Folketinget Rigsrevisionen

National Audit Office of Denmark

Security of servers managed by the Danish Agency for Governmental IT Services

2023 DK2023secureServers
SCALE
  • The Danish Agency for Governmental IT Services managed 5,353 servers on behalf of 46 authorities at the time of the audit. 537 of these servers were no longer supported by their developers because they had reached the end of their lifecycle.
COMPLIANCE FOCUS
  • international standard for information security, ISO 27001
  • Centre for Cyber Security recommendations
PERFORMANCE ASPECT
  • security of servers
  • quality of data operations and services

The Danish Agency for Governmental IT Services has not upgraded or decommissioned servers before the developer ceased to release security updates. Moreover, the agency’s overview of the servers is incomplete, which reduces the ability to respond quickly to cyberattacks and emerging cyberthreats.

The Danish Agency for Governmental IT Services has not implemented sufficient compensatory measures to manage servers that are no longer supported by the developer. The Danish Agency for Governmental IT Services has a series of measures in place to reduce the risk of cyberattacks spreading. However, there is still a risk of cyberattacks spreading between servers and between authorities.

The Danish Agency for Governmental IT Services has informed Rigsrevisionen that it is impossible for the agency to upgrade or decommission the servers because the authorities have not, as required, ensured that their administrative systems will be compatible with new servers. (…) the agency has not established the necessary collaboration with the authorities to facilitate timely upgrading or decommissioning.

The items above were selected and named by the e-Government Subgroup of the EUROSAI IT Working Group on the basis of publicly available reports of the author Supreme Audit Institutions (SAIs). In the same way, the Subgroup prepared the analytical assumptions and headings. All readers are encouraged to consult the original texts by the author SAIs (linked).