A unified data exchange mechanism on the accessibility of e-services would make it possible to identify the “weak links” quickly and to improve them preventively, both technically and in terms of security.
BRIEFLY
- In the last five years, state administration expenditures for information technology services (maintenance of information systems (IS) and related information and communication technologies (ICT) infrastructure) have increased from 41 to 64 million euros per year. At the same time, there are no estimates of how much the unavailability of IS and e-services has cost.
- The laws and regulations define the accessibility level to be achieved; however, it is not clear to state institutions how to ensure it, what to monitor and how to measure it.
- Organizational prerequisites (e.g., IS security risk assessment must be carried out in an institution, an IS operation restoration plan must be developed) are also defined in the laws and regulations, but not fully implemented in the institutions.
- Information on the accessibility of services achieved (whether it is achieved and at which stages it is not achieved) is not collected and analysed in one place. Therefore, it is not possible to determine where targeted improvements are most needed.
- Although the national IS and ICT resource accounting system (VIRSIS) has been developed and has been implemented since 1 January 2020, the data recorded there is incomplete.
- During the audit, both the Ministry of Environmental Protection and Regional Development (MEPRD) and the Ministry of Defence have taken steps to resolve problematic issues.
Can individuals and legal entities rely on the access to IS and the receipt of e-services? Unfortunately, the State Audit Office did not get a concrete answer during the audit: several problems were identified in relation to how state institutions assessed the accessibility of IS and how they generally managed IS. “First of all, the information provided by the state institutions on the accessibility level of IS and e-services is mostly based on opinions and not on facts because it is not clear how to measure accessibility: there is no calculation methodology and no indicators are accumulated to measure it. Secondly, information on the achieved accessibility level of IS and e-services is not collected at the national level. By eliminating these irregularities, the state administration could use financial resources and human resources more efficiently. Also, particular “weak links” would be identified in which improvements are most needed,” explained Ms Ilze Bādere, Member of the Council of the State Audit Council.
Although the significance of IS accessibility is recognised at the national level, including for the provision of e-services, and the laws and regulations set organizational prerequisites to facilitate the accessibility of IS and the continuity of operation of the related ICT infrastructure, state institutions are in no hurry to implement these prerequisites. Nor are they in a hurry to verify that the implemented organizational and technical measures ensure the continuity of ICT operation and the accessibility of IS and e-services, or that the accessibility of IS can be restored in the shortest possible time in the event of an incident. These issues are becoming more and more relevant both as cyber security risks increase and as the use of e-services increases under the influence of the Covid-19 pandemic. For example, according to the data of the Service Provision and Management Platform, e-services were used four times more than face-to-face services in 2020.
The most important identified problems, for the solution of which recommendations were provided #AfterAudit
It is not clear to state institutions how to ensure and what to monitor to reach the accessibility level specified in laws and regulations (98% for the integrated national IS, 99% for the integrator and 98% for e-services). The laws and regulations do not define the technical solutions for the IS used in state institutions (unless it is the integrated national IS or an integrator) that an institution would implement to ensure the operation of its IS and contribute to the achievement of a certain level of IS accessibility. The selection of appropriate technical solutions for the accessibility of IS and of indicators for monitoring the continuity of IS operation is left to each institution. State institutions mostly monitor and assess one of the components, such as IS database accessibility or server performance, but they do not measure and assess other components, such as the accessibility of functionality for IS users.
Development planning documents do not set specific goals and tasks to be achieved for ensuring the accessibility of IS. Moreover, no performance indicators have been set to assess the achieved IS accessibility. It is incomprehensible that the accessibility of e-services, which, in the auditors’ opinion, is one of the most important indicators of service quality, has not been put forward as a quality indicator for state administration services. This is contrary to the principle of public administration to constantly check and improve the quality of services provided to the public (certain indicators that must be measured and published in the Service Provision and Management Platform). Currently, whether a state institution provides e-services and ensures the operation of the IS supporting them is only a matter of the institution’s agenda, not of a centralized, data-driven approach on a national scale.
Information about the achieved accessibility level of e-services and the IS supporting them is not collected and analysed in one place. Although individual items of information relating to IS accessibility are accumulated in the state administration (e.g., the MEPRD on state IS and technical resources, CERT.LV on IT security incidents, the State Regional Development Agency on malfunctions and unavailability of e-services on the Latvija.lv portal), information on accessibility is not collected and analysed in a centralized way in the country, nor are the causes and consequences of problems analysed. Without recognizing problems and evaluating their causes, reasonable proposals for improvements cannot be made, and state institutions continue to maintain e-services in the long term without assessing the necessary improvements.
