KOSOVO: Highlights of IT audit from SAI Kosovo
The National Audit Office of the Republic of Kosovo* has conducted an IT audit of the Civil Status Information System in the Civil Registry Agency. The Civil Registry Agency (CRA), an agency within the Ministry of Internal Affairs, is the main source of personal data of Kosovo citizens. This data is registered and kept in the civil status registry, attesting birth, family status, death, relationships and any changes that occur. Civil status data is administered through the information system, which has been developed on the .NET and SQL platform and interacts with other information systems in the public and private sectors for the exchange of data in electronic form, providing updated and timely information.
Figure 1: Data flow in the Civil Status System
The CRA must ensure the accuracy and completeness of the data recorded in the information system. Great importance should be given to protecting the confidentiality, privacy and integrity of the data.
Figure 2: Principles of information security
Our research for this IT audit and our analysis of Civil Status System (CSS) documents have identified shortcomings in the protection of personal data and in policies and procedures. The connection of the CSS to the unique address system has not yet been implemented, although it is an obligation arising from the implementation of recommendations from the European Reform Agenda program.
The review of problem indicators identified by various sources, as well as our evaluations based on the Active IT Audit Manual for identifying high-risk areas, direct us to the main problem: administering and securing the information in the CSS.
This audit aims to provide recommendations to the relevant parties in order to improve IT services.
The issues arising from the audit are related as follows.
Figure 3: Structure of audit issues/findings for CSS
The CRA has not established appropriate and functional Information Technology Governance mechanisms. The structure and controls in IT operations are not well defined, exposing the organization to the risk of not achieving its objectives and not ensuring the continuity of information systems.
The information protection and security system implemented in the CRA does not sufficiently guarantee system continuity and data integrity at all times. The users of the system do not guarantee that they have properly preserved data integrity and confidentiality in the information system.
Application controls implemented in the CSS do not ensure that only correct and valid data is entered and updated in the system. There is no connection between the CSS and the database of the Cadastral Agency for address registration.
In conclusion
The risks identified in IT governance, information security and application controls indicate that the CRA, which administers the CSS, and the end-user institutions of this system need improvements in order to assure citizens that data is protected and that the provision of electronic services to citizens is not interrupted. In this regard, we have given 27 recommendations.
* This designation is without prejudice to positions on status and is in line with UNSCR 1244/1999 and the ICJ Opinion on the Kosovo declaration of independence.