Najvyšší Kontrolný Úrad Slovenskej Republiky

Supreme Audit Office of the Slovak Republic (NKÚ SR)

Management and protection of assets in the field of information and communication technologies at the ME SR

2012 report KA-012/2012/1022

The Supreme Audit Office of the Slovak Republic (SAO SR) audited the Ministry of Environment of the Slovak Republic (ME SR) for the period 2011 and 2012 to examine compliance with generally binding legal regulations and general statutes in the field of information and communication technologies (ICT) and public administration information systems (ISPA), with emphasis on the use of information technology (IT) services provided by third parties. A large number of irregularities was found, in particular: many cases of non-compliance with standards and breaches of the law; violation of the conditions set out in the particular contracts, documents and agreements (where these existed or were valid at all); an obsolete concept of ISPA development; internal and security directives that had not been established; critical and strategic information systems (IS) that had not been identified; wholly unsatisfactory principles, procedures, conditions and policy for data backup (and for checking that backups actually work), restoration and security; the possibility for unauthorised persons to access the IS and data, which increases the risk of information leakage and the overall security risk; and inadequate physical security of the IT-related areas. All of these irregularities result from poor coordination, administration, organisation, governance and operational management in the field of ICT and IS.

In the report, pages 2-3

- absence of orders for the external contractors authorising them to issue invoices for the use of the services provided by the external providers
- performance of operations beyond the scope of the contracted activities, without reasonable conditions for their delivery by the contractor

- absence of a valid document designating the entity responsible for delivering the operation of the economic information system; only formal agreements to the operation statements on the service delivery conditions were given

- payments for technical support services were made without a written request
- absence of an acceptance protocol designating the entity responsible for delivering technical maintenance services on the software facilities

- failure to comply with the subject of a contract as determined in the particular contracts for work
- unauthorised system interference

- violation of the payment conditions determined in the particular contracts for work

- impossibility of verifying the actual extent of the work done
- breach of the law on the ISPA

In the report, page 3

- failure to update the concept of ISPA development

- failure to comply with the standards stated in the Edict of the Ministry of Finance of the Slovak Republic (MF SR) on standards for the ISPA

- poor personal data security and poor performance of personal data protection supervision

- breach of the law on the ISPA and of the law on personal data protection

In the report, pages 3-4

- internal directives for the IS operation area were not established, nor was a document regulating backup and data recovery or a document regulating the performance of restore tests and system functionality tests
- the critical IS were not identified
- security directives regulating information security management of its IS were not established

- detailed principles and procedures for backing up data and programs were not adopted
- continuous checks of the functionality of the backups on the selected data media were not performed
- critical and strategic IS for the ministry were not defined

- internal directives describing the activities that must be performed in the event of accidents, malfunctions and other special situations in the IS were not adopted
- documents defining preventive measures to reduce the occurrence of special situations, and describing the options for effectively restoring the IS to its state before an accident so as to preserve the continuity of the ministry's activity, were not adopted
- back-up power supply (UPS) for the key elements of the IS was insufficient

- inability to determine the password policy, the operating and administrator privileges, or the administration of these privileges
- ability of third parties to intrude into the ministry's computer domain and to perform radical interventions in the ministry's IS with the highest access privileges

- insufficient backup policy, implemented as two copies of a full backup of the servers (including the operating systems) created every day by a system administrator, with both copies kept in a technological room

- inability to handle special situations in the IS and to restore the system after accidents
- inability to maintain the continuity of the ministry's activity after a malfunction or accident

In the report, pages 5-7

- active user accounts with the highest access privileges were found in the access accounts database for persons whose cooperation contract had ended
- insufficiently configured system security policy in the ministry's IS

- the area of security policy was not regulated by any internal instructions
- privileged access accounts whose access privileges did not correspond to the approved access privileges for the employees' work duties and positions
- active administrator accounts with unrestricted access to every computer, including the servers and domain controllers, accessible through the Virtual Private Network, were established for several external ICT service suppliers and were not evaluated and analysed by means of the individual systems' audit records (logs)

- internal directives defining the conditions for third-party access to its IS were not approved
- active administrator accounts to the IS existed for external service contractors whose service delivery contract had already ended
- missing access management, security risk analysis and evaluation of audit records
- inadequate physical security of the technological room and presence of items unrelated to the purpose of this room

- the ability of unauthorised persons and third parties to access the ministry's IS increases the security risk

- possibility of physical damage to the IS due to insufficient security of the areas related to the ministry's IS

The risk cases visible on this page are collected and described by the e-Government Subgroup of the EUROSAI IT Working Group in contact with the authoring Supreme Audit Institutions (SAIs). Likewise, the analytical assumptions and headings are chosen by the Subgroup. We encourage you to read the original texts by the SAIs, which can be found in the linked files.