Experts of Lawful Interception and Security Standards
Lawful Interception Academy

Malta – Information Technology Audit Cyber Security across Government Entities

The National Audit Office (NAO) has issued an IT Audit report on Cyber Security across Government entities.

Ref: http://nao.gov.mt/en/press-releases/1/150/information-technology-audit-cyber-security-a

Ref: http://nao.gov.mt/en/about-us


The principal aim of this comprehensive report was to evaluate the level of adoption of selected Cyber Security controls across ten Government Entities, namely: Malita Investments p.l.c., Malta College of Arts, Science and Technology, Malta Competition and Consumer Affairs Authority, Malta Enterprise Corporation, Malta Freeport Corporation Ltd., Manoel Theatre, Commission for the Rights of Persons with Disability, Refugee Commission, Regulator for Energy and Water Services and Wasteserv Malta Ltd.

The aspects of cyber security reviewed by the NAO in the selected audit sites essentially dealt with critical issues such as the management of IT services; confidentiality and integrity of data; cyber security awareness; antivirus protection; business continuity and disaster recovery; IT hardware and software inventories; physical security; server monitoring and software access control.

Some of the key findings in this report include the following:

  • Small Government entities are opting to fully out-source their IT services despite lacking capacity to manage these out-sourced services;
  • Certain entities which do not have internal IT capabilities are opting for cloud hosting without seeking the necessary technical advice;
  • Only one of the 10 audited entities has a Data Retention and Storage Policy;
  • The NAO observed a general lack of cyber security awareness amongst users;
  • None of the audited entities has a formally written Business Continuity and Disaster Recovery Plan;
  • 50% of the entities audited do not have a software inventory;
  • In most of the selected audit sites, best practices are not being followed in terms of password complexity, password expiry, password history and the need to force the user to change his/her password upon first logon;
  • In many instances, offline mailboxes are not being duly backed up; and
  • Inadequate and insecure server environments.

The NAO recommended that all entities which have participated in this audit should review their IT operations with the support of their respective Ministry CIO, with the aim of improving their level of preparedness in the area of Cyber Security. Indeed, evidence in hand suggests that the recommendations listed in this report may, in some way or other, apply to all Government departments and entities and, thus, it is recommended that all entities follow the best practices listed in this document.

The functions and powers of the Auditor General and the role of the NAO are defined by Section 108 of the Constitution of Malta and the Auditor General and National Audit Office Act of 1997. The NAO audit competences are specified hereunder:

Central level: The NAO has the authority to audit the accounts of Central Government Departments and Offices and may examine whether such Departments and Offices have used the funds and resources available to them effectively, efficiently, and economically.

Local level: The audit of Local Government is also included within the mandate of the Auditor General as amplified and described in the legislation regulating Local Government.

Public bodies: The Office's mandate also includes the audit of Public Authorities and Corporations, and other public entities administering, holding, or using funds belonging directly or indirectly to the Government of Malta or where the Government of Malta owns not less than 51 per cent of the shares.

Private entities: The NAO is also empowered to audit Government assistance received by non-Governmental organisations.