Dimension Data kiosk report released

Report warning of potential failings in the WINZ kiosks is released under official information act

A security report warning the Ministry of Social Development last year of potential failings in its WINZ kiosks has been released under the Official Information Act.

The OIA request was made by Josh Levent on fyi.org.nz, a site which facilitates public freedom of information requests. Levent asked MSD to release all documents relating to security assessments of its systems; although the much publicised Dimension Data report was released on 16 November, Levent says his request has not been met.

“Since I requested all reports containing a review of MSD Information Security in the past five years, am I to conclude that this is the only report relating to information security in the past five years in the entire Ministry?” writes Levent on fyi.org.nz.

Security-Assessment.com (SA), which is owned by Dimension Data, conducted a review of MSD’s public facing kiosks in April 2011.

It produced a report for the MSD later that month which highlighted the lack of separation between the public facing computers and the ministry’s corporate environment as a “critical” vulnerability.

SA recommended the immediate separation of the kiosks and network using a firewall appliance, and further minimising the interaction between the kiosks and MSD’s network.
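The recommendation above is a network segmentation control: traffic from the public kiosks must pass a firewall that denies reaching the corporate environment and permits only what the kiosks actually need. The following is an added illustration, not code from the report or from MSD, of how a defender can model and audit such a policy before deploying it on a firewall appliance. All addresses (a kiosk VLAN, a corporate subnet, a kiosk portal host) are constructed placeholders; the "flat" policy represents the unseparated state the report flagged, and the "segmented" policy represents the recommended separation with a default deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A firewall rule evaluated first-match; dport None means "any TCP port".
@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # CIDR source network
    dst: str             # CIDR destination network
    dport: Optional[int] = None

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (
            ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
            and (self.dport is None or self.dport == dport)
        )


def decide(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "deny"


# Constructed placeholder networks (not MSD's real addressing).
KIOSK_VLAN = "10.99.0.0/24"      # public-facing kiosks
CORP_NET = "10.10.0.0/16"        # ministry corporate environment
KIOSK_PORTAL = "10.20.1.10/32"   # the one web service kiosks need

# Unseparated state: kiosks and corporate hosts share one network, everything allowed.
FLAT_NETWORK: List[Rule] = [Rule("allow", "0.0.0.0/0", "0.0.0.0/0")]

# Recommended state: kiosks reach only the portal over HTTPS; everything else denied.
SEGMENTED: List[Rule] = [
    Rule("allow", KIOSK_VLAN, KIOSK_PORTAL, 443),
    Rule("deny", KIOSK_VLAN, CORP_NET),
    Rule("deny", KIOSK_VLAN, "0.0.0.0/0"),
]

# Constructed sample flows from a kiosk: SMB to a corporate file server,
# HTTPS to the portal, and HTTPS to the corporate file server.
Flow = Tuple[str, str, int]
SAMPLE_FLOWS: List[Flow] = [
    ("10.99.0.17", "10.10.5.20", 445),
    ("10.99.0.17", "10.20.1.10", 443),
    ("10.99.0.17", "10.10.5.20", 443),
]


def audit(rules: List[Rule], flows: List[Flow] = SAMPLE_FLOWS) -> Dict[Flow, str]:
    """Evaluate every sample flow against a policy and return the decisions."""
    return {flow: decide(rules, *flow) for flow in flows}


def kiosks_reach_corporate(rules: List[Rule], flows: List[Flow] = SAMPLE_FLOWS) -> bool:
    """True if any sampled kiosk flow into the corporate subnet would be allowed."""
    corp = ipaddress.ip_network(CORP_NET)
    return any(
        decide(rules, src, dst, port) == "allow"
        for src, dst, port in flows
        if ipaddress.ip_address(dst) in corp
    )


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED)):
        print(name, audit(policy), "kiosks reach corporate:", kiosks_reach_corporate(policy))
```

The point of the audit function is the check a practitioner wants before and after the change: with the flat policy every kiosk flow into the corporate subnet is allowed, with the segmented policy only the portal flow survives. The same flows, replayed against the real appliance's rule set, serve as a regression test that the separation is still in place.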

This vulnerability was exploited by journalist Keith Ng, who was able to gain access to restricted files on MSD's network. It was later revealed that organisations with which MSD has a shared IT services agreement, like CERA and the Children's Commissioner's Office, were also susceptible to having their files accessed.

MSD has not released any information on how many people were able to access these files in the months following the SA report.

Last month MSD CEO Brendan Boyle admitted the ministry was warned by Dimension Data of the security faults, and may have failed to act on that information.

Security-Assessment.com report:
Comments
Inaction on report That was a commissioned report, not, and this needs to be stressed, an opinion piece by SA. That means whoever commissioned the report should bear a large measure of the responsibility for not acting on the recommendations.

That said, governance around IT projects is very weak in the state sector (and quite possibly beyond) because IT business analysts have a startling ability to write up the solution before defining the problem, coupled with a range of functional managers (the supposed clients cum owners of these solutions) who have no concept of what the business process they manage is in terms of the underlying business transaction, and where both parties (managers and the BAs) have not been subject to consistent performance-focussed review. Having performed this oversight function for 10 years, it can take a while to get answers that are not defensive or self-serving.

I'm surprised this has been the worst of MSD's problems.
Posted by Anonymous 3 at 13:47:32 on November 22, 2012


Inaction on report You say: "IT business analysts have a startling ability to write up the solution before defining the problem".

I have never come across this in my experience (nearly 20 years as an ICT Business Analyst in NZ for large organisations). BAs produce Requirements Documents and Solution Designers / Architects produce Solution Documents.
Posted by Anonymous at 15:45:50 on November 22, 2012


Inaction on report I wrote as the reviewer and sometime approver of business cases as put forward by BAs. I got to deal with the holder of the pen: the BA.

The issue I was trying to highlight is the lack of robustness (read as blinkered perspective or narrowness of thought) around the problem definition - which then results in a solution that quite often does not address the real problem i.e. the problem re-manifests as something else.
Posted by Anonymous 3 at 14:05:34 on November 23, 2012


Public Sector Culture? It is often said around town that Civil Servants just keep the seat warm and contribute very little.

As a senior manager in the NZ Public IT Sector - I have experienced many long standing personnel more motivated about getting a salary raise and promotion than delivering on the job and focusing on end results.

These are unspoken and difficult issues that need to be addressed forcefully?

There needs to be a lot more transparency; it will be interesting to see how many 'affected employees' were in receipt of compensation payments in excess of 100%?

In summary, the public sector needs to go through a very tough transformation - too many are just coasting and taking the money, various mafias also need to be eliminated.


Posted by Anonymous at 10:30:53 on November 22, 2012


Public Sector Culture? Hear, hear. Well said.
Posted by Dave at 12:57:07 on November 22, 2012


Typical This was a clear report with clear actions needed. Unfortunately there are hundreds of these sorts of reports from suppliers trying to help out - security related and other ICT recommendations - all lying around government departments right now, getting ignored. Most don't get implemented. Reasons cited include lack of funds, other funding priorities, or just simply too much to do with too little staff; and most of the time blame goes to the govt for cutting budgets. More often than not though, it is quite simply a less than constructive attitude towards vendors trying to help. Too many govt. dept ICT teams sit back and play armchair critics with their suppliers, rather than work together with their suppliers. You can bet the internal response to this report was down to this issue..."DD just wrote a report to support them selling something new to us, but we know better, let's think about it" kind of attitude....
Posted by Anonymous at 10:20:09 on November 22, 2012


Typical Spot on. Attitude and culture of govt IT depts is the real problem here.
Posted by Anonymous at 10:34:12 on November 22, 2012


MSD Transparency The MSD has also placed the recent Deloitte report up on their website. It is well written and a lesson to all of us on how organisations, particularly large ones, can lose track of things.

One point that is made in the report is that from February 2011 over 120 of MSD's IT staff and management were seconded to the rebuilding of systems to help out in Christchurch. This point is not laboured in the report, but anyone who was remotely involved in things EQNZ and CERA will know what a major and important distraction that would have been in many ways.

MSD have been nicely transparent over this issue, which is a credit to the CEO.
Posted by DonChristie at 17:51:25 on November 21, 2012


MSD Transparency Yeah completely transparent like their network! Seems like transparency is their forte.
Posted by Anonymous at 8:43:54 on November 22, 2012


MSD Transparency It would be a better credit, if someone took responsibility.
Posted by Anonymous at 18:06:52 on November 21, 2012

