The Ministry of Social Development is set to roll out new public computers from May next year to replace the kiosks closed after a security hole was revealed in October, but has promised to tighten up its information security before that happens.
The MSD's chief executive Brendan Boyle announced new workstations were on the way when he released the second phase of a Deloitte report on MSD's information security systems today.
The Deloitte report was requested in October after blogger Keith Ng revealed Work and Income's public kiosks allowed access to some central office information, including confidential details and invoices.
The second part of the report was critical of the MSD's processes for handling security issues - a problem it said went across the department.
"While information security is considered in many parts of the organisation, approaches and tools are often informal or lack specificity. This places too much reliance on the capabilities of individual people." It recommended specifically assigning responsibility at a senior level and ensuring very clear processes were established.
Mr Boyle said the recommendations in the Deloitte report would be acted on as a priority - including appointing a new senior manager to oversee information security.
That position - Chief Information Security Officer - would be recruited within weeks and would be charged with ensuring personal information was adequately protected.
Mr Boyle said it was heartening that the Deloitte report found that there was no widespread problem with information security and no evidence of any other breaches of its systems.
He said MSD was in negotiations with a preferred supplier for new kiosks, which would be completely separate from the department's own systems and would be rigorously tested.
"I am sorry we won't have them up sooner, but it's essential we get this right."
The first phase of Deloitte's study was into the causes of the kiosk breach itself. It found the causes of the breach included a failure to build proper security into the system when it was first developed and a failure to act when that security hole was identified by computer audit company, Dimension Data. It said MSD needed to improve its policies and processes to ensure that such security risks were escalated to the appropriate people within the organisation swiftly.
Mr Boyle said that of the items downloaded by Mr Ng, there were invoices relating to 10 individuals which contained highly sensitive information. All of those had been contacted and MSD was continuing to work with them over any concerns.
He said an employment investigation into the handling of the Dimension Data report was still underway and involved four people.
He said about 75 of MSD clients already had access to the internet without needing the Work and Income offices - others were currently being directed to use other public computers, such as those in libraries.
Privacy Commissioner Marie Shroff called for leadership from the top to ensure MSD staff were working together.
"It's not enough for individual employees to be trying to factor in privacy and security of client information.
"Senior managers must recognise that the way we manage those systems now needs to evolve too."
Ms Shroff said MSD was a "mega-store" of personal details and could be leading the way for innovative information holding and handling.
Green Party income support spokeswoman Jan Logie said the report was another reminder of how crucial it was for the Government to treat the privacy of individual people with respect.
"Respect for privacy must be led from the top."
The two reports from Deloitte have cost the Government $450,000.
The findings -
- Current governance arrangements do not explicitly consider information security.
- Lack of coordination between different teams dealing with information security.
- No enterprise-wide approach to information security risk management.
- No specific operational targets or performance measures for information security.
- No clarity on where MSD stands in relation to Government security standards.
- Information and security governance and responsibility on projects is not well-formed.
- Insufficient requirements to consider information security within the project lifecycle.
- Insufficient information security expert involvement in projects.
- Education on security principles and practices relevant to project-related activities is inadequate.
- No consistent project security risk evaluations.
The recommendations -
- Assign deputy chief executive level leadership and accountability for information security.
- Integrate information security into strategic planning and performance monitoring.
- Improve information security risk management, control and assurance approach.
- Establish more explicit information security review points.
- Provide more guidance on information security in the existing project documents.
- Enhance project management and delivery.

By Claire Trevett