Valstybės Kontrolė

National Audit Office of the Republic of Lithuania (VK)

General and Creation Control of the Information Systems of the Ministry of Foreign Affairs

2013 report VA-P-90-2-2

The objective of the audit was to assess general and creation control of the information systems of the Ministry of Foreign Affairs. Since the beginning of 2009, the Ministry of Foreign Affairs has achieved considerable progress in the management of the information systems. The auditors reviewed and assessed all key elements of the process.

In the report: part 2, 2.1-2.3 (page 3)

- there is no mechanism in place designed to address, together with the managers of the Ministry, strategic information technologies management issues, so that the needs of the main activity are linked to the possibilities provided by information technologies

- no data management supervisors have been appointed

- there is high information technology staff turnover; however, during the audited period, reserve staff for substitution and taking over of duties was not planned

- Failure to clearly describe the existing electronic data flows (data structure) may result in additional time and resources required for processing this data and selection of insufficient measures to ensure information safety.

In the report: part 3, 3.1-3.5 (pages 3-4)

- information system risk assessment was not carried out annually

- internal documentation does not define the specific components which constitute the information systems of the Ministry, therefore the classification of the information systems by categories is unclear

- only one assessment of the information technology security compliance has been performed (in 2012) and not all documents on data protection have been updated

- information system risk factors which existed at that time and which could have affected the security of information were not identified and analysed in detail; no plan of measures to reduce (manage) the risk of the information systems has been developed and approved

- this may result in inaccurate determination of the need, priorities and level of protection of electronic information processed by the information systems of the Ministry

- security management measures for the information systems provided for in these documents may be ineffective

In the report: part 4, 4.1-4.4 (page 4)

- priorities of the recovery of the operation of the information systems have not been provided for

- administrators responsible for the maintenance of the information technology equipment have not been indicated; no relevant documentation of the information system setup (lists of information technology equipment, parameters of the equipment, physical and logical interconnection schemes of the computer network, etc.) has been prepared; the list of agreements on data provision and computer, hardware and software maintenance is not being compiled; data exchange agreements have been concluded only with part of data providers and users

- tests and efficiency testing of elements of the Information Systems Continuity Management Plan during practical training have not been carried out

- less important business processes of the Ministry may be restored in the first place

- responsibility and service delivery problems

- in case of an incident, the Continuity Management Plan may turn out to be ineffective and unfeasible

In the report: part 5, 5.1-2 (pages 4-5)

- not all objectives of the automatically processed personal data at the Ministry have been registered with the State Register of Personal Data Managers

- no personal data protection level has been set and no written document describing the application of personal data protection measures has been drawn up and approved

- people have no access to detailed information about the management of their personal data

- lack of compliance with the Law on Legal Protection of Personal Data

The risk cases visible on this page are collected and described by the e-Government Subgroup of the EUROSAI IT Working Group in contact with the authoring Supreme Audit Institutions (SAIs). In the same way, analytical assumptions and headings are chosen by the Subgroup. We encourage you to read the original texts by the SAIs, which can be found in the linked files.