Dimension Data kiosk report released
A security report warning the Ministry of Social Development last year of potential failings in its WINZ kiosks has been released under the Official Information Act.
The OIA request was made by Josh Levent on fyi.org.nz - a site which facilitates public freedom of information requests. Levent asked MSD to release all documents relating to security assessments of its systems. Although the much publicised Dimension Data report was released on 16 November, Levent says his request has not been met.
“Since I requested all reports containing a review of MSD Information Security in the past five years, am I to conclude that this is the only report relating to information security in the past five years in the entire Ministry?” writes Levent on fyi.org.nz.
Security-Assessment.com (SA), which is owned by Dimension Data, conducted a review of MSD’s public facing kiosks in April 2011.
It produced a report for the MSD later that month which highlighted the lack of separation between the public facing computers and the ministry’s corporate environment as a “critical” vulnerability.
SA recommended the immediate separation of the kiosks and network using a firewall appliance, and further minimising the interaction between the kiosks and MSD’s network.
This vulnerability was exploited by journalist Keith Ng, who was able to gain access to restricted files on MSD's network. It was later revealed that organisations with which MSD has a shared IT services agreement, like CERA and the Children's Commissioner's Office, were also susceptible to having their files accessed.
MSD has not released any information on how many people were able to access these files in the months following the SA report.
Last month MSD CEO Brendan Boyle admitted the ministry was warned by Dimension Data of the security faults, and may have failed to act on that information.
That said, governance around IT projects is very weak in the state sector (and quite possibly beyond) because IT business analysts have a startling ability to write up the solution before defining the problem coupled with a range of functional managers (the supposed clients cum owners of these solutions) who have no concept of what the business process they manage is in terms of the underlying business transaction and where both parties (managers and the BAs) have not been subject to consistent performance focussed review. Having performed this oversight function for 10 years it can take a while to get answers that are not defensive or self-serving.
I'm surprised this has been the worst of MSD's problems.
Posted by Anonymous 3 at 13:47:32 on November 22, 2012
I have never come across this in my experience (nearly 20 years as an ICT Business Analyst in NZ for large organisations). BAs produce Requirements Documents and Solution Designers / Architects produce Solution Documents.
Posted by Anonymous at 15:45:50 on November 22, 2012
The issue I was trying to highlight is the lack of robustness (read as blinkered perspective or narrowness of thought) around the problem definition - which then results in a solution that quite often does not address the real problem i.e. the problem re-manifests as something else.
Posted by Anonymous 3 at 14:05:34 on November 23, 2012
As a senior manager in the NZ Public IT Sector - I have experienced many long standing personnel more motivated about getting a salary raise and promotion than delivering on the job and focusing on end results.
These are unspoken and difficult issues that need to be addressed forcefully?
There needs to be a lot more transparency, it will be interesting to see how many 'affected employees' were in receipt of compensation payments in excess of 100%?
In summary, the public sector needs to go through a very tough transformation - too many are just coasting and taking the money, various mafias also need to be eliminated.
Posted by Anonymous at 10:30:53 on November 22, 2012
Posted by Dave at 12:57:07 on November 22, 2012
Posted by Anonymous at 10:20:09 on November 22, 2012
Posted by Anonymous at 10:34:12 on November 22, 2012
One point that is made in the report is that from February 2011 over 120 of MSD's IT staff and management were seconded to the rebuilding of systems to help out in Christchurch. This point is not laboured in the report, but anyone who was remotely involved in things EQNZ and CERA will know what a major and important distraction that would have been in many ways.
MSD have been nicely transparent over this issue, which is a credit to the CEO.
Posted by DonChristie at 17:51:25 on November 21, 2012
Posted by Anonymous at 8:43:54 on November 22, 2012
Posted by Anonymous at 18:06:52 on November 21, 2012