17 March 2022
Aaron Schiff
[FYI request #18585 email]
Tēnā koe Aaron,
Official Information Act request: Infoshare maintenance
Thank you for your query of 17 February 2022 requesting the following:
I would like to understand the extent to which Stats NZ’s Infoshare platform is maintained to
reduce the chance of extended outages. Specifically I would like to ask:
1. What processes does Stats NZ use to ensure that the underlying software
infrastructure and dedicated codebase of Infoshare are kept updated with security
patches and any other critical software updates?
2. Approximately how much software developer and/or IT technician person time has
been allocated to maintaining the Infoshare software platform and codebase each
year for the past five years? To clarify, I am asking about maintenance of the
Infoshare platform itself rather than updating timeseries data held in that system.
3. What standards, if any, has Stats NZ set for uptime of Infoshare?
4. What contingency plans does Stats NZ have for making data in Infoshare publicly
available in the event of an extended outage of more than one week?
We have responded below to each of your questions in turn:
What processes does Stats NZ use to ensure that the underlying software
infrastructure and dedicated codebase of Infoshare are kept updated with security
patches and any other critical software updates?
Stats NZ conducts vulnerability scanning to identify where systems are susceptible to attack.
These susceptibilities are due to attackers developing new forms of attack. Certain
companies keep track of all the evolving threats and Stats NZ uses their catalogues to
identify where additional security action is needed.
Stats NZ also conducts regular penetration testing of services. This is where expert hackers
systematically attack the service to identify if it is susceptible to different forms or
combinations of attack. It was penetration testing that revealed the recent vulnerability which
forced Stats NZ to temporarily remove the NZ.Stat service.
Approximately how much software developer and/or IT technician person time has
been allocated to maintaining the Infoshare software platform and codebase each
year for the past five years? To clarify, I am asking about maintenance of the
Infoshare platform itself rather than updating timeseries data held in that system.
We cannot easily retrieve data for the past five years – average data for the past two years
is as follows: 122 hours maintenance, with 104 hours of general support per year.
What standards, if any, has Stats NZ set for uptime of Infoshare?
Web Application Availability Monitoring of Infoshare for the past 13 months (max reporting
period) is 99.83% uptime.
What contingency plans does Stats NZ have for making data in Infoshare publicly
available in the event of an extended outage of more than one week?
For security related events, Stats NZ’s approach is to deploy security updates while
maintaining the Infoshare service, which is what we were able to do with the most recent
security update. Unfortunately, this was not possible with NZ.Stat.
Should a security event occur that disrupted the Infoshare service, our comprehensive
disaster recovery back up would allow us to restore the service within 24 hours. Should this
take longer for any reason we would ensure continuity of data supply using the same
practices we applied for the NZ.Stat outage. We would provide channels for customers to
request data directly through our Information Centre and publish more data files on our
website. We would stand up these services as soon as practically possible should any
outage occur, that would impact customers.
In the case of a major national disaster, Stats NZ could potentially be competing for restore
resources with other agencies based on a national priority system. For instance, emergency
and critical services may take precedence over Stats NZ.
If you are not satisfied with this response, you have the right to seek an investigation and
review by the Ombudsman. Information about how to make a complaint is available at
www.ombudsman.parliament.nz or 0800 802 602.
It is our policy to proactively release our responses to official information requests where
possible. This letter, with your personal details removed, will be published on the Stats NZ
website. Publishing responses creates greater openness and transparency of government
decision-making and helps better inform public understanding of the reasons for decisions.
Ngā mihi nui
Matt Phimmavanh
Senior Advisor, Executive and Government Relations
Office of the Chief Executive
Stats NZ