RiR 2007:10 Government control of information security work within the public administration

Transcription

1 RiR 2007:10 Government control of information security work within the public administration Summary Responsibility for the control and management of security of information within the Swedish public administration is apportioned among the Swedish Riksdag (parliament), the Swedish Government, the supervisory and support agencies appointed by the Government (the expert agencies) and the management of the individual agencies. The Swedish National Audit Office (SNAO) has chosen in this audit to focus on the Government s responsibility for making requirements of and following up the work of the their agencies (the public administration) with respect to security of information, and for taking the initiative for measures aimed at improving the conditions for the work of the public administration within this area. The audit has been carried out in the light of the problems that have emerged in the SNAO s audits of eleven public agencies performance of their responsibilities for information security. An analysis of these problems is also presented in the audit report. Have the agencies done enough? The agencies are responsible for protecting their information assets. The conclusion come to by the SNAO, based on the eleven audits, is that on the basis of current standards the agencies are not working systematically on their internal management and control of information security. The SNAO s audits have revealed the following serious incidents in the agencies operations: There are examples of agencies that have failed to avert virus attacks, as a result of which they have been unable to function, sometimes for days. The officials were without access to necessary information. Serious incidents have occurred when agencies have changed their IT systems or introduced new IT systems. Government services on the Internet that are important to society, to citizens and to businesses, were closed down for up to two weeks. Officials had difficulties in carrying out their duties in the new systems. Deficiencies in the protection of agencies websites have led to unauthorised persons gaining access to integrity-sensitive information and also being able to change that information. These incidents have been caused by among other things deficiencies in the work on information security done by the top management of the agencies concerned. The most important management problems are: Management are uncertain as to what their tasks are in the information security work and how those tasks should be carried out. Management do not request any clear documentation showing the kind of risks and threats that exist for the agency concerned. Management do

2 not therefore have sufficient insight into what measures they should prioritise to protect the agency. Management s decisions regarding security measures are not complied with. Also, management do not follow up to ensure that the security fulfils management s requirements. Management do not make sure that they are informed that important measures such as continuity plans, reporting and handling of incidents have been carried out and are functioning as intended. Management underestimate the importance of staff training and information, including training of and information to other management personnel and boards. Is the Government performing its responsibilities? The SNAO deems the problems described above to be serious and that they imply a risk of significant negative consequences for government commitments such as electronic government and national emergency management. As a result of the Government s investment in electronic government, growing numbers of agency services are becoming available on the Internet, agencies are joining together to create coordinated e-services, and there is a general increase in IT-based development work. In order for this reform of the public administration to succeed, citizens and businesses must have confidence in the e- services provided on the Internet. There is a risk of a lessening of confidence in the agencies e-services if the information cannot be protected. It may be a case of unauthorised persons gaining access to sensitive information or changing data or in some other way acting so that the services cannot be used. If that happens, there is a considerable risk of the entire investment in e-government being jeopardised. Deficiencies in information security can also affect national emergency management systems. Central government agencies have as a rule an important role to play in society s ability to forestall, prevent and manage emergencies. The agencies are therefore assumed to have a certain basic capability to enable them to fulfil their role and to help society cope with emergencies. This basic capability is dependent on how well designed the agency s information security is. In the light of the above, the SNAO considers that the Government s control of information security is of great importance. The SNAO s overall assessment is that the Government has not followed up to ensure that the internal management and control of information security in the public administration is satisfactory. The Government has not taken sufficient initiative to improve the conditions for the administration s work on information security. These conditions are treated in the following. Inexplicit requirements and mandate The SNAO has established that the Government has taken measures with respect to the technical conditions for agencies information security work, such as e-signatures, e-identification, secure Internet, etc. On the other hand, no measures have as yet been taken to support the agencies internal management and control of information security. The top management of the audited agencies have no clear understanding of what requirements and rules apply to their information security work, for example as regards management accountability and the agencies risk analyses. In the SNAO s view, this may be due among other things to the fact that the statutes in this area do not provide

