Statsrevisorerne Rigsrevisionen

National Audit Office of Denmark (Rigsrevisionen)
1 Incomplete or too general requirements
Risk that the suppliers fail to establish the adequate level of security

Rigsrevisionen also finds that the majority of the examined authorities can refine their requirements for access control and logging. Either the authorities have failed to define access control and logging requirements altogether, defined only general and vague requirements or imposed requirements for only some of the layers in the IT infrastructure.

If requirements concerning the suppliers' obligations are either missing altogether, general or vaguely formulated - and thereby open to interpretation - there is a risk that the suppliers fail to establish the adequate and/or expected level of security.

2 Insufficient monitoring

Last, Rigsrevisionen finds that the majority of the authorities should improve monitoring of their suppliers' access control and logging, since they have either failed to monitor these or only monitored some layers of the IT infrastructure. The audit shows that some of the authorities need to acquaint themselves with the areas of IT security covered by their suppliers' auditor's reports.

3 Lack of appropriate risk assessment
Risk that the management is not focused on the need to safeguard the information

With the exception of the Danish National Police, none of the authorities have conducted appropriate risk assessments of the examined IT systems. Rigsrevisionen does not consider this satisfactory. The risk assessments conducted by the authorities were very general in their form and did not include all layers of the systems' IT infrastructure. Moreover, the authorities did not state their reasons for opting out of controls in relation to access control and logging, and they were therefore unable to document how they had arrived at the conclusion that imposing requirements on and following up on access control and logging in all layers of the infrastructure would not be necessary. When the authorities fail to base their management of IT security on appropriate risk assessments, there is a risk that their management is not focused on the need to safeguard the confidentiality, integrity and availability of their systems and data.

Background

Many government IT services have been outsourced to external suppliers. The benefits of outsourcing can include cost savings, enhanced quality and organisational improvements. However, in the course of the last couple of years, there have been examples of serious IT security incidents in the companies providing IT services to the government. For instance, in 2012, several of the Danish National Police's systems were compromised in a cyberattack on one of its external suppliers of IT services.

Objectives

This report concerns a number of government authorities' management of IT security in systems that have been outsourced to external suppliers. The report adopts a forward-looking perspective and makes recommendations for improving the authorities' management of IT security in outsourced systems. Rigsrevisionen initiated the study, which is based on IT audits performed by Rigsrevisionen during the first six months of 2016.

We have examined the following five authorities and six IT systems: The Danish National Police (centralised passport service), the Danish Customs and Tax Administration (two self-service systems that allow individuals and businesses to manage their tax returns online), the Danish Agency for Labour Market and Recruitment (joint database providing historic and current data on citizens' employment), the Danish Agency for Digitisation (NemID - digital signature) and the Danish Maritime Authority (ship registration system).

The items above were selected and named by the e-Government Subgroup of the EUROSAI IT Working Group on the basis of publicly available reports of the authoring Supreme Audit Institutions (SAIs). In the same way, the Subgroup prepared the analytical assumptions and headings. All readers are encouraged to consult the original texts by the authoring SAIs (linked).