The WINZ data fiasco - a symptom of "driving change for lower cost"?

by Toby Manhire / 15 October, 2012
On the government's ICT strategy, and the high-level security guidelines ignored - published by guess who?


When the Ministry of Social Development magazine Rise (PDF) cheered the roll-out of self-service kiosks at Work and Income branches across the country, enthusing that "the distinctive blue kiosks allow people to help themselves", I don't think they anticipated quite the extent to which that was true.

The consensus is building that the revelations around the information security at the MSD, as exposed by Keith Ng's journey into a WINZ kiosk computer, point to a systemic failure.

Coming days will reveal, no doubt, whether the Swiss-cheese-shaped MSD system, which permitted Ng to browse relatively effortlessly through private information (invoices, mostly) on the network, has been brought on by corner-cutting – and, indeed, whether that is systemic.

But it’s worth noting for the moment that the “Government ICT directions and priorities” (in their words “a medium-term strategy for how central government will more collectively lead the use, development and purchasing of government ICT over the next three years”) is underpinned explicitly – as explicitly as in the project’s logo – by, first, “driving change for lower cost”.



It’s not, however, as though there isn’t plenty of helpful material out there for the people putting together the information systems.

Did the nincompoops responsible for overseeing the Ministry of Social Development’s network not, for example, consult the New Zealand Information Security Manual?

The Manual, an exhaustive 300-page guide (it’s here in PDF, if you’re looking for bedtime reading), is introduced thus:

Effective information, systems and cyber security is fundamental to the management of many of the challenges facing government, underpinning public confidence and vital for the effective, efficient and safe conduct of public business. The Prime Minister and Cabinet delegate responsibility for security to Chief Executives and heads of government departments and agencies. Security is, however, the responsibility of everyone.


The New Zealand Information Security Manual (which abbreviates to NZISM, sounding suspiciously like a nationalistic point of view) is the national baseline technical security policy, describing baseline and minimum mandatory technical security standards for government departments and agencies.


And along the way it includes the following:

Vulnerability analysis strategy


Agencies should implement a vulnerability analysis strategy by:


• monitoring public domain information about new vulnerabilities in operating systems and application software


• considering the use of automated tools to perform vulnerability assessments on systems in a controlled manner


• running manual checks against system configurations to ensure that only allowed services are active and that disallowed services are prevented, and


• using security checklists for operating systems and common applications.


Conducting vulnerability assessments


It is recommended that agencies conduct vulnerability assessments on systems:


• before the system is first used


• after a significant change to the system, and


• as specified by an ITSM or the system owner.


Resolving vulnerabilities


Agencies should analyse and treat any security risks to their systems identified during a vulnerability assessment.


Vulnerability analysis strategy


While agencies are encouraged to monitor public domain information for vulnerabilities that could affect their systems, they should not remain complacent if no specific vulnerabilities relating to deployed products are disclosed.


In some cases, vulnerabilities can be introduced as a result of poor cyber security practices or accidental activities within an agency. As such, even if no new public domain vulnerabilities in deployed products have been disclosed there is still value to be gained from regular vulnerability analysis activities.


One final thing. The publisher of the New Zealand Information Security Manual? The – ahem – Government Communications Security Bureau.