In Latvia, no estimates have been made so far of how much IS unavailability costs and what consequences it has for private individuals, institutions or the economy as a whole. In the auditors’ opinion, the consequences could be significant, as an administrative burden is created both for a service recipient (an alternative solution must be sought; time must be spent checking whether accessibility has been restored) and for the state administration (customer service in a less automated service delivery channel). According to the estimate made during the audit, receiving an e-service by means other than remotely may result in a cost of 15.40 euros for a service recipient and an average of 1.5 hours to receive it in person. In the case of service unavailability, state institutions are also forced to spend resources (1.83 euros per service), which they could use to provide other, less automated functions. Auditors’ estimates show that if the Latvija.lv portal is not available for twenty-four hours, service recipients cannot receive at least 22,500 e-services. An analysis of the notices published on the Latvija.lv portal regarding malfunctions of the portal and e-services during a four-month period found that 21 e-services in total (17% of all) were reported as not operating. Eight of these were down for between 1 and 23 days. One can conclude that their accessibility ranged from 26% to 96.8% in the given month, which is less than the 98% e-service accessibility level set by the regulation.
The set operating time of the IS and the achievable accessibility level are not coordinated among all the components involved in the provision of an e-service, that is, the supporting IS, ICT infrastructure and integrated IS, nor with regard to the place where the e-service is hosted, whether on the institution’s website or the Latvija.lv portal.
“In general, the accessibility of e-services and the IS supporting them is not well managed and monitored, as there are both problems and many unanswered questions about the proper organization of accessibility. The action must be mutually coordinated among state institutions because several institutions and the IS maintained by them are involved very often in its execution for an e-service to operate. Therefore, all components must be accessible, as malfunction of even one component will affect the receipt of the e-service,” indicated I. Bādere.
For example, for a resident to receive an e-service on the Latvija.lv portal, the following must function: (1) the Latvija.lv portal, which is maintained by SRDA; (2) user authentication mechanism provided by the LSRTC or one of the commercial banks; (3) information system itself and e-service performing services maintained by a state institution; (4) related IS and services necessary, for example, for checking personal data in the Population Register maintained by the Office of Citizenship and Migration Affairs; (5) data exchange channels maintained by various telecommunication service providers; and (6) an integrator maintained by the SRDA.
It is not defined what the working hours of an e-service are, i.e., whether the accessibility of e-service can be expected during the working hours of the institution or in 24/7 operating mode. For example, when an e-service is hosted in the Latvija.lv portal, its accessibility is possible only during the times specified and provided by its maintainer SRDA. This poses a risk that state institutions will not ensure the accessibility level set for e-services (98% per month) when placing e-services in the Latvija.lv portal. According to the auditors’ calculations, the e-service of that institution can theoretically be available for almost four hours a month less than the regulation on e-service accessibility provides. Because of the uncoordinated requirements for the accessibility of e-services and the Latvija.lv portal, an administrative burden of up to 64,000 euros can be created in the country every month, and in the course of five years (since 2017), an administrative burden of 3.84 million euros has probably been caused, which could have been spent more efficiently.
Although the national IS and ICT resource accounting system VIRSIS has been developed and implemented since 1 January 2020, the data recorded there is incomplete. For instance, state institutions have recorded data on only 127 national ISs out of 181 that were registered in the previously maintained Register of State Information Systems. In addition, only 19 IS managers have indicated that the information system is used to ensure the institution’s core activities. Regarding the majority of information systems (123 ISs), their managers state that ISs are intended only to ensure the internal needs of the institution. Therefore, they do not provide data exchange with other systems or provision of services, which, in turn, suggests that the systems are not correctly classified, etc. The auditors consider that deficiencies in the information accounting system VIRSIS affect the MEPRD’s ability to plan a unified national policy for the development and maintenance of IS and ICT resources and services necessary for their operation, as well as to successfully establish an evidence-based policy in ICT management. For example, it is impossible to identify those ISs that provide services to individuals and exchange data with other ISs, and to achieve an appropriate level of accessibility for exactly those ISs and the ICT infrastructure supporting their operations by planning resources for its provision. Complete data on national ISs and related ICT infrastructure is a prerequisite for unified management of IS accessibility and continuity of ICT operation.
Based on the audit conclusions, the State Audit Office has provided nine recommendations to the MEPRD and the Ministry of Defence for improving the accessibility of e-services and the IS supporting them #AfterAudit. Recommendations should be implemented in cooperation with CERT.LV. The timeframe for the implementation of the recommendations of the State Audit Office is the middle of 2026, but the implementation of individual recommendations is already planned before April 2023.
It should be noted that, already during the audit, both the MEPRD and the Ministry of Defence acted to fix the problematic issues. The MEPRD has started a reform of the management of state services, within the framework of which it will also provide for the establishment of precise and justified accessibility requirements for state services. Having identified the insufficient cyber security level of state administrative institutions and shortcomings in the cyber security management model, the Ministry of Defence called on the Cabinet of Ministers to support the establishment of the National Cyber Security Centre starting from 1 January 2023, which the Cabinet of Ministers supported on 7 June 2022.
Additional materials: Audit summary
Additional information
Ms Signe Znotiņa-Znota
Head of PR and Internal Communication Division
Phone number 67017671 | M. 26440185 | E-mail: signe.znotina-znota@lrvk.gov.lv