Paper for Committee Meeting Ljubljana, Slovenia 17-18 May 2001
Report on the Project Communications Security on Internet
Swedish National Audit Office April 27, 2001
Frank Lantz
Bengt Andersson
A final draft report concerning this project has recently been
produced. It will be presented and discussed during the IT Committee
meeting in Slovenia. The conclusions from the project will also be
announced at the IT Audit Seminar before the Committee meeting.
To summarise:
- Within the project, an audit model for communications security in the public sector has been created.
- The audit model is based on the security aspects of three existing information security standards: ISO/IEC 17799-1, FA22 and PD5000.
- The audit model has been tested on three governmental agencies and then further improved on the basis of those tests.
- This model, or Best Practice, in the field of communication has come to be represented by a question database containing 15 domains dealing with security matters.
- The question database allows auditors to search for questions individually or by area in order to audit different aspects of communications security, independently of the technical solutions in use.
- The tests have provided an insight into which questions are not applicable as things stand at present, and which questions may gain in importance in the near future.
Conclusions:
- Basic criteria for good communications security, such as documents dealing with policy on information security and policy on e-mail, often do not exist or have no official status within the organisation.
- Information security issues have no obvious place within the management of the authorities.
- The opportunities for secure communications which meet demands made of confidentiality, integrity and accessibility are currently limited, as few authorities have tools for authentication, encryption and signing. At present, the use of a Public Key Infrastructure (PKI) is the closest we can get to communication which meets the said demands.
- More and more authorities will probably choose the Internet for the communication of authority information, and this will increase the need for PKI tools. This is why the need is also increasing for audit programmes of the type that this project has attempted to describe.
- The Swedish Qualified Electronic Signatures Act, which came into force on 1 January 2001, will probably prepare the way for the Swedish authorities to create solutions for secure Internet communication.
- None of the three standards forming the basis for this work meets, on its own, the overall needs in this area. In other words, at least two different standards ought to be considered in order to cover all topics that are of interest when auditing this area.
- The most detailed standard is PD5000, although this standard primarily seems to apply to a future perspective in comparison with the situation that RRV (the Swedish National Audit Office) encountered in the case studies, because it assumes that the authorities are already using tools which support authentication, encryption, etc.
- The modifications, which had to be made to the model on the basis of the audits carried out, meant that greater emphasis had to be placed on policy issues than had originally been planned. This was due to the fact that the shortcomings in this area were greater than anticipated.
- It was essentially pointless to audit much of the technical aspects in the model, as the technical applications commissioned were not based on policies and active decisions on the part of the management. These policies and guidelines should constitute perhaps the most important foundation against which introduced technical solutions are to be assessed. If these controlling documents do not exist, one of the foundations for a secure communication environment vanishes.