MSD to appoint chief information security officer

Second phase of Deloitte report into kiosk security failure released today

The Ministry of Social Development will appoint a chief information security officer following the second phase of the Deloitte report on its security, says chief executive Brendan Boyle.

“I am creating a new senior management position of chief information security officer to support the implementation of all of the recommendations from the two Deloitte reports.

“This role will report directly to the deputy chief executive, people, capability and resources, and I have formally assigned information security management to that deputy chief executive to provide a single point of responsibility for driving information security activity across the ministry.”

Boyle also says MSD is negotiating with “a preferred supplier” for new client self-service workstations to replace the kiosks that were the site of the original security breach that sparked the two reports. Those workstations will be completely separate from the ministry’s own IT systems, Boyle says.

The second phase of the Deloitte report at the Ministry of Social Development, following the major kiosk security breach, has found general weaknesses in the Ministry’s governance and management of information security.

Furthermore, the consultancy says such failings are not uncommon in other organisations.

“Information security is not explicitly considered within existing governance arrangements” at MSD, Deloitte says. “For example, executive-level strategic planning and performance monitoring does not include information security. Therefore the planning and monitoring activities that occur are difficult to link back to overall strategic objectives, inconsistent, and difficult to prioritise.”

There is no enterprise-wide approach to information security risk management in MSD, the report says. “Some appropriate elements are in place (such as processes, frameworks and work practices) but these have not been consolidated and expanded to provide a cohesive and comprehensive set of guidance and tools.”

There are, moreover, no specific performance measures in information security. This means “there is no structured basis for establishing the return on investment for information security activities, which makes it more difficult to make robust value-for-money decisions on resources committed to such activities,” the report says.

While there are a number of security standards in government, such as the New Zealand Information Security Manual, issued by the Government Communications Security Bureau, “there are no existing processes [at MSD] to mandate compliance on any aspect of these standards.”

Failings have been found in both the day-to-day operation of the ministry’s ICT and in the process for development of specific projects, three of which Deloitte examined.

“In our experience, these weaknesses are not unusual for New Zealand organisations,” Deloitte says. “In isolation, each weakness does not present a high level of risk, and our findings do not suggest that the degree of risk within the ministry is higher than within many similar organisations.”

The report recommends assigning leadership and accountability for information security at deputy chief executive level. “This will formally assign information security management to the appropriate senior level within the organisation and provide a single point of responsibility for driving information security activity across the ministry,” Deloitte says.

Meanwhile a broader investigation of security in all government ICT systems is still under way, under Government CIO Colin MacDonald.

Comments
Current CIO Why isn't the current CIO doing his job? And have we even heard from him?
Posted by Anonymous at 15:45:05 on December 10, 2012

I get it Expensive scapegoat.
Posted by Anonymous at 12:42:04 on December 10, 2012

MSD IT Spend Do we really need another C level salary in a division of 400 people? Do the Maths if the average wage is only $70k (I've heard it is higher!) we are spending a lot of taxes keeping all these people paid. That is without contractors and consultants.
Posted by Gregor at 11:48:08 on December 10, 2012

Get real Hire the right person as CIO. Let the CIO report to the CEO. Problem solved. Where is Neal Miranda?

Posted by Anonymous at 9:51:53 on December 7, 2012

Get real CIO generally is about 3 rungs down the ladder these days in government
Posted by Anonymous at 13:04:26 on December 10, 2012

re: Get real Ha ha ha... I've been waiting for someone to bring his name into this.

FYI, CIO != CISO... Different jobs, different accountability.
Posted by Bill at 10:42:54 on December 10, 2012

Get real Hello Neal
Posted by Anonymous at 16:06:03 on December 7, 2012

The Pig is wearing lipstick - hip hip hip hoorah Appointing a Chief Information Security Officer seems like a good move and will ultimately help MSD moving forward. Perhaps in the wider government context there needs to be a community (one of many) to enable the sharing of challenges across Government and help build knowledge and expertise. It would be easy to critique the report, but the ultimate goal should be to help make the world a better place? Let's face it, the NZ government IT infrastructure is creaky in a number of places and is lacking investment. The challenge is to make every investment count in terms of outcomes, productivity and value for money? Commissioning reports like this, together with all the other churn created to support its production do not represent value for money for the taxpayer and any continuing lack of leadership will only make these sort of costs increase?
Posted by at 8:11:05 on December 7, 2012
