This week's case in point comes in a New Zealand government report following the leakage of public data from customer "kiosks" placed in the offices of Work and Income New Zealand (WINZ), the Kiwi equivalent of Australia's Centrelink.
At the time the story broke, junior staff within WINZ were blamed, with the head of the Ministry of Social Development accusing WINZ of having "slack and sloppy" processes.
This week saw the publication of the government review, which found that 12 systems out of 75 government agencies had weak points in their security.
Among them, formal security standards and procedures were lacking in 73 percent of the agencies surveyed. Eighty-seven percent did not have formal security certification and accreditation for their IT systems, 73 percent had "no robust security management processes", 67 percent "had not performed a security assessment on their systems", and 97 percent "had not accessed compliance with government-mandated standards".
Furthermore, government CIO Colin MacDonald said that many security and privacy processes were "undefined, informal, or undocumented, and often relied on the skills of individual people".
The government has since tightened up its procedures, with agencies expected to have completed security testing by the end of July. It has also made it clear that individual heads are responsible for their own departments, rather than there being an all-of-government approach, with each agency to determine its own level of security risk.
As MacDonald said in his report, a lack of security is not a technical problem.
"We've been relying too heavily on our IT professionals and IT vendors," he said.
The government dealt with one of the three levels of security risk — the technical layer — when it needed to give more attention to leadership, increased awareness, and control of risk from a senior executive level, and independent quality assurance.
"It's not a technology issue; it's a risk management issue that leaders must address," MacDonald said.
Thus came the justified cries that the New Zealand government must "raise its game" on information and security, from head bureaucrat, State Services Commissioner Ian Rennie.
"Citizens have a right to expect government agencies will protect their personal information, and we need to work harder to maintain that trust," he said.
The Privacy Commission called for a "cultural change" in how governments hold information on people, and welcomed how privacy would now become one of the key performance indicators for heads of government departments.
With mismanagement so obviously to blame, the public sector union, naturally and rightfully, raised the issue of staff numbers and whether they have been trained adequately.
Government ministers also said that they expect action to remedy the privacy and security problems, outlining what has happened to date and what is planned next.
Indeed, the government is making a major push toward putting services online, with a recent Budget announcement on i-identity just a small part of it.
Coincidentally, as the New Zealand government released its findings into its privacy and security failures, Symantec also produced a global report on the subject.
And what did it conclude? That rather than the technology being at fault, most data breaches are caused by human and systems errors.
It might seem like basic stuff, but since it appears to be so basic, hopefully government will learn from this debacle.
The report may seem like closing the stable door after the horse has long bolted, but it does appear that government bosses have grappled with the issues at stake and are finally coming up with solutions to prevent it from happening again.
Such solutions had better work, as the matters at stake — the security of citizens' data, as well as the trust needed for e-government to work — are too great to be ruined by basic errors like those we have seen to date.