- State Audit Office of Latvia - http://www.lrvk.gov.lv/en/ -

ICT infrastructure requires more efficient and safe management

Maintaining the ICT infrastructure cost the country 62 million euros in 2018, and spending continues to grow. Hence, the question of how to manage this large-scale area, which is dispersed across many institutions but is strategically important, must be addressed urgently.

As the authority responsible for ICT management policy, the Ministry of Environmental Protection and Regional Development (MEPRD) has identified the situation and has offered solutions, but their implementation varies widely across ministries, and the achievements are the result of the institutions' own initiative rather than of ICT policy. The State Audit Office and MEPRD agree that optimisation should be continued, but it should become more focused, systematic, and centrally monitored, taking into account the trends of rapid technological development.

Toothless ICT governance policy

The findings of the State Audit Office after assessing the implementation of ICT governance policy during the audit indicate that there has been virtually no progress since 2012. Namely, each authority optimises its ICT infrastructure according to its own understanding and possibilities. This leads to different situations in different authorities: there are ministries where ICT management is organised centrally, and there are ministries where there is no single management and each institution manages ICT separately. The State Audit Office supports the view that full centralisation or decentralisation of ICT in the ministries should not become an end in itself, but the model of action chosen by each ministry should be sustainable and based on specific calculations and consideration of alternatives, which is currently not done. Decisive ICT councils, which take a broader look at ICT resources and the opportunities to optimise them than each separate authority is capable of, play a significant role in ensuring sustainable development. The audit found that in some ministries the IT Council has been established only formally and does not function in practice.

Public authorities do not regularly evaluate which is cheaper: maintaining ICT themselves or cooperating with another institution to maintain it. As long as specific tasks, the bodies responsible for implementation, and deadlines are not clearly defined for ICT optimisation, optimisation remains, for the ninth year, merely a slogan included in the strategies, ICT project applications, and funding requests of public authorities.

The State Audit Office audited four ministries selected at random, that is, the Ministry of Culture, the Ministry of Agriculture, the Ministry of Justice, and the Ministry of Education and Science, and verified that the Ministry of Justice had achieved the most significant progress in centralising ICT and continued to optimise ICT consistently. In the other ministries, by contrast, the ICT optimisation started 8 years ago has stalled unfinished.

Empty data centres

The fact that four ministries use 38 server rooms to house ICT infrastructure is an example of inefficient governance. The audit found that high-level data centres have been set up in public administration but are not used to capacity, even though server equipment is housed in premises that do not meet security requirements at another authority of the same ministry. The fear of losing control of and access to their ICT resources, and uncertainty about budget allocation, are among the factors that discourage institutions from moving their ICT infrastructure to another institution. There is no cooperation in the placement of ICT infrastructure between ministries or even within one ministry, and this has no rational justification. Because institutions do not cooperate, outsourcing infrastructure hosting is considered the most appropriate solution, without considering the alternative of using the data centres that already exist in the country by redistributing resources accordingly within one ministry.

At the time, the plan was to solve the problem of fragmented ICT infrastructure by establishing a single electronic communications service centre, which was forecast to save up to 3 million euros over five years. The establishment of such a centre has been planned since 2011. Although the centre should have started operating in January 2019, only two institutions actually began using its services during this period.

Unless national information systems are required to use the services of the single centre within set deadlines and volumes, and unless the necessary funding is provided, the data centre established for several million euros may not be used to its full potential.

Physical security of ICT infrastructure neglected

The observations made in the server rooms during the audit suggest that the protection of physical infrastructure is currently neglected. Although the Cybersecurity Strategy treats ICT infrastructure as an integral part of cyberspace, the state places more emphasis on, and more closely monitors, security in the electronic space that everybody encounters daily. The security of ICT infrastructure in data centres, which is generally the responsibility of the head of the institution, is not subject to preventive supervision by superior authorities. In addition, the existing regulatory framework (apart from the overall objective of protecting resources) does not clearly define security requirements for ICT infrastructure according to the significance of the information processed in the systems.

Deficiencies in the differentiation of security requirements lead to both inadequate protection and costly solutions where over-protection of insignificant information causes an excessive financial burden on the state budget.

The State Audit Office believes that there is an urgent need to improve the mechanism for monitoring the security of ICT infrastructure: there are currently no clear requirements for physical and environmental security, and the situation in the country as a whole is neither surveyed nor monitored. This poses a risk that the authorities will not be able to defend themselves if an individual decides to exploit shortcomings in physical and environmental security to damage, destroy, or steal essential technical resources and the data they contain.