So you can tell I am a political junkie: I follow the questions in parliament most days, and I spotted an interesting one from yesterday. Clare Curran, Labour’s ICT Spokesperson, was digging around security questions for the DIA’s DaaS service, with Peter Dunne responding. Make of it what you will.
Internal Affairs, Department—Security of Personal Information
18 Mar 2015 Oral Questions (uncorrected transcript—subject to correction and further editing)
10. CLARE CURRAN (Labour—Dunedin South) to the Minister of Internal Affairs: Is he confident that the Department of Internal Affairs manages New Zealanders’ personal information, documents and records effectively and safely?
Hon PETER DUNNE (Minister of Internal Affairs): Yes, I am.
Clare Curran: Does he have confidence that the Department of Internal Affairs has effective oversight of risks in IT functions and security across Government agencies, and that appropriate levels of assurance are in place?
Hon PETER DUNNE: Yes, I do, for a number of reasons. One is that in late 2012 the Government Chief Information Officer, who is also the Secretary for Internal Affairs, carried out a review of publicly accessible information systems, and, as a result of that review, some changes were made, including the appointment of a Government Chief Privacy Officer.
Clare Curran: Has he seen any recent reports from the Department of Internal Affairs that identified high-level risks leaving Government networks vulnerable to attack, including security controls not functioning, a lack of ability to investigate malicious activity, and insecure information transmitted over the Department of Internal Affairs and “Desktop as a Service” cloud-provider networks; if so, when?
Hon PETER DUNNE: I constantly receive advice from the Secretary for Internal Affairs in his capacity as the Government Chief Information Officer. Given the sensitivity of a lot of that advice, it would be inappropriate to go into detail in this House.
Clare Curran: Which specific IT security functions within his department are currently compromised as a result of a lack of funding?
Hon PETER DUNNE: I think the best way I can answer that question is to refer the member to my previous answer.
Clare Curran: Can he guarantee that under his watch no Government IT system has gone live without accreditation from the New Zealand Institute of Safety Management and sign-off from the chief executive officer?
Hon PETER DUNNE: I assume the member is referring to the chief executive officer of the Department of Internal Affairs in her question, and the answer to that would be yes.
Clare Curran: Will he support my Electronic Data Safety Bill, which has its first reading today, to select committee in order to restore public confidence that people’s information that is held by the Government is secure, private, and well-managed, given that he expressed support for this bill when it was first drawn from the ballot and before he was the Minister?
Hon PETER DUNNE: The short answer is no, because the bill was drawn from the ballot before work that I referred to in one of my earlier answers in late 2012, which addressed the very issues the bill seeks to address, and which therefore makes the bill utterly redundant.