GCIO Review of Publicly Accessible Computer Systems
- Cover letter, GCIO Review report 298 KB PDF
- ‘GCIO Review of Publicly Accessible Systems – Summary of Findings, December 2012’ 377 KB PDF
- Cabinet Paper EGI 31 May 2013 200 KB PDF
- Cabinet Paper SEC 25 Feb 2013 379 KB PDF
- Cabinet Paper SEC 8 Feb 2013 397 KB PDF
- EGI Cabinet Minute (13) 11/5 33 KB PDF
- SEC Cabinet Minute (13) 2-6 60 KB PDF
- SEC Cabinet Minute (13) 1-3 34 KB PDF
- GCIO Review Timeline 18 KB PDF
A review of publicly accessible computer systems in the State Services has been released.
State Services Commissioner Iain Rennie requested the review in October 2012 after a security breach at the Ministry of Social Development's Work and Income kiosks. It was carried out by the Government Chief Information Officer (GCIO) Colin MacDonald, who is Chief Executive of the Department of Internal Affairs.
The review covered 215 publicly accessible information systems across 70 government agencies. These systems included kiosks, sign-in systems at reception desks, and internet access to services requiring information to be entered online. Most government networks and systems are not publicly accessible.
The review found that security processes within many agencies were under-developed and relied too much on the skills and capabilities of staff and suppliers.
Privacy and information security standards are being tightened and a plan of action is underway in response.
The following actions have been taken or are underway:
- Agencies were instructed by the GCIO before Christmas to take immediate actions to strengthen privacy and security processes.
- Immediate requirements included making an executive-level manager in each agency responsible for robust practices and processes.
- Agencies had to produce evidence by April 2013 of a detailed risk assessment of their publicly accessible systems.
- Agencies had to decide by April 2013 whether to increase their ability to address privacy and security challenges, or find alternative arrangements such as using capability in other agencies.
- Agencies are required to provide security assessments to the GCIO by the end of July 2013 and again by the end of March 2014, along with reports about the steps they have taken to address privacy and security issues.