RAW DATA: Terms of reference for Deloitte independent review of MSD

TERMS OF REFERENCE

Independent Review of the Ministry of Social Development’s Information Systems Security

17 October 2012

The Chief Executive of the Ministry of Social Development (the Chief Executive) has commissioned an independent investigation into the security breach that occurred through the Ministry’s self-service kiosks at two Work and Income service centres, which compromised privacy.

The review will be carried out by Deloitte and will be led by Murray Jack, Chairman, Deloitte (the Independent Reviewer).

A Steering Group, with external stakeholders, including the Office of the Privacy Commissioner and Office of the Government Chief Information Officer, has been set up to provide independent oversight of the review.

This review will take into account the recently announced review of publicly accessible systems by the Government Chief Information Officer.

Objectives of the review
The objectives of the independent review are to address the questions raised about the security of the Work and Income self-service kiosks focusing on what happened, why it happened, the lessons learned, and the actions the Ministry needs to take to address any security issues raised.

The review will also assess the Ministry’s wider information systems security including the policies, governance and culture, and will make recommendations about the actions needed to be taken to restore and increase public confidence in the Ministry’s information systems security.

The review will happen in two phases.

Phase One – Matters in scope

The first part of the review will investigate the circumstances and causes of the kiosk security breach which compromised privacy, focusing on

·         The establishment and operation of the self-service kiosks in Work and Income service centres, including:

o   the work done to ensure appropriate information security was put in place at the time that the kiosk infrastructure and services were designed and built;

o   the independent testing done to ensure the security was operating as designed; and

o   the Ministry’s response to any security issues identified during the testing.

·         Information provided to the Ministry by third parties raising security concerns about the kiosks and the appropriateness and effectiveness of the Ministry’s response to these concerns.

·         The appropriateness and effectiveness of the Ministry’s response to the security breach.
 

Phase Two – Matters in scope

The second part of the review will assess the appropriateness and effectiveness of the Ministry’s wider information systems security, particularly publicly accessible systems, and including the policies, governance, capability and culture.

The review will identify any lessons learned and make recommendations to the Chief Executive about any changes and improvements needed to the Ministry’s information systems security.

Timeframes and reporting

Phase One - The objective is that Phase One of the review will be completed within two weeks.

Phase Two - The timeframe for the completion of Phase Two of the review will be determined following completion of Phase One.

The reports on both phases of the review will be made publicly available.
 

Governance

The role of the Steering Group is to provide independent oversight of the review and advice to the Chief Executive.

The Steering Group will consist of external stakeholders. The members are:

·         James Ogden – Independent Chair

·         Erik Koed – Assistant Commissioner, State Services Commission

·         Stuart Wakefield – Director, Office of the Government Chief Information Officer

·         Katrine Evans, Assistant Privacy Commissioner (Observer)

In addition, the following people will attend and participate in the Steering Group.

·         Murray Jack – Independent Reviewer

·         Brendan Boyle – Chief Executive