MSD releases terms of reference for Deloitte investigation

The Ministry of Social Development has released the terms of reference for Deloitte's investigation into MSD's kiosk security, and the ministry's computing security in general.

The review will be led by Deloitte chairman Murray Jack, backed by a steering committee with members from the State Services Commission, the Privacy Commissioner's Office, and the Department of Internal Affairs.

It will be conducted in two phases. The first phase will include an investigation into the establishment of the kiosk system in WINZ branches, and the actions taken following a security report produced by Dimension Data in April 2011, which exposed flaws in the system.

In the second phase, Deloitte will review MSD's wider IT security and privacy setup, including its systems and policies.

The ministry has given a timeframe of two weeks for the completion of phase one, with the timeframe for phase two to be determined once the first is completed.

Recommendations will be included in a publicly available report once the investigation is completed.

Computerworld has asked for clarification on the expected cost of Deloitte's investigation to taxpayers.

Daniel Ayers, computer forensics expert and former Deloitte senior manager, says the cost is likely to be significant for minimal return.

Full terms of reference:

TERMS OF REFERENCE

Independent Review of the Ministry of Social Development’s Information Systems Security


17 October 2012


The Chief Executive of the Ministry of Social Development (the Chief Executive) has commissioned an independent investigation into the security breach that occurred through the Ministry’s self-service kiosks at two Work and Income service centres, which compromised privacy.


The review will be carried out by Deloitte and will be led by Murray Jack, Chairman, Deloitte (the Independent Reviewer).


A Steering Group, with external stakeholders, including the Office of the Privacy Commissioner and Office of the Government Chief Information Officer, has been set up to provide independent oversight of the review.


This review will take into account the recently announced review of publicly accessible systems by the Government Chief Information Officer.


Objectives of the review

The objectives of the independent review are to address the questions raised about the security of the Work and Income self-service kiosks focusing on what happened, why it happened, the lessons learned, and the actions the Ministry needs to take to address any security issues raised.


The review will also assess the Ministry’s wider information systems security including the policies, governance and culture, and will make recommendations about the actions needed to be taken to restore and increase public confidence in the Ministry’s information systems security.
The review will happen in two phases.


Phase One – Matters in scope

The first part of the review will investigate the circumstances and causes of the kiosk security breach which compromised privacy, focusing on:

• The establishment and operation of the self-service kiosks in Work and Income service centres, including:
    the work done to ensure appropriate information security was put in place at the time that the kiosk infrastructure and services were designed and built;
    the independent testing done to ensure the security was operating as designed; and
    the Ministry’s response to any security issues identified during the testing.
• Information provided to the Ministry by third parties raising security concerns about the kiosks and the appropriateness and effectiveness of the Ministry’s response to these concerns.
• The appropriateness and effectiveness of the Ministry’s response to the security breach.


Phase Two – Matters in scope

The second part of the review will assess the appropriateness and effectiveness of the Ministry’s wider information systems security, particularly publicly accessible systems, and including the policies, governance, capability and culture.
The review will identify any lessons learned and make recommendations to the Chief Executive about any changes and improvements needed to the Ministry’s information systems security.


Timeframes and reporting

Phase One - The objective is that Phase One of the review will be completed within two weeks.
Phase Two - The timeframe for the completion of Phase Two of the review will be determined following completion of Phase One.
The reports on both phases of the review will be made publicly available.


Governance

The role of the Steering Group is to provide independent oversight of the review and advice to the Chief Executive.
The Steering Group will consist of external stakeholders. The members are:
• James Ogden – Independent Chair
• Erik Koed – Assistant Commissioner, State Services Commission
• Stuart Wakefield – Director, Office of the Government Chief Information Officer
• Katrine Evans – Assistant Privacy Commissioner (Observer)


In addition, the following people will attend and participate in the Steering Group.
• Murray Jack – Independent Reviewer
• Brendan Boyle – Chief Executive
Comments
Subcontractors to MSD's Information Security Missing from the Terms of Reference
The way private information is exchanged with service providers, eg VEDA, needs a total review and this is a big one. All this private information held by untold numbers of external organisations not accountable to anyone except their shareholders. What Information Security requirements are enumerated in agreements between MSD and providers? How are these audited and reviewed?
Posted by Geoff Fellows at 10:29:30 on October 19, 2012


Yet another whitewash
What a waste of time, taxpayers' money & trees. Gotta love the governance structure for the 2 stage inquiry - can just see the glowing $$$ signs in the Deloitte chairman's eyes.

I don't think anyone will be held accountable - ex-staff / lack processes and governance will be blamed. After all the current-CE has only been there about a year.
Posted by ex-MSD staffer at 13:37:15 on October 18, 2012


History of not taking action
Over the past few years many reports have been written for MSD by security experts and auditors both internal and external. Many recommendations have been made, few changes were made. Unlikely that Deloitte will report anything that hasn't been said before, but hopefully now action will be taken. From bad comes good.
Posted by Anonymous at 11:05:36 on October 18, 2012


What about the wider security implications?
The WINZ network has been wide open to information harvesting for two years? Where is the analysis of the broad whole of Government security issues this has caused?

Basically anything that was visible on the WINZ network, or associated trusted networks, must be considered compromised (as Matthew Poole pointed out). We know that probably included domain passwords.

Where the hell is the analysis of the biggest breach to NZ Govt IT ever and the wider implications to WINZ, MSD and other Govt orgs e.g. CERA, that have linkages to the WINZ network.

In military terms, where is the Bomb Damage Assessment?
Posted by John Holley at 20:05:20 on October 17, 2012


Guessing Game
Anyone want to hazard a guess of the hourly rate for the chairman of Deloitte... I'd suggest not starting low.
Posted by Anonymous at 19:40:39 on October 17, 2012


Great
So, Murray Jack has a Bachelor of Commerce and Administration. In which part of that did he learn ANYTHING about securing IT systems?

I'm sure he'll write a lovely paper full of fluff and nonsense, which MSD's senior pencil pushers will point to as evidence that they are Doing Something (TM) about the issue.

What a pile of bullshit
Posted by Anonymous at 16:42:47 on October 17, 2012


Great
And exactly how were they appointed? Was this through normal procurement or is Murray just chummy with someone important? Don't get glorified accountants doing IT - never works.
Posted by Anonymous at 22:52:52 on October 17, 2012


Great
Getting someone to produce a copious amount of paperwork for a truck load of money.... and for something that could be summarised in a few bullet points... why not a bunch of bean counters.

I expect there will be some poor scapegoat in the bowels of the IT dept that gets blamed and booted. Either that, or someone in the echelons will get a golden handshake.
Posted by Anonymous at 8:58:13 on October 18, 2012


Great
LOL.... hurray for govt departments!
Posted by Anonymous at 8:59:33 on October 18, 2012


Great
While I agree with you the end result will be a nice multi-million dollar whitewash, you do realise it won't be Murray Jack who'll *actually* do the reviewing? His name will be on the paper to give it that extra little bit of prestige needed to charge the big bucks.
Posted by Anonymous at 16:45:21 on October 17, 2012
