Document no. 3:4 (2005–2006) The Office of the Auditor General’s investigation of the authorities’ measures to safeguard IT infrastructure was submitted to the Storting on 22 November 2005.
Society’s dependence on IT systems is constantly increasing – for example in banking and finance, power and water supplies, traffic management systems, and systems in the health and social sector – while at the same time the number of threats against the systems is growing.
The responsibility for IT security is mainly borne by the individual ministry or government agency. However there are several ministries and subordinate bodies that have coordinating roles or cross-sector supervisory tasks. The investigation shows that the responsibility for these tasks has not been adequately clarified, that both responsibility and tasks are fragmented, and that limited resources are used for overlapping tasks. There is a clear need for a closer specification of responsibility between the ministries.
To succeed in safeguarding IT systems that are critical for society, it is vital to acquire a general view of what critical IT infrastructure actually is and of the systems this consists of. There is a high degree of dependence between IT systems within the same sector and between different sectors. The OAG stresses the importance of clarifying which authority is responsible for assessing the vulnerability of critical IT infrastructure across sector boundaries and of coordinating measures that reduce vulnerability.
In the National Strategy on Information Security from 2003 the authorities presented a number of measures aimed to promote better IT security both in critical infrastructure and in society as a whole. The investigation shows that few of the measures have in fact been initiated. The OAG emphasises the need for greater coordination, management and monitoring of IT security measures.
The Ministry of Defence, the Ministry of Justice and the Police, the Ministry of Modernisation and the Ministry of Transport and Communications have submitted responses. The Ministry of Modernisation refers to the fact that an inter-ministry working group has recently been appointed to assess the assignment of responsibility. A national CERT (Computer Emergency Response Team) will also be set up. Together with the Centre for Information Security this will constitute a total concept for national emergency response and advisory services within IT security.
The provision concerning delayed public access to documents that are compiled by or sent to the Office of the Auditor General in connection with the Document no. 3:3 series (2005–2006) has been repealed, cf. Section 28, paragraph 2 of the Auditor General Act.