Report on the security of servers managed by the Danish Agency for Governmental IT Services

04-12-2023

Report no. 6/2023

The purpose of the study is to assess whether the Danish Agency for Governmental IT Services under the Ministry of Finance has ensured that the servers it manages are supported by the developer, so that personal data and critical business data are not exposed to unnecessary risk of being compromised. The report answers the following questions:

  • Has the Danish Agency for Governmental IT Services upgraded or decommissioned servers on behalf of the 46 authorities in the study before the developer ceased to provide security updates?
  • Has the Danish Agency for Governmental IT Services implemented compensatory measures to manage vulnerabilities and security issues when the servers are no longer supported by the developer?
  • Has the Danish Agency for Governmental IT Services established procedures to ensure the timely upgrading and decommissioning of servers that are no longer supported by the developer?

The Danish Agency for Governmental IT Services under the Ministry of Finance has not ensured that all servers managed by the agency are supported by the developer. The agency has failed to upgrade or decommission servers for which security updates are no longer released, and the agency’s overview of the authorities’ servers is incomplete. Rigsrevisionen considers this unsatisfactory. It entails a risk that hackers gain access to and abuse or destroy sensitive personal data and critical business data.

Rigsrevisionen initiated the study in March 2023.
