Report: MSD security flaws not widespread
An investigation has cleared the Ministry of Social Development (MSD) of widespread security flaws in its computer systems, but other issues have been identified in its approach to security.
MSD ordered an investigation in October after blogger Keith Ng revealed that public computer kiosks in Work and Income offices could be used to access sensitive information, including details of children in care, foster parents, lists of debtors and the name of a person who committed suicide.
The first phase of a report by Deloitte, released last month, found security was not adequately designed into the kiosk project, and problems identified by penetration testing were not adequately escalated or followed up.
The second phase of the report, released by MSD on Thursday, says the same issues around security and follow-up were not evident across the ministry, although its escalation processes need to be improved.
At the time the kiosks were tested, MSD's policies and processes didn't require all security risk exposures to be escalated to management level - and that remains an issue across the ministry.
The report says there are also other weaknesses in MSD's approach to security that pose a risk, although "these weaknesses are not unusual for New Zealand organisations".
It recommended assigning leadership and accountability for information security at a senior level - prompting MSD chief executive Brendan Boyle to announce a new senior management position of chief information security officer on Thursday.
The new role will support the implementation of all of the recommendations from the two Deloitte reports, with recruiting to begin within the next few weeks, Mr Boyle said.
Mr Boyle also announced on Thursday that MSD is negotiating with a preferred supplier to replace the computer kiosks with workstations "completely separate" from the ministry's IT systems.
"The workstations will only be introduced once we're satisfied that they are as secure as possible. All going well, we aim to roll them out from May next year," he said.
MSD is also taking part in a review of all publicly accessible computer systems in the public sector, which was sparked by the kiosk flaw revelation.