Privacy Commissioner Marie Shroff says following a survey of government agencies’ use of personal storage devices (PSDs) such as USB memory sticks, individual agencies will be approached with their own responses and asked what they intend to do to tighten up security.
“In some cases my office will have a discussion with the agency, but we have extremely limited resources,” she says, so it will be more efficient to persuade the agencies to think of their own remedies.
A second survey will be conducted in about a year. This will monitor changes in the answers to the first survey’s questions and may add others in the light of intervening conversations.
Feedback has not been slow in coming from government agencies that have specific expertise in this aspect of security, as well as from private companies, the media and individuals. Suggestions for remedies even came from the audience at the formal launch of the findings in Christchurch, Shroff says.
The survey showed that only nine of the 37 agencies that responded made encryption of PSDs mandatory, and 43% did not provide an encryption solution of any sort. Sixty-two percent kept a register of PSDs, but only 22% said they would be able to track what data had been transferred to them. A register records which devices an agency has issued, not what has been copied onto them, which is the question that matters when a device goes missing.
All agencies but one had responded by last week, she says; the last was a small department and was experiencing “technical problems” in gathering the information. “I’m disappointed that some of them needed reminding.”
The agencies were divided into three groups: those that hold a large amount of personal information on individuals, such as the Ministries of Social Development, Health and Education, the ACC and IRD; those like the Ministry of Defence, the Department of the Prime Minister and Cabinet and the Security Intelligence Service, which hold formally “classified” information; and others, such as the Department of Conservation, which fall outside those two classes but may still hold information best not publicly released.
It is “particularly concerning”, the Commissioner says, that some agencies with the least satisfactory protection of PSDs were from the first group, those she describes as “flagship departments that hold the personal details of thousands of ordinary New Zealanders”. She declines to identify the worst offenders specifically, “but you can draw some conclusions from what I’ve said”.
Asked whether there was scope for some central imposition of standards, Shroff says “at a general governance level that’s not the way things work”. Since the public service reforms of the 1980s, accountability has firmly lain with the individual agencies and their chief executives.
However, reminded of some all-of-government standards such as those for websites, Shroff acknowledges that “we might look at the possibility of central standards. I’m not undertaking to do that, but it is a definite possibility and one thing I might discuss with the State Services Commissioner”, she says.
A State Services Commission spokesman says despite the commission’s role in all-of-government standards, it does not enforce or promulgate standards for the handling of PSDs. He referred Computerworld to the Government Communications Security Bureau.
GCSB says there are standards for PSD handling in its ICT security manual, NZSIT402 (at www.gcsb.govt.nz/newsroom/nzsits/nzsit-402-feb08.pdf). We were referred specifically to sections 2.4.74 and 2.4.75. These actually deal with personal digital assistants, which present an overlapping but different set of problems. The guidelines for PDAs state that they must have a power-on password and must have “agency approved anti-virus and anti-malware software enabled”, requirements that are difficult if not impossible to apply to passive PSDs such as memory sticks, which have no operating system on which such software could run.
More relevantly, “PDAs operating above the unclassified level”, that is with even the lowest grade of confidentiality, “must have GCSB-approved encryption enabled to protect information stored on the PDA”.
Asked whether the GCSB intended to strengthen or re-emphasise the standards in the light of the survey results, spokesman Hugh Wolfensohn says merely that the standards are under constant review.
The Privacy Commissioner’s office has not had any complaints that bear directly on loss of data on PSDs, but agencies have voluntarily disclosed failings of this kind, “and I’m pleased they’re doing that,” Shroff says.
Only last week, she says, someone told her that he had given a presentation to staff of a large government department and had been handed, by mistake, a memory stick containing departmental information instead of the one containing his presentation.