National Audit Office

General Public Services February 2017

Information Technology Audit: Cyber Security across Government Entities

Press Release

The National Audit Office (NAO) has issued an IT Audit report on Cyber Security across Government entities.

The principal aim of this comprehensive report was to evaluate the level of adoption of selected Cyber Security controls across ten Government Entities, namely: Malita Investments p.l.c., Malta College of Arts, Science and Technology, Malta Competition and Consumer Affairs Authority, Malta Enterprise Corporation, Malta Freeport Corporation Ltd., Manoel Theatre, Commission for the Rights of Persons with Disability, Refugee Commission, Regulator for Energy and Water Services and Wasteserv Malta Ltd.

The aspects of cyber security reviewed by the NAO in the selected audit sites essentially dealt with critical issues such as the management of IT services; confidentiality and integrity of data; cyber security awareness; antivirus protection; business continuity and disaster recovery; IT hardware and software inventories; physical security; server monitoring and software access control.

Some of the key findings in this report include the following:

• Small Government entities are opting to fully out-source their IT services despite lacking capacity to manage these out-sourced services;

• Certain entities which do not have internal IT capabilities are opting for cloud hosting without seeking the necessary technical advice;

• Only one of the 10 audited entities has a Data Retention and Storage Policy;

• The NAO observed a general lack of cyber security awareness amongst users;

• None of the audited entities has a formally written Business Continuity and Disaster Recovery Plan;

• 50% of the entities audited do not have a software inventory;

• In most of the selected audit sites, best practices are not being followed in terms of password complexity, password expiry, password history and the need to force the user to change his/her password upon first logon;

• In many instances, offline mailboxes are not being duly backed up; and

• Inadequate and insecure server environments.

The NAO recommended that all entities which have participated in this audit should review their IT operations with the support of their respective Ministry CIO, with the aim of improving their level of preparedness in the area of Cyber Security. Indeed, evidence in hand suggests that the recommendations listed in this report may, in some way or other, apply to all Government departments and entities and, thus, it is recommended that all entities follow the best practices listed in this document.
