1 Task not implemented in the processes of the organisation
Only reason is a requirement, not real application of the change process
The work of information security is not at an acceptable level at the agencies audited
Audit of the Public Employment Service, Social Insurance Agency and Migration Agency was particularly in depth. None of these agencies can be said to have systematic information security work in compliance with the requirements of the Civil Contingencies Agency' s regulations on government agencies' information security. These requirements stipulate that agencies must apply a management system that includes drawing up a policy for information security, classifying their information on the basis of correctness, accessibility and confidentiality as well as determining how to deal with risks on the basis of risk and vulnerability analyses and incidents that have taken place. An important condition for paving the way to a good information security culture and creating understanding for information security is that the agency management shows commitment to the issue.
Despite the fact that the agencies have drawn up policies, guidelines and manuals on information security, knowledge of the contents and purpose of these documents is low among many employees and managers. Security work is not implemented in the ordinary processes of the organisations. The core organisation does not perceive that it has any responsibility for information security, but that this lies somewhere else in the agency, such as the IT or security functions. There is a considerable lack of participation and responsibility that should permeate the entire agency, and there is a lack of understanding of the need for security investments without visible benefit.
2 Insufficient conditions by Government
Agency managements do not make the matter a priority
The Government has not ensured the necessary conditions
At first glance the conditions may seem adequate in that the Government has created certain requirements to enable agencies to work on internal control of information security. There is a structure in place, with different statutes intended to steer this work. Part of this is that the Government has decided that the management of a number of agencies must certify that internal control is satisfactory. In addition, each ministry conducts regular dialogues with agency managements. Nevertheless, the audit shows that there are serious deficiencies in the agencies' information security work.
The Swedish NAO considers that stronger governance is required from the Government in relation to the agencies, so that necessary security measures are actually implemented. Simply drawing up an overall regulatory framework is not sufficient to make security adequate. If the Government does not require information concerning the agencies' information security and does not highlight the importance of good information security, in the opinion of the Swedish NAO the agency managements will not make the matter a priority either.
3 Costs of the activity unknown
No way to determine whether or not the decisions are well-founded
The costs of information security are unknown
To be able to determine whether or not there are well-founded decisions on the measures that need to be taken to protect all the information in public administration that requires protection, a coherent status report on threats, risks and suitable measures is needed. In addition to this it is necessary to know the size of the annual amounts spent on information security. Only when these pictures have been presented is it possible to weigh up the costs in relation to the benefit of protective measures and thus achieve an optimum level of information security in central government as a whole.
At present there are no data, either individual or for public administration as a whole, on agencies' costs for information security. Hence it is not possible to express an opinion on whether management of information security is cost effective. In the opinion of the Swedish NAO it is a clear deficiency that the Government does not request these data, particularly in relation to the fact that IT has been pointed out as a central tool for developing public administration.
4 Building good information security is a heavy burden
Risk: ineffctive use of resources
Resources are probably not used effectively
Swedish public administration functions in a way that allows agencies to enjoy far- reaching independence in relation to organising their activities. From this follows that all agencies in public administration, regardless of size, are obliged to manage their own information security. This means that they must either do most of the work themselves, or engage consultants. The largest agencies are better equipped to build up and maintain good information security themselves, due to economies of scale. However, the situation of most agencies is not as favourable. This audit has shown that it is a heavy burden even for fairly large agencies to conduct successful information security work. The Civil Contingencies Agency contributes a good guide to how an agency is to work with information security. Nevertheless, for several of the agencies audited this is not enough, as they lack operative assistance, which the Civil Contingencies Agency does not currently provide. In the opinion of the Swedish NAO this means that it is probable that information security work at aggregate level is not cost-effective.
In 2005 - 2007 the Swedish NAO audited the work of information security at eleven public administration agencies. The audit showed several deficiencies. The Government had not followed up whether the agencies' internal control of information security was satisfactory, nor given the agencies sufficient conditions for effective information security work. In 2014 the Swedish NAO again audited information security with a focus on the Government and its expert agencies' governance and support. This audit showed that there were considerable deficiencies in the information security work and that the Government had not exercised effective management.Resources are probably not used effectively
The purpose of this audit was to investigate how nine agencies work with their information security. These agencies conduct critical infrastructure activities, handle large amounts of money, are strongly IT-dependent and handle information that requires protection. The Swedish NAO has audited whether the agencies, based on current requirements and conditions, conduct information security work so as to achieve appropriate protection of their information assets. Another purpose was to examine whether the Government ensures that the agencies audited have effective internal control of their information security.
For information security to be effective, both for the respective agency and for public administration as a whole, it must be possible to weigh costs against benefits. Consequently, the Swedish NAO has made an investigation of the cost picture for information security work.Resources are probably not used effectively