The ACA points to IT security gaps in federal ministries

10.09.2021 – The use of private IT equipment during telework entails considerable risks 

To ensure continuity of operations during the lockdowns of the COVID-19 pandemic, officials in federal ministries occasionally used their private IT equipment, which poses considerable security risks. This is highlighted in the report published today by the Austrian Court of Audit (ACA), entitled "IT Security Management in the Administration of Selected Federal Ministries", which also points to shortcomings in the preparation for possible IT emergencies and to IT security risks that arise when ministries’ responsibilities change.

The audit was carried out at the Federal Chancellery, the Federal Ministry for Digital and Economic Affairs, the Federal Ministry of Arts and Culture, Civil Service and Sport as well as the Federal Ministry of Social Affairs, Health, Care and Consumer Protection. The audited period spanned the years from 2018 through 2020. 

Changes in the ministries’ responsibilities posed challenges for IT

Any change in the responsibilities of a ministry – e.g. in the course of a government restructuring or the formation of a new government – entails extensive adjustments by the IT department concerned and comes with security risks. Due to organizational and staff-related shifts as well as changes of premises, the IT equipment and technical applications have to be integrated into the ministry that takes on the new responsibilities. This also concerns the implementation of the respective IT security strategy. The transition phase, in particular, can pose IT security risks. In September 2020, for example – nine months after the competencies of the Federal Chancellery, the Federal Ministry of Arts and Culture, Civil Service and Sport and the Federal Ministry of Social Affairs, Health, Care and Consumer Protection had shifted – a unified responsibility for IT-related matters across the ministries was still lacking.

To ensure continued IT security, the ACA recommends preparing a government bill that clearly and expressly establishes a competence for the coordination of IT security in the Federal Ministries Act (Bundesministeriengesetz). Standardizing the IT workplaces would reduce the costs of procurement and licences, simplify maintenance and increase IT security. A corresponding ordinance to the ICT Consolidation Act of 2012 (IKT-Konsolidierungsgesetz) has still not been prepared.

The use of private IT equipment poses a security risk

The ACA also shed light on the security aspects of telework in the course of the COVID-19 pandemic. The assessment revealed that the officials of the Federal Chancellery, the Federal Ministry for Digital and Economic Affairs and the Federal Ministry of Social Affairs, Health, Care and Consumer Protection occasionally used their private IT equipment to ensure the continuity of the day-to-day operations.
Apart from the fact that the law did not provide for the use of private IT equipment for regular operations during telework, the ACA points to the related risks. The use of one’s own devices entails the risk that official data remains stored on private devices. Furthermore, IT security precautions against malware are typically weaker on private devices than on official devices. In addition, no explicit IT security requirements had been defined for the use of private IT equipment during telework. The use of private IT equipment for telework should therefore not be envisaged as a standard for day-to-day operations.

Official equipment for telework

The ACA recommends the following: with regard to possible further phases of crisis-related telework, the IT equipment of the workplaces would have to be set up in such a way that regular operations can be upheld with official equipment outside the workplace. In addition, it is to be determined whether, for reasons of security, certain activities must in any case be performed at the workplace.

External staff abroad within the EU: direct supervision was impossible

The ACA noted that the Federal Ministry for Digital and Economic Affairs made use of an external service provider whose staff members had their workplace abroad in another EU country. The staff members had access to the IT systems of the ministry. The necessary security checks of the staff members were carried out through the local authorities. The fact that the external IT staff members also had access to important services of the ministry created a risk with regard to the availability, integrity, authenticity and confidentiality of the data processed by the ministry. As the workplace was situated abroad, direct supervision and/or control of the external staff members was possible neither for the external service provider nor for the ministry.

Preparation for IT emergencies was insufficient

The ACA sees room for improvement as regards the preparation for IT emergencies. The Federal Chancellery failed to sufficiently identify emergency scenarios for in-house IT systems. It had failed, for example, to prepare an IT emergency manual and to clearly define criteria for the occurrence of an IT emergency. At the Federal Ministry for Digital and Economic Affairs, emergency concepts, such as IT emergency manuals, IT emergency scenarios or IT emergency plans, were not in place for the in-house IT systems. The ACA recommends creating an IT emergency manual for in-house IT systems and IT services that covers all important IT emergency scenarios and defines clear criteria for the occurrence of IT emergencies as well as a separate IT emergency organization.

PDF file: 3,236.5 KB, 108 pages

Report: IT Security Management in the Administration of Selected Federal Ministries (in German)

From June to October 2020, the ACA audited selected aspects of IT security management in the administration of the Federal Government. The audit aimed at presenting and assessing the design and implementation of selected aspects of IT security management in the central units of the Federal Chancellery, the Federal Ministry of Arts and Culture, Civil Service and Sport, the Federal Ministry for Digital and Economic Affairs as well as the Federal Ministry of Social Affairs, Health, Care and Consumer Protection. This concerned in particular the IT security strategy, the IT security organization, the staff members responsible for IT security and the IT security management. Furthermore, the ACA audited the ministries’ transition to telework during the COVID-19 pandemic with a focus on IT security. The audited period spanned the years from 2018 through 2020.
