https://www.scoop.co.nz/stories/PO1210/S00327/terms-of-reference-released-for-privacy-review.htm
Terms of reference released for privacy review
MEDIA RELEASE
19 October 2012
The Government Chief Information Officer (GCIO), Colin MacDonald, today released the terms of reference for his review of the security of publicly accessible government IT systems, and made the following comments:
“The public expects to be able to interact with government effectively and efficiently. They want rapid access to clear, helpful, government information, and easy transactions and they expect that the personal information they share with government will remain private.
“The review I am initiating today will look at the steps agencies have taken to secure their systems.
“I will review lessons learned from the Ministry of Social Development, agency self-review reports and agency documentation. I will also identify any systemic issues and provide assurance and advice on improvements.
“I have appointed KPMG to support me in the review. Detailed planning will begin next week. A public release of findings will be made after I report first to the State Services Commissioner.”
GCIO Review of Publicly Accessible Systems
Terms of Reference
The Government Chief Information Officer (GCIO), together with an external specialist, will review policy, process and assurance information provided by departments relating to the security of publicly accessible agency systems.
1) Remit
   a. The Government Chief Information Officer (“GCIO”) has been requested by the State Services Commissioner to review the security of publicly accessible systems across government
2) Purpose
   a. provide Ministers with assurance on the security of publicly accessible systems
   b. provide Chief Executives with advice on security improvements which can be made in the deployment and operation of such systems
3) Agencies in Scope
   a. Public Service Departments, NZ Police and relevant Crown Entities
4) Matters in Scope
   a. Publicly accessible systems including:
      i. Kiosks or similar devices that provide public access that are connected to a government network
      ii. Web servers that provide a service delivery interface
      iii. Wireless networks providing access to the public
5) Approach
   a. Review:
      i. Lessons learned from MSD
      ii. Agency self-review reports
      iii. Agency documentation including:
         a) Information Management security policy and practices
         b) Change & Release Management processes
         c) Network and Security architectures
         d) Security and penetration tests and responses to those
         e) Audit reports and responses to those
   b. Recommend:
      i. Identify systemic issues
      ii. Provide assurance
      iii. Provide advice on improvements
6) Timeframe
   a. Draft report prepared by 27 November 2012