3 complete and explicit guidance 1. In 2001, the Government pledged an overhaul of the regulations in the area of information security. This overhaul has not yet been carried out. The SNAO takes the view that an overhaul of the regulations is urgently needed, particularly against the background of the investment in e-government. The Government s strategy for information security provides no explicit guidance either. It is aimed at society as a whole and does not lay down specific requirements for the agencies. In support of the public administration and in support of its work on managing the agencies, the Government has set up a number of expert agencies 3 with responsibility for various issues relating to information security. The Government has not however given the expert agencies a sufficiently explicit mandate, which has meant that they have had difficulties in giving the Government a complete picture of the information security problems at the agencies. An explicit mandate is also needed in order for the expert agencies to provide appropriate regulations detailing the Government s requirements for the agencies work on information security. The Government has not followed up the agencies work on information security The audit shows that over the past ten years the Government has been broadly aware of certain management problems in the sphere of information security, but the picture has been unclear with respect to central government agencies and the Government has been unable to present any complete picture of the problems affecting the public administration. The Government has not required the central government agencies to report on the principal problems affecting information security. The Emergency Management Agency s annual assessment of the information security situation is an important source for the Government s assessment of information security work in society. The SNAO has established that the Government has not required the Emergency Management Agency to provide the information in a form that will allow the circumstances relating to central government agencies to be clearly distinguished from, for example, municipalities and county councils. At the same time, the Agency does not consider itself to have a mandate to exercise supervision of the agencies information security work that the Agency considers is needed in order to give the Government a good foundation for its management of the public administration. Management issues in the central government agencies have not been touched upon in the directives to the government investigations relating to information security issues. 1 See separate analysis in Appendix 2. 3 The Emergency Management Agency, the Security Service, the National Post and Telecom Agency, the National Defence Radio Establishment, the Administrative Development Agency (Verva), the Armed Forces, and the Defence Materiel Administration.

4 Deficiencies in the Government s preparation of information security issues According to the SNAO, the Government s organisation of the work done by the Government Offices on information security issues and the management of the expert agencies is together insufficient to handle the agencies problems with their information security. No Government Office is explicitly responsible for carrying out an overall assessment of the agencies internal management and control of information security. The audit shows that as a result of the principles for apportioning responsibility and preparing issues within the Government Offices, strong signals are required (such as serious security incidents) for the Government Offices to become aware of deficiencies in individual agencies. Strong signals are also required in order to identify general problems in the public administration. No such signals have reached the Government, for example via the Emergency Management Agency s annual situation assessment, and the Government has not realized that there is a need to tackle problems in the agencies information security work. The SNAO has also found that the eleven agency audits that have been carried out over a period of two years have also, evidently, given insufficiently strong signals for the Government to draw the conclusion that there is a general problem in the public administration. The SNAO s recommendations Recently, the Government has taken a number of measures designed to better enable the public administration, and society in general, to maintain effective information security. However, in the SNAO s view these measures are not sufficient to solve the problems that the agencies top managements are having with the information security work. Therefore, the SNAO recommends that the Government take the following action to improve the internal management and control of information security in the public administration. The Government should focus more clearly on information security issues The SNAO s eleven audits of the agencies information security work have not been understood by the Government as signalling a more general problem. The Government s investment in e-government also requires it to take action to focus on information security issues. The Ministry of Defence and the Ministry of Finance in particular should coordinate their work more closely in all issues concerning the agencies information security. Give the expert agencies an explicit mandate to follow up and report on the agencies work on information security The expert agencies have hitherto been unable to supply the Government with the information required to give it sufficient insight into the most serious problems affecting the agencies work on their information security. The Government should therefore make plain the expert agencies remit so that some are given an explicit mandate to follow up and report on the agencies management and control of the information security work. In connection with this, the Government should define the purpose and aim of the annual situation assessments. Give the agencies better conditions - set more explicit requirements for information security work

5 The agencies themselves are responsible for their own information security. The SNAO s audits have however shown that the agencies management are unsure how to deal with information security issues. In the SNAO s view, this may be because they have not been given sufficiently explicit requirements from the Government. In 2001, the Government pledged an overhaul of the regulations relating to information security. An enquiry into information security in 2005 resulted in proposals for an ordinance in the sphere of information security. The Government has still not carried out the overhaul of the regulations nor has it made any decision on the proposals produced by the enquiry. The SNAO takes the view that an overhaul of the regulations is urgently needed, particularly against the background of the investment in e- government. The Government s strategy in the sphere of information security should be made plain in order to give the Government a better foundation for its management within the public administration and in order to provide the agencies with better information on the content of government policy. Since the Government has tasked the Emergency Management Agency with developing an action plan to implement the Government s strategy, in the SNAO s opinion the Government s remit should also include paying regard to the agencies internal management and control of the information security work. The Government should also include the agencies information security work in the management by objectives and performance of the individual agencies. The requirements set for the individual agencies should be adapted to their particular circumstances.