
New strategy: Six key initiatives for the Danish Agency for Digitisation

18-02-2015 News UK

The government's strategy for cyber and information security was published on 16 December 2014. The strategy presents 27 initiatives. The Agency for Digitisation is responsible for, and has already commenced implementation of, six of these initiatives.

The primary goal of the six initiatives with which the Agency for Digitisation has been tasked is to raise the level of security across all government authorities. The Agency for Digitisation is in the process of preparing action plans for the six initiatives that are to be addressed in 2015 and 2016. The Agency will consult external stakeholders during this process to ensure relevant input from experts and specialists in order to find the best solutions.

Enhanced information security with the ISO27001 information security standard

Of the six initiatives, the initiative to implement the ISO27001 information security standard is the most important. All government authorities must implement and work systematically with security concerns in their daily processes.  All authorities must therefore have implemented the internationally recognised information security standard, ISO27001, by early 2016. Efforts to implement the standard are already underway in the authorities, and the Agency for Digitisation is offering its assistance with guidelines and tools.

The Agency's six initiatives in the strategy

1. Implementation of the information security standard ISO27001 and tightened IT supervision and inspection
2. Security risk assessment in public-sector IT projects
3. Common public-sector coordination of information security concerns
4. Security requirements in tendering procedures and contracts in the IT area
5. Continuous follow-up on security-related supplier management
6. Greater information security awareness among citizens

The desired result is that all public authorities establish fixed procedures structuring their information security efforts. This includes carrying out systematic risk assessment and establishing an organisational structure in which the top management is involved in prioritising security concerns. This will ensure that the information security management of the individual authority takes place within a fixed framework and is included in all contexts. This will allow the individual authority to discover possible vulnerabilities and, hopefully, experience fewer security-related incidents in which sensitive personal data is exposed.

As a natural continuation of work with the ISO 27001 standard, it is important to carry out thorough IT supervision and inspection of the ministerial areas of responsibility. The individual ministry is responsible for this supervision and inspection, and the Agency for Digitisation will prepare a joint concept which all ministries will be obliged to use unless special circumstances prescribe otherwise. The Agency for Digitisation will include relevant stakeholders in this work, in particular through SISF, the state's information security forum (Statens Informationssikkerhedsforum).

Information for companies and individuals

Another important initiative addresses the need for increased information security awareness. It is important that everyone is appropriately informed about information security needs. Therefore, communication efforts aimed at citizens throughout Denmark will be strengthened. An information security campaign targeting companies and individuals will be conducted along with efforts concerning IT security in primary and lower secondary schools. It is important that stakeholders with extensive outreach throughout Denmark work together, and the Agency for Digitisation will therefore aim to realise these efforts in collaboration with relevant public-sector and private-sector partners. The objective of the campaign is to make companies and individuals more aware of relevant security threats and to make them better able to protect their data and technology; e.g. by avoiding disclosing their bank account data to criminals who prey on individuals for such sensitive data. The collaborative efforts also include participation from individuals and companies, who themselves share in the responsibility for securing their data and technology.

 

| Initiative | Objective | Impact |
| --- | --- | --- |
| 1. Implementation of the information security standard ISO27001 and tightened IT supervision and inspection | Professionalise information security work | This will ensure that the information security management of the individual authority takes place within a fixed framework and is included in all contexts. This will allow the individual authority to discover possible vulnerabilities and, hopefully, experience fewer security-related incidents in which sensitive personal data is exposed. |
| 2. Security risk assessment in public-sector IT projects | Implement security risk assessment in public-sector IT projects | In this way, any serious risks in the project will be dealt with on the basis of a risk assessment. This will ensure more secure IT solutions and will minimise security flaws such as loss of data. |
| 3. Common public-sector coordination of information security concerns | Improve common public-sector coordination, knowledge sharing and incident management | If an incident is discovered, knowledge will be disseminated throughout the public sector and more public bodies will be able to protect themselves against similar incidents. This will help minimise the risk of leakage of critical data. |
| 4. Security requirements in tendering procedures and contracts in the IT area | Ensure systematic security requirements in IT tendering and contracts | As a result, the public sector will have a uniform level of security across government authorities. This means that security requirements will be incorporated in all IT contracts. This will minimise the number of security incidents. Furthermore, suppliers can standardise their security work for public authorities. |
| 5. Continuous follow-up on security-related supplier management | Regularly follow up on requirements for external suppliers | This will ensure that suppliers live up to the security requirements in contracts, and the likelihood of IT supplier scandals will be reduced. |
| 6. Greater information security awareness among individuals and companies | Raise the level of security awareness among individuals and companies in Denmark | Companies and individuals will become more aware of relevant security threats and will be better able to protect their data and technology; e.g. by avoiding disclosing their bank account data to criminals who prey on individuals for such sensitive data. The collaborative efforts also include participation from individuals and companies, who themselves share in the responsibility for securing their data and technology. |

 

Read the complete strategy (pdf)