Riksrevisionen

Swedish National Audit Office (RiR)
1 Task not implemented in the processes of the organisation
Only reason is a requirement, not real application of the change process

The work of information security is not at an acceptable level at the agencies audited

The audit of the Public Employment Service, Social Insurance Agency and Migration Agency was particularly in depth. None of these agencies can be said to have systematic information security work in compliance with the requirements of the Civil Contingencies Agency's regulations on government agencies' information security. These requirements stipulate that agencies must apply a management system that includes drawing up a policy for information security, classifying their information on the basis of correctness, accessibility and confidentiality, and determining how to deal with risks on the basis of risk and vulnerability analyses and incidents that have taken place. An important condition for paving the way to a good information security culture and creating understanding for information security is that the agency management shows commitment to the issue.

Despite the fact that the agencies have drawn up policies, guidelines and manuals on information security, knowledge of the contents and purpose of these documents is low among many employees and managers. Security work is not implemented in the ordinary processes of the organisations. The core organisation does not perceive that it has any responsibility for information security, but that this lies somewhere else in the agency, such as the IT or security functions. There is a considerable lack of participation and responsibility that should permeate the entire agency, and there is a lack of understanding of the need for security investments without visible benefit.

2 Insufficient conditions by Government
Agency managements do not make the matter a priority

The Government has not ensured the necessary conditions

At first glance the conditions may seem adequate in that the Government has created certain requirements to enable agencies to work on internal control of information security. There is a structure in place, with different statutes intended to steer this work. Part of this is that the Government has decided that the management of a number of agencies must certify that internal control is satisfactory. In addition, each ministry conducts regular dialogues with agency managements. Nevertheless, the audit shows that there are serious deficiencies in the agencies' information security work.

The Swedish NAO considers that stronger governance is required from the Government in relation to the agencies, so that necessary security measures are actually implemented. Simply drawing up an overall regulatory framework is not sufficient to make security adequate. If the Government does not require information concerning the agencies' information security and does not highlight the importance of good information security, in the opinion of the Swedish NAO the agency managements will not make the matter a priority either.

3 Costs of the activity unknown
No way to determine whether or not the decisions are well-founded

The costs of information security are unknown

To be able to determine whether or not there are well-founded decisions on the measures that need to be taken to protect all the information in public administration that requires protection, a coherent status report on threats, risks and suitable measures is needed. In addition to this it is necessary to know the size of the annual amounts spent on information security. Only when these pictures have been presented is it possible to weigh up the costs in relation to the benefit of protective measures and thus achieve an optimum level of information security in central government as a whole.

At present there are no data, either individual or for public administration as a whole, on agencies' costs for information security. Hence it is not possible to express an opinion on whether management of information security is cost effective. In the opinion of the Swedish NAO it is a clear deficiency that the Government does not request these data, particularly in relation to the fact that IT has been pointed out as a central tool for developing public administration.

4 Building good information security is a heavy burden
Risk: ineffective use of resources

Resources are probably not used effectively

Swedish public administration functions in a way that allows agencies to enjoy far-reaching independence in relation to organising their activities. From this follows that all agencies in public administration, regardless of size, are obliged to manage their own information security. This means that they must either do most of the work themselves, or engage consultants. The largest agencies are better equipped to build up and maintain good information security themselves, due to economies of scale. However, the situation of most agencies is not as favourable. This audit has shown that it is a heavy burden even for fairly large agencies to conduct successful information security work. The Civil Contingencies Agency contributes a good guide to how an agency is to work with information security. Nevertheless, for several of the agencies audited this is not enough, as they lack operative assistance, which the Civil Contingencies Agency does not currently provide. In the opinion of the Swedish NAO this means that it is probable that information security work at aggregate level is not cost-effective.

Background

In 2005-2007 the Swedish NAO audited the work of information security at eleven public administration agencies. The audit showed several deficiencies. The Government had not followed up whether the agencies' internal control of information security was satisfactory, nor given the agencies sufficient conditions for effective information security work. In 2014 the Swedish NAO again audited information security with a focus on the Government and its expert agencies' governance and support. This audit showed that there were considerable deficiencies in the information security work and that the Government had not exercised effective management.

Objectives

The purpose of this audit was to investigate how nine agencies work with their information security. These agencies conduct critical infrastructure activities, handle large amounts of money, are strongly IT-dependent and handle information that requires protection. The Swedish NAO has audited whether the agencies, based on current requirements and conditions, conduct information security work so as to achieve appropriate protection of their information assets. Another purpose was to examine whether the Government ensures that the agencies audited have effective internal control of their information security.

For information security to be effective, both for the respective agency and for public administration as a whole, it must be possible to weigh costs against benefits. Consequently, the Swedish NAO has made an investigation of the cost picture for information security work.

The items above were selected and named by the e-Government Subgroup of the EUROSAI IT Working Group on the basis of the publicly available reports of the author Supreme Audit Institutions (SAIs). In the same way, the Subgroup prepared the analytical assumptions and headings. All readers are encouraged to consult the original texts by the author SAIs (linked).