A second report into the security breach which was discovered in public kiosks at the Newtown branch of the Ministry of Social Development has been released today. In response to the report, the Ministry is appointing a chief information security officer, and replacing the kiosks with workstations from a new supplier.
Statement from Ministry of Social Development
Chief Executive Brendan Boyle has welcomed the independent Deloitte Phase 2 Report into IT security, saying it is timely and constructive as we move to expand our online capability. Two primary causes of the kiosk security breach were that security was not adequately designed into the kiosk project and that exposures identified by penetration testing were not adequately escalated or followed up in that case.
“While there are matters that need to be addressed, I am reassured that the Phase 2 Report has found those issues are not widespread across the Ministry. From the scope of the work Deloitte did, there was also no evidence found to suggest that there were other breaches of the Ministry’s IT systems.
“This was a very wide ranging and thorough review. I wanted to be assured that our organisation’s culture and approach to privacy and security was robust,” said Brendan Boyle.
“I’m very pleased that the report has found that MSD does have a strong culture that values the importance of privacy and information security. This has meant that in general, good judgement has been applied when risks have been identified.
“Deloitte has found that we need to improve our policies and processes to ensure that information security risks are escalated to the right level in all cases. We also need to make explicit that information systems security is a critical part of all our IT projects and is an integral part of everyday business.
“I have made it clear to my leadership team that we are responsible for ensuring this occurs and that the protection of client information is at the forefront of all decision-making. We have already taken steps to make improvements in these areas and I am committed to implementing all the recommendations in the report.
“To that end I am creating a new senior management position of Chief Information Security Officer to support the implementation of all of the recommendations from the two Deloitte reports. We will begin recruiting for this role within the next few weeks.
“This role will report directly to the Deputy Chief Executive, People, Capability and Resources, and I have formally assigned information security management to that Deputy Chief Executive to provide a single point of responsibility for driving information security activity across the Ministry.
“Taking the two reports together, I’m confident we have provided a very thorough and effective response to this breach,” Brendan Boyle said.
“Implementation of the remaining recommendations is our priority, and I will also be reviewing any recommendations from the forthcoming GCIO report very closely so as to provide the New Zealand public with full confidence that their personal information is safe and secure in MSD systems.
“Lastly, I can confirm the Ministry has decided on a preferred option to replace the computer kiosks closed in October. We’re in negotiations with a preferred supplier for new client self-service workstations that will be completely separate from the Ministry’s own IT systems.
“The next stage will be proof of concept and rigorous testing. The workstations will only be introduced once we’re satisfied that they are as secure as possible. All going well, we aim to roll them out from May next year,” Brendan Boyle said.
Around 75 per cent of clients have access to the internet without having to use our services and the remaining clients are being supported to find jobs by their case managers and referrals to alternative internet services such as local libraries.
“I’m sorry we won’t have them up sooner, but it is essential we get this right,” said Brendan Boyle.