Report on management of IT security in systems outsourced to external suppliers

09-11-2016

Report no. 5/2016

This report concerns a number of government authorities’ management of IT security in systems that have been outsourced to external suppliers. The report adopts a forward-looking perspective and makes recommendations for improving the authorities’ management of IT security in relation to the outsourced systems. 

The authorities remain responsible for managing IT security even though their IT systems have been outsourced to external suppliers. It is therefore important that the authorities conduct risk assessments and, based on their findings, impose relevant requirements on the level of IT security in the outsourced systems and monitor that level. The risk assessments provide the basis for appropriate and well-founded management of IT security. Without active, risk-based management of IT security, the authorities will be unable to determine whether the level of IT security in the outsourced systems meets their requirements.

The purpose of the report is to assess how the authorities have managed IT security in the systems that have been outsourced to external suppliers in selected areas and, based on the outcome of our assessment, to make recommendations to the authorities as to how they can improve management in this area.

Rigsrevisionen initiated the study, which is based on IT audits performed by Rigsrevisionen during the first six months of 2016.
