The public service needs to “raise its game” on information security and privacy, says State Services Commissioner Iain Rennie, following the publication of a report into publicly accessible government information systems.
“Citizens have a right to expect government agencies will protect their personal information and we need to work harder to maintain that trust,” he says.
The review found 12 systems out of 215 across 70 agencies had weak points in their security. This included the Department of Corrections prisoner kiosks at Mt Eden Prison, which allowed access to a small number of external websites; this issue has since been resolved.
Measures were quickly put in place “and the systems are now secure”, says Government CIO Colin MacDonald, who was in charge of surveying the public systems’ privacy and security. The survey found:
- Formal security standards and procedures were lacking in 73 percent of the agencies surveyed;
- 87 percent did not have formal security certification and accreditation processes for their ICT systems;
- 73 percent had “no formal robust security management processes”;
- 67 percent “had not performed a security assessment on their systems” and
- 97 percent “had not assessed compliance with government-mandated standards.”
Many security and privacy processes were “undefined, informal or undocumented and often relied on the skills and abilities of individual people,” MacDonald says. A plan of action has been started to ensure best-practice standards are achieved.
However, implementation of measures to bring security and privacy up to standard will remain largely the responsibility of the individual agencies and their chief executives will remain the point of accountability.
It is impractical to issue blanket security directives to cover all agencies, because every agency has to judge its own level of risk, MacDonald says.
“All computer systems are in place to enable us to do our job in an efficient and an effective way. We provide a very disparate set of services and the risks are different within agencies,” MacDonald says.
“I think it’s quite dangerous to sit at the centre and set absolute standards for everyone.” Rather, chief executives should make “active decisions about how they’re going to manage those risks within the agencies,” he says; “they’re best placed to make that decision.”
Despite some recent privacy breaches occurring through erroneous autocomplete of an email address, he would not even countenance the issuing of a general directive banning the use of autocomplete on addresses, he says; though some agencies have independently decided to remove the facility.
However, some measures have been implemented generally: “We put in place a requirement that all new systems, before going live, have to have a formal privacy and security assessment,” MacDonald says.
A “privacy leadership programme” led by Statistics NZ has developed and published a “toolkit of privacy resources” and the Department of Internal Affairs has asked ICT security firms to put themselves up for membership of a special-purpose panel to provide security services across all of government.
The immediate exercise is focussed on publicly accessible systems, such as the Ministry of Social Development’s kiosk terminals, found last year to be capable of allowing access to confidential files; but much of the standards-raising exercise will obviously be more broadly applicable to safeguarding other systems, MacDonald says.
Lack of security is not simply a technical problem, he says: “We’ve been relying too heavily on our IT professionals and IT vendors,” and dealing predominantly with only one of the three layers of security risk mitigation – the technical layer. The other two layers that will now be given more attention are leadership – increased awareness and control of risk from senior-executive level – and independent quality assurance.
“It’s not a technology issue; it’s a risk management issue that leaders must address,” says MacDonald.
An assessment on the security of the kiosks during their development identified problems, but the advice did not reach management of an appropriate seniority to initiate action.
Under the present programme, by the end of July agencies are expected to have completed security testing and have provided the GCIO “a statement of capability on their actions to date; high-level details about their ongoing improvement programme; confirmation that they have undertaken all of the actions required of them and a plan to address any vulnerabilities identified through assessments,” says briefing material on the report.
By the end of September the GCIO will report to the State Services Commissioner and then to ministers on initial security and privacy improvements. There will be an annual report on the improvement programme for two years.
The improvement is especially crucial, Rennie says, given the increasing role that government plans to make of the online channel in its dealings with citizens.