More protection is needed for state institutions' server rooms as risks arising from "unsuitable microclimate, fire, water leakage or insufficient security" need to be mitigated, the National Audit Office (NAO) finds in its report published on Thursday.
Eleven state institutions were audited by the NAO which discovered problems with cooling, ventilation equipment, and fire, smoke and water leak detectors.
In some of the rooms, cooling was organized inefficiently, and there were server rooms that did not have precision air conditioning equipment in use.
Combustible materials, such as cardboard boxes, were stored in the server rooms and auxiliary rooms to the server room in some of the audited institutions.
One room lacked an alarm, which the NAO said increases the risk of unauthorized intrusion, leading to the risk of theft or manipulation of data and IT equipment.
In another, the video surveillance system of another audited institution was not sufficiently protected and available to a large number of people. Several institutions did not specify the minimum amount of time the recordings need to be kept.
One authority had not specified the period for the retention of access and security logs. This means it was not possible to know who had accessed the room.
If logs and video recordings are not stored long enough, it makes it difficult to resolve incidents of physical access.
There were also issues with the outer security perimeter of server room buildings. One had not fitted the necessary sensors.
Problems were also found with access management. For example, the server room could be accessed with one-factor authentication, using only an access control card. In another institution, it was possible to access the central unit of the access system with administrator rights from a security desk computer.
The NAO made more detailed observations about the security of each audited institution and gave recommendations on how to improve the situation.
Editor: Helen Wright