Keith Ng revealed that
public computer kiosks in Work and Income offices could be used to access
sensitive information, including details of children in care, foster parents,
lists of debtors and the name of a person who committed suicide.
The first phase of a report by Deloitte, released last month, found security
was not adequately designed into the kiosk project, and problems identified by
penetration testing were not adequately escalated or followed up.
The second phase of the report, released by MSD on Thursday, says the same
issues around security and follow-up were not evident across the ministry,
although its escalation processes need to be improved.
At the time the kiosks were tested, MSD's policies and processes didn't
require all security risk exposures to be escalated to management level - and
that remains an issue across the ministry.
The report says there are also other weaknesses in MSD's approach to security
that pose a risk, although "these weaknesses are not unusual for New Zealand
It recommended assigning leadership and accountability for information
security at a senior level - prompting MSD chief executive Brendan Boyle to
announce a new senior management position of chief information security officer.
The new role will support the implementation of all of the recommendations
from the two Deloitte reports, with recruiting to begin within the next few
weeks, Mr Boyle said.
Mr Boyle also announced on Thursday that MSD is negotiating with a preferred
supplier to replace the computer kiosks with workstations "completely separate"
from the ministry's IT systems.
"The workstations will only be introduced once we're satisfied that they are
as secure as possible. All going well, we aim to roll them out from May next
year," he said.
MSD is also taking part in a review of all publicly accessible computer
systems in the public sector, which was sparked by the kiosk flaw.