INFORMATIVE REPORT Riga /2012

Transcription

1 INFORMATIVE REPORT Riga /2012 Software management assessment in local governments and local government educational institutions Legal Justification of the Audit 1. According to the Section 2 of the State Audit Office Law and Audit Assignment No /2012 of December 3, 2012 of the Audit and Methodology Department, a legality audit Software management assessment in local governments and local government educational institutions was conducted. At the stage of audit planning, the understanding of information technology environment was obtained in 28 local governments in local governments of the cities of Riga, Ventspils, Jelgava and Jekabpils (Jēkabpils), Ogre region, Bauska region, Kekava (Ķekava) region, Ozolnieki region, Ikskile (Ikšķile) region, Saulkrasti region, Vecumnieki region, Iecava region, Plavinas (Pļaviņas) region, Vecpiebalga region, Jaunpiebalga region, Jaunpils region, Aluksne (Alūksne) region, Livani (Līvāni) region, Aloja region, Jekabpils region, Koknese region, Krustpils region, Cesvaine region, Rauna region, Rundale (Rundāle) region, Seja (Sēja) region, Skriveri (Skrīveri) region and Alsunga region. Of them, after the initial risk assessment audit inspections were continued in 14 local governments in local governments of the cities of Riga and Ventspils, Aluksne (Alūksne) region, Livani (Līvāni) region, Aloja region, Jekabpils region, Koknese region, Krustpils region, Cesvaine region, Rauna region, Rundale (Rundāle) region, Seja (Sēja) region, Skriveri (Skrīveri) region and Alsunga region. 2. The audit was conducted by Valdis Kalupnieks (Valdis Kaļupnieks), Information System Auditor, Liga Nagle (Līga Nagle), Information System Auditor, Anzelika Nikitina (Anželika Ņikitina), State Auditor-Lawyer and Janis Silinieks (Jānis Silinieks), Assistant. Objective of the Audit 3. The objective of the audit was to verify compliance of software recording and management with regulatory enactments, as well as to assess the effectiveness of software management in local governments and local government educational institutions. Accountability of the Auditors of the State Audit Office 4. The auditors of the State Audit Office are responsible for the audit report based on appropriate, reasonable and credible audit evidence obtained during the audit. Accountability of Local Governments 5. Local governments are responsible for compliance with the laws and regulations and truthfulness of information submitted to auditors.

2 Scope of the Audit 6. The audit was conducted in accordance with international auditing standards recognised in the Republic of Latvia. The audit was planned and conducted so to gain sufficient assurance regarding compliance of software recording and management with regulatory enactments, as well as the effectiveness of software management in local governments and local government educational institutions. 7. The audit was conducted for the period from January 1, 2011 to December 31, 2012.The audit procedures, after the software programs installed on the computer hardware were established, were conducted in local governments within the period from April to June The following was verified in the audit: 8.1. software management, establishing the software programs installed on the computer hardware and assessing the right to use them according to the license terms for software use or source documents regarding the purchase; 8.2. compliance of the organization of the management of information technology security with the requirements of the Law on Security of Information Technologies 1 ; 8.3. effectiveness of the management of information technologies, assessing whether the information technology environment is homogeneous, using small number of software programs for the fulfilment of one function, as well as assessing whether the software purchased by local governments is being used; 8.4. organization of accounting and control over the recording of expenditures related to information technologies, assessing the completeness of the register of computer hardware and software recording and the recording of expenditures related to information technologies according to the aim of performance of expenditures within the period from January 1, 2011 to December 31, In order to obtain audit evidence, the verification, assessment and analysis of documents and inspections of computer hardware were conducted in 14 local government administrations, five parish administrations, 16 libraries and 24 schools (in total in 59 institutions) (Annex 1), as well as responsible employees of local governments were interviewed. 10. Within the period from April to June 2013, 717 units of computer hardware were randomly inspected, recording the list of software installed on each unit of computer hardware. The number of the inspected units of computer hardware was determined randomly, without encompassing all of the computer hardware available in the local government, wherewith the obtained results are to be referred only to the number of inspected units of computer hardware, yet are sufficient to assess the organization of software management in the local government. 8,328 software programs were were found on the inspected computer hardware; of them 5,519 software programs were randomly inspected, of which 4,048 are free software programs and 1,471 are paid software programs. 11. As a result of the audit, 14 audit reports were prepared for the local governments and an informative report was prepared on the compliance of software recording and management with regulatory enactments, as well as the effectiveness of software management in local governments and local government educational institutions. 1 Section 1 and Section 8 of the Law on the Security of Information Technologies.

