Steering measures have been targeted to single agencies, but the need to control larger entities is continuously growing. In the future, a shared vision and shared goals will be of utmost importance in the preparation of the strategies. This document contains a summary of the main results of the audit. The entire audit report is available only in Finnish.
Conclusions and recommendations of the National Audit Office
The purpose of the audit was to ensure that the current steering system is developed in a manner that allows it to verify the necessary operational reliability and availability of electronic services to the public administration.
The audited entities included the authorities governing the operational reliability of electronic services (the Prime Minister’s Office, the Ministry of Finance, the Ministry of Transport and Communications). Functionality of steering was audited for the following authorities: the Prime Minister’s Office and the Government’s administrative services unit (VNHY), Government ICT Centre Valtori, the Population Register Centre, the Finnish Transport Safety Agency Trafi, the Enforcement Service and its performance guidance agency, the Ministry of Justice, and its ICT service centre, the Legal Register Centre.
Steering relations must be assessed and instructions must be updated to comply with the quickly changing needs of society
The Ministry of Finance and the Ministry of Transport and Communications have steered the continuity of services and operational reliability based on their own needs. The division of labour between the departments of the Ministry of Finance, such as the JulkICT department and the Government financial controller’s function, seems to overlap somewhat, which is reflected in the instructions and recommendations given by these departments. The steering measures of the ministries do not always reach the correct target groups within the agencies. For example, steering has focused on ICT services even though the correct target group would have been the party responsible for the agency’s services. Different authorities have interpreted the steering actions differently. The steering relations and responsibilities regarding electronic services need to be regularly revised in order to keep them compliant with the needs of a quickly changing society. Interpretations, particularly those concerning the sectors of the ministries, should be uniform. Furthermore, the steering measures should be more effectively coordinated.
Several strategies to ensure operational reliability have been prepared, but their steering power is poor in their current form. The relations between the strategies are unclear. A party responsible for implementation has only rarely been clearly named, and no schedules for the measures have been prepared. Monitoring of the implementation of the strategies and of the achievement of the goals has not been planned. In the future, a shared vision and shared goals will be of utmost importance in the preparation of the strategies.
Steering measures have been targeted to single agencies, but the need to control larger entities is continuously growing
Information security in central government has in practice been steered through VAHTI instructions issued by the Government digital security management board. The VAHTI instructions are known among the people responsible for ICT management in central government, but not necessarily in much detail, as the instructions are extensive. The VAHTI instructions are directed to specific authorities and they do not take into account new requirements and needs of the networked society. The VAHTI instructions should be clarified to make them easier to maintain and use, and updated to better correspond to the networked service production model. The Ministry of Finance has taken action to reform the structure of the VAHTI instructions. This work must be continued in a determined manner, and the content of the instructions must also be reformed.
Centralisation of data security and contingency planning competencies, management and technologies in Valtori was expected to secure a significantly higher level of data security and contingency planning than a distributed model. So far, Valtori has been unable to meet this goal. The implementation of centralised solutions requires careful planning, as well as skilful change and risk management. The problems with Valtori suggest that the preparation for the risks involved with the startup phase of Valtori was insufficient.
Centralised solutions would also require standardisation of the practices throughout central government. In May 2017, the Government financial controller’s function published a risk management policy model that is considered a recommendation, but the centralisation of functions would also require creating the prerequisites for risk management at the level of the administrative sectors and at the state level.
Costs and benefits of the securing of operational reliability and the adequacy of measures must be assessed in relation to risks
The authorities consider the reliability of their services an important issue, but the securing of operational reliability can rarely be seen in the performance agreements or strategies of government agencies. Furthermore, any goals of the administrative sectors on operational reliability or information security are usually targeted at the ICT units. An operational architecture and strategic service thinking would develop the planning of operational reliability and expand the perspective beyond information management.
Risk management measures that will improve operational reliability are being identified and implemented. The costs arising from these measures, the required resources and benefits in relation to the risks should also be assessed, however, and the effects of the measures should be monitored in order to make the securing of operational reliability more cost-efficient.
Transparency of supply chains must be ensured
Ultimately, the authorities carry the responsibility for the operational reliability and information security of their own services. If the authority is unable to select its own service providers, a transparent supply chain is a necessity. The state’s own service providers, such as Valtori and the Population Register Centre, must be able to provide reports and describe how continuity of the services has been secured and how any disturbances will be addressed. At present, communication in the supply chain is not fully functional and the supply chains are not transparent enough.
The authorities set requirements for the availability of information systems, but the limited service portfolio of Valtori has made it more difficult to take these requirements into account. Conducting negotiations with Valtori on information security of the services has been difficult. The customers are obligated by law to use the basic technology services provided by Valtori. The customers have a limited opportunity to influence the services provided by Valtori or the service portfolio.
Operational reliability of services throughout the change process must be secured in the case of major organisational or structural changes
Problems in the management of the continuity of services had been encountered by the audited organisations that had been formed as the result of major organisational changes. Responsibilities for disturbances, in particular, can easily remain unclear, which means that it will take longer to resolve the disturbances. Even though the planning of the change projects had emphasised the importance of the continuity of services, the risks had not been managed to a sufficient extent. The experiences of organisations that have been involved in change processes, those concerning operational reliability in particular, should be taken into account when planning organisational and structural changes in the future.
Recommendations of the National Audit Office
The Ministry of Finance must ensure that its departments and units continue the coordination and reconciliation of risk management and information management steering measures.
The Ministry of Finance must create procedures that will make the instructions meant to support practical operations, such as VAHTI, easier to use and maintain, as well as more responsive to changes in the operating environment.
The Ministry of Finance must plan and provide instructions on how the risk management practices are to be implemented in each administrative sector and at the state level, taking into account the different needs.
The Ministry of Finance must assess and correct its steering measures to improve the situation with Valtori and standardise the steering of the shared information and communications technology solutions and electronic services of central government.
The Ministry of Transport and Communications must ensure that the cooperation methods used by it offer a good starting point (a shared vision and commitment, etc.) for the success of (steering) measures that require actions from the organisations in the other administrative sectors. Furthermore, the ministry should plan the monitoring of its steering measures in compliance with the principles of continuous improvement.