Folketinget Rigsrevisionen

National Audit Office of Denmark
...

Cyber security resilience of the Danish public sector II

2023 DK2023cyberSecurityResilience
SCALE
  • - Approximately 90 of the government's IT systems are assessed to be critical by the departments.
COMPLIANCE FOCUS
  • - Center for Cybersecurity's general recommendation for updating software
  • - international standard for information security ISO 27001
PERFORMANCE ASPECT
  • - risk exposure
  • - vulnerabilities management
  • - effectiveness of procedures
1. Continuity - Preparedness

The authorities have developed contingency plans for the majority of the IT systems, but the quality of the plans varies significantly. A few plans are satisfactory, whereas others, particularly the disaster recovery plans, are affected by significant shortcomings. For example, descriptions of the technical recovery of IT systems after a major IT breakdown were missing in more than half of the plans. A few of the IT systems are without contingency plans.

2. Change - Testing

only a few of the contingency plans have been tested. It means that the authorities have not tested the effectiveness of the plans and do not know if the plans have the desired effect . As an example, it has not for the majority of the IT systems been tested whether they would be recoverable after a major IT incident.

Code (gexf) to continue analysis with GephiTerminology graph
svg
The items above were selected and named by the e-Government Subgroup of the EUROSAI IT Working Group on the basis of publicly available report of the author Supreme Audit Institutions (SAI). In the same way, the Subgroup prepared the analytical assumptions and headings. All readers are encouraged to consult the original texts by the author SAIs (linked).