3 12. The informative report contains the main facts established and conclusions made in the course of the audit. Brief Description of the Audited Area 13. The head of an institution shall manage the administrative work of the institution by ensuring the continuity, effectiveness and the lawfulness thereof, as well as manage the financial, personnel and other resources of the institution and establish an internal control system of the institution, supervise and improve it Local governments and local government institutions shall administer the financial resources and property rationally actions shall be such as to achieve objectives with the minimum use of financial resources and property Local governments have the duty to manage the local government movable and immovable property rationally and efficiently and in conformity with the approved local government budget, use the local government financial resources rationally and efficiently 4. Protection of intellectual property 16. A computer program is a protected copyright object, which is prohibited from being used, unless the permission of the rightholder is received 5. To obtain the right to use, the user of the computer program, for each type of use of the computer program and each time it is to be used, has to receive the permission of the rightholder in the form of a licensing agreement or a license prior the use of the computer program The rights of the user of the computer program or the terms of use of the computer program are determined by the software license. A licence constitutes permission to use a particular work in such a way and in accordance with such provisions as are indicated in the license 7. Organization of the management of information technology security 18. In order to improve the security of information technologies, the Law on the Security of Information Technologies has been developed, specifying the most important requirements for the organization of information technology security of state and local government institutions The management of the security of information technologies of local government institutions shall be ensured by the head of each relevant institution The Information Technologies Security Incidents Response Institution promotes the security of information technologies in the Republic of Latvia, and state and local government institutions have a duty to co-operate with the Information Technologies 2 Section 17, Part one and Part two, Paragraph 1 and 6, Section 30, Part two of the State Administration Structure Law. 3 Section 3, Paragraph 1 of the Law on Prevention of Squandering of the Financial Resources and Property of the Public Entity (title of the law in edition of ). 4 Section 14, Part two, Paragraph 3 and 6 of the Law on Local Governments. 5 Section 40, Part one of the Copyright Law. 6 Section 40, Part one, two and three, Section 41, Part one and Section 42, Part one of the Copyright Law. 7 Section 42, Part one of the Copyright Law. 8 Section 1, Part one and Section 8 of the Law on Security of Information Technologies. 9 Section 8, Part one of the Law on the Security of Information Technologies.

4 Security Incidents Response Institution, providing it with the necessary information and implementing its lawful requests In accordance with the information published by the Information Technologies Security Incidents Response Institution 11 : in 2012, 4,798 high-priority security incidents related to the use of computer viruses and malicious software programs were registered in Latvia; outdated and unsafe software programs are often installed on computer hardware; in 2011, 110 different vulnerabilities of Microsoft software programs were registered. Software management 22. Regulatory enactments do not determine any principles of management of information technologies at an institution, therefore in order to assess the organization of the management of information technologies, the standards of good practice in management of information technologies, which are recommended to be used by the Information Technologies Security Incidents Response Institution, were used during the audit 12 : to assess the management of information technologies COBIT standard was used 13 ; to assess the processes of information technologies ITIL standard 14, on how to perform planning and management of information technology services, reducing the costs of information technologies. 23. On April 8, 2014 maintenance and technical support of operation system Window XP and office software Office 2003 will be discontinued 15 : development of software security patches will not be ensured; both paid and free technical support will not be available; online solution of technical problems will not be ensured; compatibility of software programs developed by third parties with these products will not be ensured, for instance, development of device drivers. Organization of accounting 24. The accounting shall clearly reflect all economic transactions of the local government. Accounting shall be conducted so that a third person qualified in the area of accounting may obtain a true and clear representation of the financial position of the local government at the date of the balance sheet, the results of the activities thereof, as well as be able to determine the beginning of each economic transaction and trace its course Section 4, Part one and four of the Law on the Security of Information Technologies. 11 CERT.LV publication Chain of Spreading of Computer Viruses (Internet page: CERT.LV statistics data (Internet page: (resource viewed on: )). 12 Information Technologies Security Incidents Response Institution (CERT>LV), IT security standards (Internet page: (resource viewed on )). 13 COBIT description (Internet page: (resource viewed on )). 14 ITIL description (Internet page: (resource viewed on )). 15 Microsoft Internet page (Internet page: (resource viewed on )). 16 Section 2 of the Law On Accounting.

