National Audit Office: The Information System Authority has ensured the reliability of X-Road, but no one checks the security level of private companies using X-Road

Priit Simson | 3/2/2021 | 10:00 AM

Text size: [-A] [+A]

Language: EST | RUS | ENG

Print

TALLINN, 2 March 2021 – The Information System Authority (RIA) has generally ensured the reliability of the X-Road Centre, but the level of information security of private companies using X-Road is not checked when joining and using X-Road, the National Audit Office found in its audit report “Administration and Reliability of X-Road” published today.

In the audit report, the National Audit Office concluded that the central services of the X-Road (also “X-Tee”) infrastructure have been relatively reliable: over the last three years, there has been one significant interruption in the X-Road services caused by the central components of X-Road. The Information System Authority has determined the most important risks to the reliability of X-Road and has assessed them. Measures have been developed to mitigate risks, many of which are being implemented. However, given the number of inquiries made through X-Road – on average, 133 million inquiries per month –, the provision of the majority of public services would become impossible or significantly more difficult should X-Road not be operational. Replacing data exchange carried out via X-Road with non-electronic data exchange would be practically impossible or at least very costly.

It is concerning that, in many cases, state institutions offering data services on the X-Road platform have not entered into agreements on the use of service. Where contracts have been entered into, none of the state institutions audited checked before entering into the agreement whether private companies implement adequate measures for mitigating security risks in order to ensure the integrity, confidentiality and availability of data. “Private members of X-Road confirm that they implement the required measures when entering into a data service contract, but data service providers do not check up on it,” the audit manager Toomas Viira commented.

Compliance with data service agreements is checked up on only by few state institutions providing access to data. “Failure to enter into data service contracts and failure to check the level of security measures of private companies poses a security risk,” added the audit manager Toomas Viira. “This may allow unauthorised persons to have access to state databases and the ability to make unauthorised changes.”

State institutions implementing X-Road must implement the necessary measures to mitigate information security risks, but it has not been determined which security measures and at which level should be implemented. The requirements established for X-Road by the Government of the Republic Regulation “Data Exchange Layer for Information Systems” are sometimes general and allow members to interpret them differently in implementation.

Although the Information System Authority has not prepared an operational continuity plan for X-Road, several measures have been implemented for the continued operation of secure data exchange and requirements have been established in other documents to ensure operational continuity. Irregularity of performing recovery tests and failure to document them may be considered shortcomings. So can the fact that the vitality and sensitivity of information assets related to X-Road have not been assessed separately.

The National Audit Office recommended that the Director General of the Information System Authority initiate an amendment of the Regulation “Data Exchange Layer for Information Systems” governing the operation of X-Road that would make the established requirements more precise and unambiguous so that data service providers could implement the requirements and the Information System Authority could check up on the implementation thereof. Necessary guidelines for implementing the requirements arising from the Regulation should also be prepared and necessary training should be organised for authorities using X-Road.

The National Audit Office also recommended assessing the risks to the security of databases arising from the failure to enter into data service contracts and implementing activities to mitigate these risks. Consideration should also be given to adding the functionality of entering into data service contracts and petition management to make opening and using the data services of the X-Road portal less bureaucratic.

The National Audit Office recommended developing a system for auditing private legal persons using the X-Road services to ensure the integrity, confidentiality and availability of data. In addition, the National Audit Office recommended performing regular recovery tests on the central components of X-Road and documenting them. In the event of deficiencies, the necessary corrective actions must be taken.

Background:

X-Road is a technical infrastructure and environment that enables secure Internet-based data exchange with evidential value. 834 institutions have connected to X-Road as at 2 February 2021. In 2020, approximately 1.57 billion inquiries were made via X-Road. As at 1 December 2020, 200 public sector authorities (incl. local government authorities) and 525 private sector institutions had joined X-Road, and approximately indirectly 52,000 companies and institutions used X-Road services.

The audited period was the time from the beginning of 2020 when only version 6 of X-Road, including its solutions, legislations, guidelines, implements measures, etc., was available.

The audit was based on the current version of the X-Road Regulation (Government of the Republic Regulation no. 105 “Data Exchange Layer of Information Systems” of 23 September 2016).

The audit examined the organisation of work associated with X-Road and the rules for the development of X-Road at the Information System Authority. In addition, the organisation of work associated with X-Road was audited in the following authorities: Ministry of Education and Research, Ministry of Defence, Ministry of Economic Affairs and Communications, Ministry of Culture, Ministry of the Environment, Ministry of Rural Affairs, Ministry of Foreign Affairs, the Tax and Customs Board, Road Administration, Health and Welfare Information Systems Centre, IT and Development Centre of the Ministry of the Interior, IT Centre of the Ministry of Finance, and Centre of Registers and Information Systems. In addition, three local governments and three state-owned associations were examined: Pärnu, Tartu and Tallinn City Governments, and Elering AS, OÜ TS Laevad and State Forest Management Centre, respectively.

 

 

Priit Simson
Head of Communications of the National Audit Office of Estonia
+372 640 0102
+372 5615 0280
priit.simson@riigikontroll.ee
press@riigikontroll.ee
http://www.riigikontroll.ee/

  • Posted: 3/2/2021 10:00 AM
  • Last Update: 3/2/2021 10:12 AM
  • Last Review: 3/2/2021 10:12 AM

Failure to check the level of security measures of private companies poses a security risk for the X-Road.

Information System Authority

Additional Materials

Documents

More News