Valtiontalouden tarkastusvirasto

National Audit Office of Finland
...

Cyber protection arrangements

2017 FI2017CyberProtection
SCALE
  • Central government’s level: key ministries and agencies involved.
COMPLIANCE FOCUS
  • Finnish Cyber Security Strategy
  • budgetary procedures
  • risk management practices
PERFORMANCE ASPECT
  • operating modelling
  • effectiveness of change management
  • level of commitment

The current operating model is that each agency is responsible for its own cyber protection. There is not enough expertise in cyber protection available, however, which hinders the creation of cyber protection on one’s own and the creation of cyber protection based on purchased services. Operations for which state agencies are responsible that were previously handled by the agencies themselves have been centralised to state service centres in connection with service centre projects. The need for more standardised and comprehensive risk management has increased due to the centralisation. The risk management practices used by the agencies vary, however. The lack of standardisation in risk management may cause gaps in the protection of confidential information, for example. No information that supports the prioritisation of service protection in case of a comprehensive cyber security violation has been collected from central government services.

Some of the goals of the first implementation programme were not reached, because the level of commitment to the actions varied and the level of commitment could not be improved in a centralised manner. Only actions to which the competent authorities and other actors have clearly committed were included in the new implementation programme. The level of commitment and available resources are linked. Monitoring of the programme has been improved to offer government leaders a better idea of the current status of cyber security.

No procedures to ensure that funds are allocated to the targets most important for cyber protection have been identified in the regulations on the preparation of the state budget or the preparation process. The agencies budget cyber protection funds in the budget article for operating expenses as a non-itemised part of expenses from the operations of the agency. The fact that cyber protection services are subject to a charge influences both the demand for the Cyber Security Centre’s cyber protection services and the Centre’s opportunity to offer the services and retain its high level of expertise. Ultimately, the fact that the agencies are dependent on each other via the service centres, among others, and the opportunity of the agencies to obtain the cyber protection services subject to a charge from the Cyber Security Centre with the funds included in their budget articles for operating expenses influence the Cyber Security Centre’s operating conditions.

Changes in the central government ICT organisation have influenced the cyber protection arrangements. Administrative and practical cyber protection actions have been centralised (…), but the startup phase (…) was longer than planned and difficulties in retention of the original level of cyber protection arrangements were encountered during the startup phase. Development of the centralised cyber protection (…) has proven difficult. There have been deficiencies in the assessment of the adequacy of the practical cyber protection procedures and the implementation of new arrangements.

The items above were selected and named by the e-Government Subgroup of the EUROSAI IT Working Group on the basis of publicly available reports of the author Supreme Audit Institutions (SAIs). In the same way, the Subgroup prepared the analytical assumptions and headings. All readers are encouraged to consult the original texts by the author SAIs (linked).