5 25. The accounting information provided shall be truthful, comparable, timely, significant, understandable and complete. If codes, abbreviations, single letters or symbols are used in the accounting records, explanations shall be provided thereof Budget institutions shall record all long-term investments, current assets and liabilities existing in and falling under the ownership, possession and holding thereof. Long-term investments shall be recognized, if it is credible that the budget institution uses them to ensure fulfilment of functions, the period of useful utilisation thereof exceeds 12 months following their acceptance into operation (exploitation), as well as the expenditures thereof can be credibly assessed Long-term investments (fixed assets and intangible investments) and stocks used by the budget institution in accordance with lending contracts shall be recorded on the belowline account Leased assets 19. According to the regulatory enactment 20, a lending contract (a loan for use) is a contract by which property is transferred without compensation, but for a specific use, with the condition that the same property is returned. The subject-matter of a lending contract may be either movable or immovable property. 28. The classification of budget expenditures by economic categories, which are applied in planning of budgets set by the regulatory enactments in the field of budget and finance management, is determined in recording (according to the principle of cash flow and accumulation) and preparation of reports by the regulatory enactment 21. On organization of information technology environment in local governments 29. The function of information technology support, which comprises maintenance of computer hardware diagnostics of computer hardware and replacement of damaged parts, and administration thereof preparation of a workstation for operation, installation of software, installation of the newest versions and management of user rights, shall be ensured in local governments and local government educational institutions the following way: centralized way maintenance of information technologies in the local government and all local government institutions is ensured by one provider of information technologies by local government workers or an outsourcing provider contracted by the local government; decentralized way maintenance of information technologies in the local government administration is ensured by local government workers, whereas in educational institutions by the worker of the educational institution in cooperation with the worker of the local government administration. 30. Local governments participated in the public library development project Trešais tēva dēls 22, within the framework of which local government public libraries of Latvia were supplied with computer hardware and software. Administration of the computer hardware 17 Section 2 and 6 of the Law On Accounting. 18 Paragraph 2 and 10 of the Regulations of the Cabinet of Ministers No.1486 of Procedures According to which Budget Institutions Maintain Accounting Records. 19 Annex 1, Paragraph 299 of the Regulations of the Cabinet of Ministers No.1486 of Procedures According to which Budget Institutions Maintain Accounting Records. 20 Civil Law, Part Four: Obligations Law, Section 1947 and Paragraph 1 and Annex of the Regulations of the Cabinet of Ministers No.1031 of Regarding Classification of Budget Expenditures by Economic Categories. 22 Public library development project Trešais tēva dēls (Internet page: (resource viewed on )).

6 supplied within the framework of the project Trešais tēva dēls is carried out by the state agency Culture Information Systems, whereas the local government ensures its maintenance in working order. 31. At the stage of audit evidence, 14 local governments were visited: as of December 31, ,329 workers were employed and 13,068 units of computer hardware were installed (Annex 1); in 11 local governments, the computer hardware was not linked together into a shared centralized computer network, but rather into separate local computer networks, and the users thereof used the accounts of local computer users for authentication in computer hardware In the local government administrations of the cities of Riga and Ventspils, as well as Livani region, the computer hardware was linked together into a shared centralized computer network, whereas, the computer hardware in the institutions of these local governments was linked together into separate local computer networks. 32. On the computers of the local government and local government educational institutions, depending on the computer hardware performance and financial resources of the local government allocated for provision of information technologies, both free and paid software programs are used. In most of the cases, paid software licenses were purchased as OEM licenses along with the new computer hardware. 33. In local governments, the expenditures related to information technologies are mostly planned only within the framework of the current budget year, including expenses for the most crucial services of the maintenance of information technologies that pass from year to year, as well as providing for minimum replacement of computer hardware (three to five years) in case of damages or functional inability of the computer hardware. Summary of the Audit units of computer hardware, on which 8,328 software programs were installed, were randomly inspected in local governments and local government educational institutions. Of them, 5,519 software programs were randomly inspected, of which 4,048 are free software programs and 1,471 are paid software programs. In the audit, the right to use the software installed, management of information technology security, effectiveness of software management and accounting of expenditures related to information technologies was assessed. The right to use software 35. Since 73% of randomly selected software programs used in local governments are available free of charge, the terms of software developers for free software use were assessed in the audit. In the audit, it was established that in 15% of cases the local governments use software, the use of which in a local government or local government educational institution is prohibited in accordance with the software licensing terms or the free trial period of software, after which in order to continue using the software, the local government has had to purchase the right to use, has expired (Annex 2). 36. Most of the cases (58%) of free software use contrary to the licensing terms was established in local government educational institutions, in comparison in local government administrations 35%. According to the auditor s calculation, the cost of

