THE CYBER SECURITY ENVIRONMENT IN LITHUANIA
The purpose of the audit was to assess whether cyber security is being ensured in Lithuania. In view of this goal, we assessed whether: (1) an effective cyber security system has been set up; (2) cyber security is ensured in public establishments. During the audit, the SAI Lithuania analysed current regulation, strategic planning and management practices in the field of cyber security and electronic information security as well as the funds allocated and used in this area. The SAI evaluated whether the cyber security and electronic information security objectives detailed in planning documents were achieved, how public establishments ensure cyber security, and whether technical and organisational measures for cyber security are being applied properly.
- Not all of the links between cyber security and electronic information security planning documents have been addressed, and measures established in planning documents are not being implemented on time
- The Programme for the Development of Electronic Information Security (Cyber Security) for 2011–2019, which was expected to achieve the most results in the field, is being implemented ineffectively (as of September 2015, the overall implementation of programme goals reached 21%).
- no solution has been found for the revision and harmonization of requirements for the area of cyber security and other areas related to information security
- legal acts regulating cyber security have not been drafted on time
- there are partial overlaps in the activity of public establishments
- it is unclear which parts of forming and implementing cyber security and electronic information security policy fall within the purview of certain institutions
- the cyber security management system that took effect in 2015 has not created sustainable management conditions for the areas concerned: there are partial overlaps in the activity of public establishments
- the allocation and use of funds for cyber security and electronic information security (15.6 million euros planned for 2015–2020) is implemented without the Ministry of National Defence and the Ministry of the Interior
- the Ministry of National Defence and the Ministry of the Interior could not set priorities and criteria or provide data about the actual state of cyber security and electronic information security in specific institutions, or their impact
- the funds that have already been used (20.9 million euros in 2011–2014)
- audited institutions apply, on average, only 25% of the recommended organisational measures for this area
- the principal shortcomings are linked to creating security management systems, managing incidents, ensuring operational continuity, improving the competence of personnel and external collaboration
- The implementation of organisational measures for cyber security and electronic information security in the public sector is insufficient
- audited institutions adequately implement only 39% of the recommended technical measures and continue to be vulnerable due to the inadequate setting of security configurations and management of electronic communications networks as well as mobile and other technologies
- The implementation of technical measures for cyber security and electronic information security in the public sector is insufficient, and establishments are not properly prepared to react to potential cyber threats