Latvijas Republikas Valsts Kontrole

State Audit Office of the Republic of Latvia (LRVK)
1 Formalized approach to optimization goals
Lack of clear development plans and well-organised infrastructure

Since 2010, when Latvia experienced a significant financial crisis, three major policy-planning documents have been drafted, providing progress towards ICT optimisation. Each of them identifies the same problems in ICT management (fragmented management of ICT services and infrastructure and lack of information on ICT resources). Even today, the level of ICT optimisation is different across the ministries ranging from complete centralisation to a decentralised ICT governance model. The State Audit Office considers that setting the objective of complete centralisation or decentralisation as an end in itself would not be correct, as one must emphasise that the direction chosen by a ministry is based on specific calculations, consideration of alternatives and that this direction is sustainable.

Also there is no current ICT development and optimisation plan in the ministries audited as ICT optimisation plans elaborated in the ministries in 2010–2011 are the last planning documents designed to optimise specific ICT activities. Since there is no single ICT development planning document in the ministries, which would define the directions, priorities, of the ICT development of the ministry, short-term and long-term planned tasks and activities for ensuring ICT management, including conditions for the optimal use of ICT infrastructure, the ministries do not facilitate a single ICT management organisation or achieving the overall goal of the ICT optimisation plan.

When assessing the progress made by the ministries in improving the organisation of ICT management during the audit, auditors have concluded that the requirements of the statutory enactment on the ministerial ICT organisation and establishment of ICT Councils actually are not met (or executed formally) in the ministries audited, because the activities of the ministerial ICT Council are formal, or it is not established at all.

It means that there is no prerequisite for the management of well-organised ICT infrastructure in those ministries, the ICT management organisation is not provided in line with the concept. Therefore, the optimal provision and use of ICT services and the optimal management of ICT infrastructure in the ministry are not provided.

2 Lack of clear development plans and well-organised infrastructure
Lower security and inefficient use of existing infrastructure

Already since 2010, the ministries attempt to solve the issue of single ICT infrastructure placement within the ministry or try to implement a single data centre within the ministry. For identification of the problems related to ICT infrastructure placement, there were four ministries and 16 their institutions visited during the audit. One concludes that 31 server rooms have been established and maintained in the institutions, and 7 server room services are also outsourced.

The auditors assessed the security and workload of server rooms of the ministries. There are security threats in server rooms, and tackling them will require at least 247,000 to 765,000 euro. But more efficient use of existing (requirementcompliant) data centres in the ministries and centralisation of ICT resources therein can ensure savings of up to 1.3 million euro in five years.

To solve the problems with the fragmentation of ICT infrastructure, centralised national electronic communications service eas developed. The centralised national electronic communications service centre would provide various shared ICT services to institutions (for instance, storage of data backup copies, etc.). Although one plans to establish a centre, which would save financial resources of even 3 million euro in five years already since 2011, more intense activities for the establishment of the centre have started only in 2016 by envisaging the launching of the centre in 2019. But the major benefit, which is not exactly quantifiable in financial terms, would constitute ensuring the appropriate level of security for placement of ICT infrastructure. But laws and regulations do not stipulate the duty of institutions to use the infrastructure of the national electronic communications service centre, and the policy planning documents do not include an assessment how the establishment of the centre would affect the optimisation of ICT infrastructure already started in the ministries. Therefore, the risk exists that a situation can occur without the mandatory requirement for certain national information systems to use the services of a single data centre within certain deadlines and to the set extent and without the necessary funding where the data centre set up for several million euro will stay unused.

3 Involvement of many institutions in security activities
Lack of clarity in requirements and common monitoring system

There are many institutions involved in ICT security in Latvia, but there is a lack of clarity as to who and how is providing identifying of ICT security situation in the country and common monitoring thereof, for example, the Regulations of the Ministry of Defence foresee a function to coordinate the development and implementation of information technology security policy, while the Ministry of Environmental Protection and Regional Development is entrusted with elaborating a policy for ICT governance, organising and coordinating its implementation, including to promote the dissemination of good practices and the development of methodology for ICT governance issues, including ICT maintenance, development, optimisation, and security.

The regulatory framework for ICT infrastructure security is incomplete because no detailed security requirements for ICT infrastructure are set forth (for instance, there are requirements regarding different criteria of logical security, but there are no criteria for physical and environmental safety of the infrastructure, which also affects the availability of systems and data protection). Although public policy planning documents point to the importance of ICT infrastructure security and the need to strengthen it, nobody has planned specific activities in this area at the national level. The lack of clear, traceable and logical differentiation of security requirements to be met that would be interconnected in various regulatory enactments poses the risk that the same ICT infrastructure security requirements are not provided for the processing of information of equal importance and significance in the country as a whole.

There is also no monitoring system of the security management of ICT infrastructure introduced that would ensure the implementation of comprehensive and planned security measures. Although the overall responsibility for implementing ICT security in each institution lies with its manager, the understanding of the institutions on the significance of ICT security issues, the assessment of the importance of the information processed, and the resources available to the institutions to address ICT security issues vary widely. Hence, the actual ICT security in institutions is very different, but the situation in the country is not identified as a whole. A regular monitoring system of those processes would be needed, which would be able to evaluate entire public administration as a single system in total independently and under common criteria, to identify different approaches and prevent them by identifying common risks, and to plan preventive actions to mitigate the latter.

Background

Modern public administration is unthinkable without the use of information and communication technologies. With public administration becoming more modern, not only the amount and convenience of services available to the residents but also the amount of information processed and stored in the provision of services increase. Investing not only in the development of new IS but also in the procurement and security of ICT infrastructures, which must ensure the continuity of the systems, is carried out to enable institutions to deliver better quality services and to provide daily support functions. Although institutions have the opportunity to interact and develop interinstitutional sharing services, there is a situation developed historically where institutions take care of their ICT activities themselves according to their understanding, skills, and capabilities, which results in fragmented national ICT infrastructure and insufficient security solutions being ensured during its maintenance.

Objectives

Problems in ICT resource and infrastructure management and trends of increasing overall ICT costs are identified in the country since 2010, and there have been attempts to address these problems at least once per every three years (by integrating potential solutions into sectoral policy planning documents), but overall institutional ICT maintenance costs is still growing. Between 2011 and 2017, total ICT maintenance costs of the institutions have risen from 17 million euro to 20 million euro per year. Total ICT maintenance costs for institutions include expenditure on ICT infrastructure maintenance, information system maintenance, software rental, and communications services for computer network operations. One cannot define from the existing ICT expenditure accounting data directly how much and to what extent the institutions spend directly on ICT infrastructure maintenance. In addition, there is no practice introduced in the institutions to carry out regular evaluation of what costs cheaper - to maintain ICT themselves or to cooperate with another institution to maintain ICT. Therefore, the State Audit Office pays attention to the question, “Has public administration used all opportunities for efficient management of ICT infrastructure?”.

The items above were selected and named by the e-Government Subgroup of the EUROSAI IT Working Group on the basis of publicly available report of the author Supreme Audit Institutions (SAI). In the same way, the Subgroup prepared the analytical assumptions and headings. All readers are encouraged to consult the original texts by the author SAIs (linked).