7 free software programs, the use of which in local governments is not provided for by the license terms, would be Ls 9, Having assessed source documents for 1,471 paid software programs, which were installed on computer hardware inspected in local governments, it was established that in 24% of cases the software with the value of Ls 35,571, whose right to use in the local government cannot be proved by the source documents, is used. Problems in presentation of source documents were mostly (56% of cases) established in local government administrations and parish administrations, whereas in educational institutions in 37% of cases. 38. When explaining non-availability of source documents, the local governments drew attention to the problems of adoption of accounting documents during the administrative territorial reform in 2009, as well as drew attention to that the time period for storage of accounting source documents is five years 23. Wherewith, local governments have not assessed the need for further storage of source documents, if the use of a particular software program or computer hardware, which includes software, is continued. 39. In total, 975 software programs or in 18% of cases of the software programs included in the audit selection, the software is used without complying with the requirements set in the software licensing terms or on the purchase of which no source documents are available. 40. The problems were established in all visited local governments (see Picture 1). According to the auditor s calculation, the software with the value of Ls 45,076 is used violating the norms in protection of intellectual property rights 24, harming the image of the local government, as well as putting the local government under the risks, which occur when computer programs are used without the certification of the right to use or without complying with the licensing terms 25. % Figure 1. The proportion of software lacking a permit to use in local governments (in percentage form). 41. While assessing the circumstances that promote unlimited installation of software on the users computer hardware, several crucial control deficiencies are to be mentioned: computer hardware users are granted unlimited rights or administrator rights to work with the computer hardware, which allow users to perform installation of software independently. With exception of the city of Riga, city of Ventspils, local 23 Section 10 of the Law On Accounting. 24 Copyright Law. 25 Methodical Aid of BSA TheSoftwareAlliance and State Revenue Service of the Republic of Latvia Recommendations for the Use of Licensed Computer Programs" (with amendments of ). Methodical aid is published on the Internet page: (resource retrieved on ).

8 government administrations of Livani region and Koknese region, in the administrations of the remaining ten local government administrations it was established that in 80% to up to 100% of cases the users use unlimited access rights for everyday work; on average, every third user in local government administrations uses the same user name, for instance, administrator, lietotajs, user, which hinders controlled approach to different information technology resources and information of the institution. In the local government administrations of the city of Riga, city of Ventspils and Livani region the control is ensured, as well as unique user names have been assigned to the computer hardware for the access of the users; the access to every third computer in local government administrations and every second computer in educational institution or library is not restricted by the need of a password. Password control is ensured in local government administrations of the city of Riga, city of Ventspils, Livani region and Aloja region; in nine local governments, in the computer hardware the file exchange software 26, with the help of which users can download movies, music, software, as well as other copyright objects available in the Internet environment, thus increasing the risk of using non-licensed software, was established. 42. In general, in local governments and local government educational institutions antivirus solutions are used to protect the computer system from viruses and security threats, however, in 10% of cases no antivirus software was installed on the computer hardware, or the license period of the antivirus software has expired, or the latest update of the antivirus database has not been received for over a month. In five cases, malicious software or malware 27, which can be used for prohibited purposes, for instance, infecting computer hardware with viruses, was installed on the computer hardware, the software might have trapdoors for illegal remote administration of the computer hardware, builtin keyboard readers or for software password reading. Management of information technology security 43. In local governments, deficiencies were also established in management of information technology security, since the basic requirements set in the regulatory enactment 28 are not complied with in this field: in seven local governments, the workers responsible for management of information technology security were not appointed; in nine local governments, regulations on the security of information technologies were not developed; in nine local governments, briefing of the workers on the issues of information technology security was not carried out; in ten local governments, inspections of information technology security were not carried out; in five local governments, training organized by the Security Incidents Response Institution on the issues of information technology security was not visited. 26 Software programs DC++, Bittorrent, μtorrent. 27 Publication by the developer of antivirus software Kaspersky Security ABC (Internet page: (resource retrieved on )). 28 Section 1, Part one, Section 2, Part one and Section 8, Part one, Part two, Part three, Clause 2, 3 and 4, Part four of the Law on the Security of Information Technologies.

