Only one state institution has an information security certificate

All institutions do not have enough human resources to prevent and deal with ICT security incidents, while 40 percent of institutions do not have a person responsible for information security appointed, the State Audit Office reported.

The total value of the contracts concluded in the field of information security of the ICT systems of all state institutions in the period from 1.1.2020 to 15.12.2023 is 6,1 million euros, announced the State Audit Office. However, at the same time, the auditors assessed that "institutions and bodies do not provide effective and complete protection of critical information systems due to the absence of legislation in the field of information systems security, non-compliance with European directives and insufficient staffing".

The SAO performed a performance audit on the topic "Effectiveness of the measures taken by the competent authorities for the protection of critical information systems".

"With the audit, an analysis of the responses on the state of IT management in the section of strategic documents as well as measures and standards for information security was performed, which showed that 53% of the institutions that answered the questionnaire did not approve the ICT strategy, while 40% they have not covered information security in the strategic documents at all. "Only one institution has a certificate for information security, while the prescribed documents for handling and responding to ICT incidents are absent in 27% of the institutions," said the SAO.

The auditors once again confirmed the unsatisfactory situation with IT staff in the administration.

"With the increase in the number of information incidents, the demand for qualified professionals who can protect ICT systems from increasingly sophisticated cyberthreats is increasing significantly, making the process of hiring them, and at the same time retaining and motivating existing staff, especially challenging and with increasing demand from this staff. From the answers to the questionnaires sent to the institutions about the state of human resources, the audit determined that not all institutions have enough human resources to prevent and deal with ICT security incidents, while 40% of the institutions have not appointed a person responsible for information security, in order to promptly reporting incidents and exchanging information about incidents, vulnerabilities, threats and risks related to the security of information systems to the National Computer Incident Response Center MKD-CIRT," the auditors wrote.

Regarding the National Cyber ​​Security Strategy 2018-2022, the auditors say that there are authorities that implement activities that are part of the Strategy, but there is a need for better coordination and inter-institutional cooperation.

The national regulator has promoted cyber security through its National Computer Incident Response Center. Incidents related to cyber security were reported in 145 entities, such as state institutions, banking, health, energy, transport and communication organizations," the auditor stated.
In the European Commission's report on North Macedonia for 2023, in chapter 10: Digital transformation and media, the country is assessed as moderately prepared in the field of digital transformation and media.

Dear reader,

Our access to web content is free, because we believe in equality in information, regardless of whether someone can pay or not. Therefore, in order to continue our work, we ask for the support of our community of readers by financially supporting the Free Press. Become a member of Sloboden Pechat to help the facilities that will enable us to deliver long-term and quality information and TOGETHER let's ensure a free and independent voice that will ALWAYS BE ON THE PEOPLE'S SIDE.


Video of the day