David Fisher at NZ Herald reports:
The security review into problems at the public computer kiosks run by the Social Development ministry raised identical problems to those exposed by a blogger 18 months later.
Keith Ng’s discovery of private information sitting on publicly-accessible hard drives was an almost exact match for the April 2011 report by a security company hired to find problems.
The security-assessment.com report found the connection between the corporate computers and public kiosks – planned for MSD offices across the country – was dangerous.
“This lack of separation means that the kiosk terminal has the same level of authority and access as corporate MSD employees.”
It went on to say it created an “inherent level of risk as it could allow for a member of public to gain access to MSD network resources and services”. …
The type of information at risk was also revealed in the April 2011 security report. It raised concerns about medical information, drug testing results and recorded calls to MSD’s helpdesk as being openly available.
It recommended taking “urgent” action to restrict access.
“A malicious user with access to the operating system of the kiosk is able to gain access to sensitive information kept with the MSD network including medical and drug test results,” it stated.
The review into the problem, released three weeks ago, showed senior managers were not told about the problem.
The April 2011 report was ignored until Mr Ng revealed the holes in MSD’s system.
The staff who were aware of this report and did nothing, clearly must be goneburger – subject to natural justice.
But that does not mean more senior managers are exempt. They may not have known of the recommendations in the report, but were they aware of the fact a report was commissioned? Or were they totally in the dark as to the fact there had even been an issue with the kiosks?
And even if they were totally in the dark, then the question for the senior managers is whether they had a risk reporting framework in place, which required risks such as those identified in the security report to be recorded in a risk register which is reviewed by senior management. If they did not have a comprehensive risk reporting framework in place, then they should consider their own positions.
It is possible that MSD did have a comprehensive risk reporting and mitigation framework in place, and the four staff involved just ignored it. If that is the case, then liability may stop with those staff directly involved. We won’t know until the disciplinary processes are concluded and the full report on what nothing happened is released.