IT security compliance of Norway’s public agencies ‘above average’

30/04/2015
Norway’s public administrations’ compliance with IT security rules and policies is above average, according to a study conducted on behalf of DIFI, Norway’s Agency for Public Management and eGovernment. The report is based on a survey of the state of software security in 20 government organisations. However, the report warns that few public administrations have a comprehensive IT security strategy.

Norway’s Direktoratet for forvaltning og IKT (DIFI) published the report on its website on 14 April. The study by Sintef, a Norwegian research firm, uses the Building Security in Maturity Model (BSIMM), a collection of software security best practices, to check how Norway’s public administrations handle IT security threats. As was to be expected, the public administrations are good at complying with laws, rules and guidelines, Sintef writes. However, the researchers found wide variation between public administrations, with the best having implemented 87 of BSIMM’s 112 best practices, and the worst just 9.

Furthermore, with regard to their strategy for IT security, systematic testing for problems and the ability to deflect attacks, they are “considerably worse” (than average), Sintef warned. The research firm also noted that there is room for improvement in training. “Public administrations do not routinely prepare for software security issues, cannot measure the impact this will have on their services and do not work systematically to identify and understand the risks.”

When it comes to software security, the public administrations depend on the interests and expertise of their developers, Sintef notes. “There are strong indications that there is still a distinction between ‘developers’ and ‘IT security specialists’; and too many developers seem to think IT security is a task for the IT administrators.”

More information: DIFI announcement (in Norwegian); Report (pdf, in Norwegian)