SLOVENIA: Efficiency of ensuring cybersecurity in the Republic of Slovenia, short audit resume
The Court of Audit of the Republic of Slovenia (hereinafter: Court of Audit) audited how the Republic of Slovenia ensures cybersecurity. This was the Court of Audit's first audit on the topic of cybersecurity. It started in 2019, three years after the Republic of Slovenia adopted its Cybersecurity strategy and a year after the Parliament of the Republic of Slovenia adopted its first act on cyber/information security, the Information Security Act.
The Court of Audit audited the efficiency of the Government, the Government Office for the Protection of Classified Information and the Ministry of Public Administration in ensuring cybersecurity. The audit focused on the efficiency of the realization of strategic goals and their planned measures. The audited period was from January 1st 2016 to September 30th 2019.
The Court of Audit found that the Government did not adopt an action plan or other operational document for the implementation of measures to ensure cybersecurity and also failed to provide resources to implement a cybersecurity strategy. The Government neither introduced any new cybersecurity awareness programmes nor introduced cybersecurity content into the education and training system; the only such programmes are those established more than a decade ago, which are still successfully run by non-governmental organisations (SI CERT, and similar).
The Government Office for the Protection of Classified Information carried out the assigned activities only to a very limited extent due to a lack of resources (both staff and finances). It participated in international cybersecurity exercises and in international working bodies and associations in the field of cybersecurity, but did not conduct a national cybersecurity exercise due to a lack of resources.
The Ministry of Public Administration did not prepare a draft or a proposal for an information security strategy. It produced an assessment of cyber risks but did not carry out an analysis of the situation in the field of cybersecurity on the basis of which it would assess needs and provide adequate resources. Furthermore, it did not provide concrete proposals for individual tasks to improve cybersecurity. The Ministry did not implement cybersecurity awareness programmes, but it did provide resources for the operation of the national CSIRT and prepared in-house courses on information security. It also participated in an international cybersecurity exercise and in international working bodies and associations in the field of cybersecurity. The Ministry did not fully monitor the provision of conditions and implementation of tasks in the field of cybersecurity in accordance with the Information Security Act, as the providers of essential services were not identified and determined.
The Court of Audit's opinion is that the auditees' activities regarding cybersecurity were not efficient in the audited period, despite intensified activities in 2019. The Court of Audit issued several demands and recommendations.
Audit infographic is available at