Although basic security measures are generally implemented in the server rooms and supporting technical rooms of state institutions, risks arising from unsuitable microclimate, fire, water leakage or insufficient security should be mitigated in some places, the National Audit Office finds in its report published on Tuesday.
Having audited 11 state institutions, the National Audit Office discovered problems in ensuring the necessary conditions in the server rooms of several state institutions. For example, in several cases, the operation of cooling and ventilation equipment as well as fire, smoke and water leak detectors was not ensured with sufficient reliability.
In some of the server rooms observed, cooling was organized inefficiently, and some server rooms had no precision air conditioning equipment in use. In some of the audited institutions, combustible materials, such as cardboard boxes, were stored in the server rooms and their auxiliary rooms.
The National Audit Office made observations about the security of server rooms and office premises and the protection of security systems. In one of the audited institutions, the server room was not under alarm. The National Audit Office points out that leaving the office building partially unguarded increases the risk of unauthorized intrusion, leading to the risk of theft or manipulation of data and IT equipment.
The video surveillance system of another audited institution was not sufficiently protected, and the central unit of video surveillance was accessible to an excessively large number of users. In several institutions, the procedures did not specify the minimum period for retention of video surveillance recordings, and one authority had not specified the period for retention of access and security logs.
The National Audit Office points out that in the absence of an access and security log, it is not possible to get an overview of who has been in the server room and office premises and when, or of when technical surveillance has been activated. If logs and video recordings are not stored long enough, incidents of physical access become difficult to resolve.
In protecting the outer security perimeter of the buildings housing server rooms, there were problems with the protection of facilities necessary for the operation of the server rooms. For example, the outer perimeter of the building of one of the audited institutions was not covered with the necessary sensors.
In the organization of access management, the National Audit Office found problems in the implementation of both organizational and technical measures. For example, the server room of one of the audited institutions was accessed with single-factor authentication, using only an access control card. In another institution, it was possible to access the central unit of the access system with administrator rights from a security desk computer.
As a result of the audit, the National Audit Office made more detailed observations about the security of each audited institution and gave recommendations on how to improve the situation.