New Zealand should appoint a chief information security officer to oversee efforts to keep government systems safe and provide a single point of reporting for vulnerabilities, according to the CEO of the Institute of IT Professionals, Paul Matthews.
Earlier this year Labour's Clare Curran revealed that an informant had alerted her to a security hole in a Ministry of Justice system. The government hit back over the disclosure of the flaw. Rose Percival, the Ministry's deputy secretary for organisational development and support, said there had been no threat to people's private information.
"This isn’t a member of the public inadvertently finding information. It appears to be about someone with IT skills deliberately trying to get into a Ministry IT system – the site where people apply to become licensed security guards," Percival said in April after Curran made the claim.
The incident followed revelations late last year that public computer kiosks provided by the Ministry of Social Development in Work and Income service centres were able to access private information on the ministry's network.
A review conducted by Deloitte found that security had not been adequately considered when the kiosks were designed, security holes discovered in April 2011 had not been addressed and that "risk management processes did not effectively escalate security exposures to management, nor ensure appropriate mitigating actions were taken".
Another review conducted in the wake of the kiosk affair under the auspices of government CIO, Colin MacDonald, found that many agencies had underdeveloped security processes.
The report, prepared last year but released in June, found that the "level of security management maturity across the state sector is lower than could reasonably be expected to provide the public with appropriate assurance about the safety of their private information". It found there were 13 government agencies "with potentially high priority unresolved vulnerabilities".
Things "really have been getting to the point where the public is saying that something's got to be done about it," Matthews said.
"Our view is we actually need government to step up and look at an all-of-government approach around the privacy and security," the IITP CEO added.
"That's why we're advocating a chief information security officer whose primary responsibility will be to set some standards across all of government in terms of both what should be in place, assessing what's actually in place, and also setting up ways that people can report vulnerabilities when they find them in an ethical disclosure manner."
After Curran was contacted about the Ministry of Justice's alleged vulnerability, police launched an investigation into the man who had contacted the Labour MP. Having a central point to report vulnerabilities could help prevent situations like this from arising, Matthews said.
"Currently every ministry and every department actually does their own thing, and reporting of vulnerabilities varies by department and the protections that they put in place around privacy of information vary quite significantly."
There's work on whole-of-government procurement efforts, "but as soon as you mention all of government from the policy side of things, the message is that they don’t like that approach," Matthews said.
"But the fact is, that's what we need to get the standard [of security] up."