Menu
MSD probes use of all-of-government SharePoint application

MSD probes use of all-of-government SharePoint application

A decision to use the government Shared Workspace to collect sensitive external data appears flawed.

The use of an all-of-government shared workspace to collect sensitive external data will be investigated after a Ministry of Social Development security failure.

The use of an all-of-government shared workspace to collect sensitive external data will be investigated after a Ministry of Social Development security failure.

A Microsoft SharePoint application used by over 30 of the largest government agencies will be at the centre of an independent security review announced by Social Development Minister Anne Tolley yesterday.

The review, into the ministry's use of the government Shared Workspace for a sensitive data collection programme and a subsequent security failure, follows an internal report Tolley described as "disappointing".

"It's extremely disappointing that the report appears to raise more questions than answers on the security of the IT system and the governance of the project," she said.

The Ministry of Social Development decided to use the Department of Internal Affairs' all-of-government Shared Workspace as an interim platform to collect individual client data from external social services providers funded by the government.

MSD said the data was being collected to help government understand who was using such external services and the impact of the programmes.

However, shortly after roll-out, one external provider was able to access another's folder where individually identifiable data was due to be lodged.

No data was in the folder at the time, but the issue was serious enough for the ministry to cancel all external access permissions to the portal.

The independent review will look into the circumstances that led to the privacy failure, the decisions made about why the Shared Workspace was used and security measures taken.

SharePoint can be deployed securely, but this is considered tricky when external parties are included. However, a description on the Department of Internal Affairs' ICT services website appears to describe it as suitable for use with external parties.

"Shared Workspace is a secure, online collaboration tool for government agencies to share information with each other and with their third party project partners."

Explaining the failure, MSD's head of the data collection programme, Peter Galvin, told Radio New Zealand the ministry's own IT people suggested using the Shared Workspace after security reviews provided confidence it would be fit-for-purpose.

Each provider was to have their own folder for uploading data but an error with access permissions settings led to the failure.

“We’d set up permissions on who could see what folder, and we found there had been an error in setting up the permissions on a folder, which meant that other providers when they went into the shared workspace could see that particular folder," Galvin said.

Social Development Minister Anne Tolley
Social Development Minister Anne Tolley

That gave the ministry "significant pause for thought", Galvin said. The ministry had to make a call on whether to persist with using that platform, he said.

"On balance and in the interests of security we couldn't in good conscience continue to pursue that platform."

Galvin said the Shared Workspace was always supposed to be an interim solution. The ministry is now working on a permanent replacement.

Seeming to throw further doubt on the decision to use the Shared Workspace, Galvin said the new system will be standalone, not a shared space, so there would be no risk of one provider seeing another's data.

The final terms of the replacement system were still under negotiation, he said, but it would be controlled directly by MSD.

The Department of Internal Affairs is currently using SharePoint 2010 to run the workspace, but is developing a roadmap to upgrade to SharePoint 2016.

A spokesperson said the Shared Workspace would continue to be available to eligible agencies for as long as they consider it meets their needs.

Microsoft referred queries about the issue to the ministry.

The independent review will be led by former Deloitte NZ consultant Murray Jack, supported by private sector IT and privacy specialists. It is due to be completed by the end of the month. The review will also look into the governance and management of the project.

Providers are continuing to collect data to be uploaded into the new IT system, once it is launched.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags governmentprivacyMicrosoftSharepointNew ZealandMinistry of Social Developmentmsd

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments