Report on mitigation of cyber attacks

09-10-2013

Report no. 3/2013

This report concerns the prevention of cyber attacks. As e-government expands, so does the need for government bodies to protect themselves from cyber attacks and abuse of their IT systems and confidential data. Attacks on several government bodies in recent years have accentuated the need for increased security.

The objective of the study was to assess whether the government bodies examined had addressed the risk of cyber attacks, whether they had implemented the following three security controls and, in the event that they had decided not to implement the security controls, whether they had recorded their reasons for doing so in their risk assessments.

The three security controls are:

  • technical restriction of download of programmes;
  • limited use of local administrators;
  • systematic software updates.

Rigsrevisionen also examined whether the Danish Agency for Governmental IT Services had managed the risk that an attack on one inadequately secured agency can spread to other agencies, for instance through shared services (joint solutions), and whether the division of responsibility for the three cyber security controls was clearly defined in the standard agreement entered into between the Danish Agency for Governmental IT Services and the three government bodies.

Rigsrevisionen initiated the examination, which is based on IT audits performed by Rigsrevisionen in the spring of 2013 as part of the annual audit.

Read the 1st chapter of the report (PDF)