9 44. Deficiencies in management of information technology security cause a risk that the threats to the security of information technologies are not timely forecasted and eliminated, and threats are caused to the operation of information systems of the local government and local government institutions, duly and to the data protection. Effectiveness of software management 45. Coordinated management of information technologies and fulfilment of processes is more effective, if a software accounting register, which comprises the full range of software programs used in the local government, is used in maintenance of information technologies and planning of costs, as well as if minimum number of user programs is used for fulfilment of one function on the computer hardware In most of the local governments, with exception of local governments of the cities of Riga and Ventspils, Aluksne region, Rundale region and Seja region, the only register that contains information on the software purchased in the local government is the inventory listslist of intangible investments. It was established that the stock list of intangible investments used in local governments is incomplete and cannot be used for software management, since it does not include the whole software used in the local government and its installation on particular computers, does not contain information on the software purchased together with the computer hardware and included in its composition; thus, the accounting information cannot be used as a software register. It was established that in 33% of cases, the stock lists of intangible investments included technologically outdated software, which is not used in local governments. 47. Even though the maintenance, administration of homogeneous software environment and incident elimination requires smaller investment of resources, in the local governments it was established that on average two or three different software programs or the versions thereof are used for fulfilment of one and the same function. For instance, at the institution it was established that in order to protect the computer hardware from computer viruses even 11 different antivirus software programs or the versions thereof are used. Wherewith software management in local governments is not effective enough. 48. In the audit, it was established that 38% of the computer hardware inspected in the audit use Microsoft software, for which, in accordance with the information provided by the software manufacturer 30, the maintenance and provision of technical support will be discontinued on April 8, 2014, which means that the software will have no available security patches, in order to eliminate software vulnerabilities, as well as compatibility with the software programs developed by other software manufacturers will not be ensured. Accounting of expenditures related to information technologies 49. Organization, control of accounting and exchange of information in assessment of expenditures related to information technologies is incomplete, as a result of which in the accounting: expenditures related to information technologies in the amount of Ls were incorrectly recognized long-term investments with the total accounting value of Ls 467,413 were recorded, which are impossible to be identified by a qualified third person without 29 ITIL Standard, Chapter Service Design, Sub-chapter 5.3 Application management; ITIL Standard, Chapter Service Operation, Sub-chapter 6.5 Application management. 30 Microsoft Internet page (Internet page: (resource viewed on )).

10 consideration of source documentations, the composition of which is impossible to be determined or for the fulfilment of which functions they are required; in six local governments, the computer hardware received for unlimited use was not recorded on the below-line account of the local government accounting In 10 local governments, long-term investments were not recognized 31, without recording the home page of the local government in the accounting recommendations were provided to local governments during the audit; as a result of implementation of these recommendations: the use of software in compliance with licensing terms will be ensured, eliminating violations of intellectual property rights and risks 32, which occur when computer programs are used without permission management of information technology security will be improved, complying with the basic requirements for management of information technology security set in the regulatory enactment 33 and reducing the threat to the operation of information systems of the institution, data protection and security; improvement of the effectiveness of information technologies will be improved in long-term perspective; organization of accounting will be improved in performance of recording of computer hardware and software, ensuring clear and true representation of longterm investments of information technologies owned and used by the local government. 31 Paragraph 10 of the Regulations of the Cabinet of Ministers No.1486 of Procedures According to which Budget Institutions Maintain Accounting Records. 32 Methodical Aid of BSA TheSoftwareAlliance and State Revenue Service of the Republic of Latvia Recommendations for the Use of Licensed Computer Programs" (with amendments of ). Methodical aid is published on the Internet page: (resource viewed on ). Section 8 of the Law on the Security of Information Technologies.