A formal evaluation of the security of the igovt identity system has been conducted and more evaluations are in process or planned, says the State Services Commission (SSC) in a reply to a Computerworld inquiry under the Official Information Act.
However, the SSC says no detail can be given of what types of security threats were considered or will be considered during the evaluations. The Commission acknowledges there are matters of public interest in favour of, as well as against, such a release, but considers the balance favours confidentiality.
The igovt Identity Verification Service (IVS) is the part of the government's authentication system to be used by the public when logging on to government systems.
The inquiry followed doubts cast by a University of Auckland researcher earlier this year on the thoroughness of the security evaluation, given the lack of publicly available information (Computerworld, February 16).
"We cannot find any security requirements analysis for igovt even though the security, as well as its importance in the services, was mentioned in both the key principles and [a] public consultation report," said Yu-cheng Tu and her supervisor Clark Thomborson.
Applications with demonstrated adequate security requirements are more likely to be trusted and accepted by the public, Tu and Thomborson said.
The duo's paper sketched the shape a security evaluation should take and specifically identified risks of identity theft, unauthorised matching of information on a user by government agency staff, and denial of service attacks that could disable the whole system.
Such a formal study was completed last year, says the SSC's reply, signed by senior communications adviser Marian Mortensen.
"In 2008 a formal threat and risk analysis for the igovt identity verification service was performed by a qualified (CISSP, CISM) internal security consultant. This exercise included security analyses of strategic, operational, technological and physical threats and risks, as well as recommendations on countermeasures and an assessment of residual risk in each of these areas," the letter states.
"As part of the Commission's ongoing risk management programme, the igovt Identity Verification Service is also currently undergoing a series of security assessments by third party experts. The first of these, a high-level design assessment, has recently been completed and included security expectations, a business process assessment and a vendor solution assessment.
"Three subsequent reviews are currently planned for the igovt identity verification service, including a detailed design security assessment, network vulnerability assessment and a pre-deployment assessment."
However, the letter did not provide a summary of the points covered in the analyses, citing a range of clauses under which the information was withheld.