BreachExchange mailing list archives

Second Deloitte report into MSD security breach 'brutal' - Keith Ng


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Thu, 6 Dec 2012 18:04:49 -0500

http://www.nbr.co.nz/article/second-deloitte-report-msd-security-breach-brutal-keith-ng-ck-133590

"Pretty brutal" is how blogger Keith Ng describes the Deloitte report
on Phase II of its investigation into the Ministry of Social
Development kiosk security breach.

Deloitte's Phase I report focused specifically on the MSD security gap
first publicised by Mr Ng (public computer kiosks at WINZ allowing
wide-ranging access to client and commercially sensitive files on the
ministry's network).

Phase II of the independent investigator's assessment looked at
whether the breach was symptomatic of governance, cultural and
technical problems across the MSD.

Privacy Commissioner: good - but when?
“The Deloitte report on MSD makes it very clear that there is a need
for strong leadership by senior management on the way client
information is handled within MSD,” said Privacy Commissioner Marie
Shroff.

Ms Shroff said she was pleased MSD had pledged to act on the report's
recommendations. But, she added pointedly, she looked forward to a
timeline.

Security czar
The report notes that while the Government Communications Security
Bureau (GCSB) and other agencies lay down information security
guidelines, the MSD has no process to assess if they are being met.

In response, the ministry has pledged to appoint a chief information
security officer, with recruitment to begin "within the next few
weeks."

Chief executive Brendan Boyle says the person who fills the new role
will be in charge of implementing the recommendations in Deloitte's two
reports, and have ongoing responsibility for information security.

The Phase II report says no evidence was found of the security breach
identified by Mr Ng (and first identified by Ira Bailey) being
exploited by others.

Only lip-service to information security
Mr Ng told NBR ONLINE, "The key findings [on pages 15 - 17 of the
report in RAW DATA, below] clearly point to a governance problem."

Management wasn't thinking about information security, Mr Ng summarises.

"There were no KPIs [key performance indicators] or organisation-level
policies around information security.

"They didn't have enough infosec people to service the whole
organisation, and the visibility of their work was 'limited'.

"MSD's spin is focused on the fact that problems identified in the
first report are not widespread. But those problems only existed
because the governance at ministry never paid more than lip-service to
information security," Mr Ng says.

Overall, he's relatively satisfied with the way things have turned out.

"It's a pretty brutal report, and I think it addresses the governance
issues beyond the four employees who are under the gun," Mr Ng says.

Why nobody noticed the screw up
Mr Ng told NBR the first Deloitte report was honest and reasonable,
but left the big question, Why was Dimension Data's April 2011 report
on kiosk security holes ignored?

Did he feel it was answered by the independent investigator's second
installment?

"Partly. We still don't know the details of what those four employees
did, but I think the governance issues highlighted in the report
explain why those guys screwed up, and why nobody noticed," Mr Ng
says.

Following Deloitte's Phase I report, which criticised the MSD for
ignoring a report by Dimension Data that identified security problems
with the kiosks, four ministry staff face employment investigations.

Yesterday, the ministry said findings from the Phase II report would
be used in the ongoing investigations into the four staff.

The MSD said the two Deloitte reports had cost around $450,000.

A separate Internal Affairs investigation into all public-facing
government computer systems continues.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list