Management of Police Information Resources Read full summary in English
Police tasks of the necessary data are processed departmental registers, information systems, automated data processing systems and networks where information is stored, processed and transferred to the classified information. The police department has all of these information resources, so the audit focused on the activities and actions of the Department to ensure planning and organizing of the recourses, monitoring, evaluation and coordination and other aspects of registers and IS strategic management. The audited period was 2012-2014. For the analysis, there were used previous data and data of 2015. The objective of the audit is to evaluate information resource management and development control of the Department of Police.
- The Department of Police confirmed arrangements whereby potential threats and risks, monitoring and evaluation procedures of police analysis. However, they failed to comply them and there are no safety compliance assessments over a specified period
- therefore not subject of measures to adequate controls to manage identified risks, ascertained or selected adequate safety measured or their ignored application
- The Department does not have a common information architecture model, defining the information managed by the Department and police authorities, the classification criteria, the data of IS or registers, technology architecture.
- Therefore the interoperability of the Department and registers, the importance of the information managed by the Department and police authorities, sensitivity for its publication, communication and disclosure are unclear.
- Arrangements whereby potential threats and risks, monitoring and evaluation procedures were in place. However, they were not followed up and there were no safety compliance assessments over a specified period, therefore not subject of measures to adequate controls to manage identified risks, ascertained or selected adequate safety measured or their ignored application
- there is no omitted data recovery testing of backup data, copies of data are stored in the same room as their servers. However, this room does not have an automatic fire extinguishing system, so, during an incident, stations of hardware and software service can be irreversibly damaged, IS data in the database can be lost along with the copies
- The Department does not provided assurance that they are ready to restore activities of IS and registers during the period which does not have any negative impact on implementing functionalities of the Department and relevant authorities because the plan of business continuity management has not been updated and tested
- The Department does not implement all the security measures of technical and organizational personal data when processing it in automatized way, there is no organized lawfulness of training of data processing and information security issues, therefore there are not provided confidentiality of electronic information and protection of personal data from the accidental or unlawful destruction while processing data
- The organized structure of IT management should be improved. There are formed groups and commissions in the Department and police offices in order to make the needs of main activities associated with offered IT opportunities, but not all groups and commissions carry our the functions assigned to the full extent, groups and commissions work irregularly (episodically), they do not ensure an adequate IT implementation of controlling and monitoring threats
- The UPFS (Unified Police Force System) was modernized without legal requirements having been met: mandatory documentation, regulations and specification of the UPFS, were confirmed after the closure of the project. When the phase of the modernization was completed, the UPFS transfer- acceptance act was uncertified
- In order to implement the project of UPFS modernization, there is no integrated plan of UPFS project management that includes times, financial and human resources, points of complex project activities or project related people-to-people contacts, therefore the project components of IS were not properly set in terms of performance and its critical limits (20 days), and time limits of improving the UPFS decreased
- There was a circumvention of control mechanism of the existing projects, works in developing UPFS software was carried out hastily, testing, training and the results of the adoption process were inconsistent, the operation of UPFS trial was not conducted and the results of the project were not reviewed, and in the end of the project it was not known if the functions of UPFS are used