The IT Operations Inquiry (IT-driftsutredningen) recently presented its report on “Secure and cost-effective IT operations” with a special focus on the legal conditions for public sector outsourcing. The conclusion is that an amendment to the law is required in the Public Access to Information and Secrecy Act to simplify cloud operations, but the report also exposes extensive shortcomings in the information security work of the Swedish public sector.

A prerequisite for any outsourcing of IT operations, regardless of whether it is to Swedish, European or American providers, is that a risk assessment is made. Such a risk assessment requires knowing what information will be outsourced, and to know this, the information must first have been analyzed and classified.

To gain insight into the current situation, the IT Operations Inquiry carried out a survey of IT operations covering 200 government agencies, case studies of five agencies and a digital workshop with 16 agencies. The results are surprising.

All agencies state that they have classified parts of their information, but not all of it.

The report therefore states that “The biggest obstacles to secure IT operations are a lack of information classification and a lack of competence in IT and security”.

The report states that “the key to a flexible and cost-effective use of cloud services is a well-executed information classification” and that “a systematic information security work and information classification is the basis for being able to take the correct decisions.” It adds that “information classification as part of a systematic information security work is of central importance.”

The inquiry covers public sector IT operations, but since the GDPR has also been analyzed, the conclusions are relevant for the private sector as well. It is noted that any decision to outsource IT operations requires a risk analysis based on a completed information classification.

The GDPR also has its own requirements for the documentation of personal data processing and specifies in detail which metadata must be documented. The processing and storage of undocumented personal data, including personal data present in files and e-mails, is considered “a serious violation of the general principles of data protection” and is subject to the higher level of sanctions.

A well-implemented and continuously updated information classification is therefore a prerequisite for systematic information security work, for the use of cloud services and for compliance with the GDPR.

The report in Swedish: –rattsliga-forutsattningar-for-utkontraktering-sou_2021_1