TALLINN, 2 November 2023 – Although basic security measures are generally implemented in the server rooms and supporting technical rooms of state institutions, risks arising from unsuitable microclimate, fire, water leakage or insufficient security should be mitigated in some places, the National Audit Office finds in its report published today.
Having audited 11 state institutions, the National Audit Office discovered problems in ensuring the necessary conditions in the server rooms of several state institutions. For example, in several cases, the operation of cooling and ventilation equipment as well as fire, smoke and water leak detectors was not ensured with sufficient reliability. In some of the server rooms observed, cooling of the room was organised inefficiently, and there were server rooms that did not have precision air conditioning equipment in use. Combustible materials, such as cardboard boxes, were stored in the server rooms and auxiliary rooms to the server room in some of the audited institutions.
The National Audit Office made observations about the security of server rooms and office premises and the protection of security systems. In one of the audited institutions, the server room was not protected by an alarm system. The National Audit Office points out that leaving the office building partially unguarded increases the risk of unauthorised intrusion, which in turn creates a risk of theft or manipulation of data and IT equipment.
The video surveillance system of another audited institution was not sufficiently protected, and the central unit of video surveillance was accessible to an excessively large number of users. In several institutions, the procedures did not specify the minimum period for retention of video surveillance recordings, and one authority had not specified the period for retention of access and security logs.
The National Audit Office points out that, in the absence of access and security logs, it is not possible to establish who has been in the server room and office premises and when, or when technical surveillance has been activated. If logs and video recordings are not retained long enough, resolving incidents of physical access becomes difficult.
At the outer security perimeter of the buildings housing server rooms, there were problems with protecting the facilities necessary for the operation of the server rooms. For example, the outer perimeter of one audited institution's building was not covered by the necessary sensors.
In the organisation of access management, the National Audit Office found problems in the implementation of both organisational and technical measures. For example, the server room of one of the audited institutions was accessed with single-factor authentication, using only an access control card. In another institution, it was possible to access the central unit of the access control system with administrator rights from a security desk computer.
As a result of the audit, the National Audit Office made more detailed observations about the security of each audited institution and gave recommendations on how to improve the situation.
Background information
The aim of the audit was to assess whether the prescribed security measures are implemented in the server rooms, rooms necessary for the operation of server rooms and in office premises and whether risks are mitigated to an acceptable level. The following criteria were used as a basis for giving an overall audit assessment:
- Security measures ensuring the physical safety of rooms have been implemented in the server rooms of state authorities and in technical rooms necessary for the operation of server rooms.
- State authorities have implemented an internal control system, which mitigates the risk of unauthorised access to buildings and rooms to an acceptable level.
Institutions whose server rooms were included in the selection for expert assessment:
- State Infocommunication Foundation
- Information Technology Centre of the Ministry of Finance
- Tax and Customs Board
- Ministry of Rural Affairs (now Ministry of Regional Affairs and Agriculture)
- Agricultural Registers and Information Board
- Estonian Public Broadcasting
- Health and Welfare Information Systems Centre
- Information Technology Centre of the Ministry of the Environment (now reorganised under the Ministry of Climate)
- Centre of Registers and Information Systems
- Information Technology and Development Centre of the Ministry of the Interior, and
- Estonian Information and Communication Technology Centre.
Institutions whose office premises were included in the selection for expert assessment:
- State Infocommunication Foundation
- Estonian Information and Communication Technology Centre
- Ministry of Rural Affairs
- Agricultural Registers and Information Board
- Information Technology Centre of the Ministry of the Environment
- Centre of Registers and Information Systems
- Information Technology Centre of the Ministry of Finance
- Information Technology and Development Centre of the Ministry of the Interior, and
- Health and Welfare Information Systems Centre
The audit period was from January to June 2023.
Priit Simson
Head of Communications of the National Audit Office of Estonia
+372 640 0102
+372 5615 0280
[email protected]
[email protected]
http://www.riigikontroll.ee/
Posted: 11/2/2023 10:00 AM
Last Update: 11/1/2023 2:13 PM
Last Review: 11/1/2023 2:13 PM