Management of Information Resources of the Ministry of Agriculture Read full summary in English
The Ministry of Agriculture of the Republic of Lithuania has managed 32 information systems and registers. Of these, 24 ones are managed, developed and upgraded by a state enterprise subordinate to the Ministry of Agriculture, the Agricultural Information and Rural Business Centre. The annual amount allocated by the Ministry for the maintenance of the Centre totals LTL 17.5 million on average. The objective of the audit was to assess the general and development controls of the information resources of the Ministry of Agriculture. The audit was conducted at the Ministry of Agriculture and the state enterprise Agricultural Information and Rural Business Centre, information was also collected at the State Plant Service.
- There is no general information architecture model covering all information resources at the Ministry.
- It is difficult to determine the exact amount of information resources and their interaction.
- There is no procedure in place designed to address strategic information technology management issues with the executive staff of the Ministry (lack of information about IT). Ministry have not appropriate documentation for managing its IT systems including personal data.
- Ministry cannot verify that the development and maintenance funds for IT systems have been used efficiently.
- Failure to clearly define the available digital data flows (data structure).
- Breaches of legal regulations concerning IT.
- Ministry does not have tools to ensure the compliance to the security requirements including personal data for information resources laid down in legislation and in the procedures approved by the Ministry.
- It cannot be verified that appropriate and sufficient measures for IT systems have been selected.
- The recovery of the IT activities may be delayed.
- Data security regulations and documents implementing the security policy have not been approved for all information resources, so the assurance of digital information security depends only on the IT staff awareness. Moreover for almost half of information resources personal date have not been registered in Register of Personal Data Controllers.
- Risk and security compliance assessments are not carried out in the period laid down in legislation and within the scope of all managed systems.
- No priorities for the recovery of information resources have been set, performance continuity plans have not been approved and tested for all information resources, the staff has not been trained to handle an emergency.