When the General Audit Office (AGN, for its acronym in Spanish) wanted to measure the "maturity and the risks" of the technology used by the National Institute of Statistics and Census (INDEC, for its acronym in Spanish) to handle its data, it found just that: risks and maturity; quite mature. According to the Audit's report, "the equipment, on average, is outdated by ten years, PCs, network connectivity tools, and servers are, for the most part, obsolete."
So much so that the auditors found some computers that "couldn't have the Institute's standard antivirus installed because of their low power, due to seniority, that prevents installation." The report, released this year on data from the end of 2009, added that, "to partially solve this problem, a 90-day trial version from a different vendor was installed."
"There are PC users who are administrators of their own computers," states the AGN, and explains, "This allows them to install, without supervision of INDEC's Information Technology Department, software that may contain viruses or whose license is not legal." This threatens the data network and, at the same time, exposes the Institute to possible legal sanctions.
Back to the Future
The Audit's report argues that "the data network of the Institute is outdated by three generations, putting at risk the information circulating in it." In fact, it adds, "it was not the newest technology when it first arrived for installation in 1993."
In the same way, the technicians defined the data network as "precarious, not only for its technological antiquity, but by lack of proper maintenance." Furthermore, the report records a "dispersion between different database technologies, some discontinued for years, preventing its integrity and compatibility" with the mechanisms of the Institute. The technicians also observed a "large number of operating systems that, because of their antiquity, can no longer count on the manufacturer's support."
Also, INDEC did not impose a unified standard format for the data, which complicates automated controls that centralize information from various sources.
For the Audit, the situation is "compounded by the lack of maintenance of the network, hardware, and software." This is due to the fact that "there are no policies or procedures to ensure that the system (technology) and maintenance are performed according to a defined and properly approved framework."
Moreover, the Institute has recognized that it does not have a complete and updated inventory of its computer equipment. From the data received, the AGN stated that "great diversity of technologies and platforms could be observed. The servers that deal with auxiliary tasks are powered-PCs that have excessive antiquity for the tasks they are providing."
The audit also highlighted an aspect of INDEC’s structure: "In terms of its organization, the IT subject is internally decentralized. Of the seven National Offices, which report to the first line of the entity, three have their own system development sector," says the report, and lists the following offices: Statistics External Sector; Price of Production and Trade; and Living Conditions, which is responsible for developing the consumer price index (IPC, for its acronym in Spanish).
These offices (autonomous computer structures, as put by the AGN) do not answer to the head of Computers at INDEC; on the contrary, they program, maintain, and operate their applications data "with a level of autonomy which prevents operation of an organic whole and causes additional risk to those already mentioned." The watchdog adds a fact: the actions of the autonomous offices are carried out "without complying with the requirements to ensure correct operation."
"The data center is located in a place that does not meet the minimum safety requirements; it does not have an automatic fire suppression and detection does not work due to lack of maintenance," explain the auditors, and also add that "the office has no technical floor, it is carpeted and in poor condition."
Furthermore, the AGN held that the provision of equipment does not facilitate maintenance work, and "there is a risk that an involuntary movement might disconnect the grid" of the equipment installed in offices.
The audit report (which devotes considerable space to clarifying that the procedures for calculation of indices and methods of data selection are not checked) analyzed INDEC's situation according to a framework known as Control Objectives for Information and Related Technology (COBIT).
From these parameters, it was concluded that "96.9% of the control objectives are at the lowest levels of the model and none reaches the minimum recommended value" in COBIT. Specifically, the AGN states that the average level of risk was at 74%, when the acceptable level does not exceed 20%.
Because INDEC's function is to collect large amounts of data and process them for national-level statistics, the Audit emphasized that "we recommend the careful use of best practices in Information Technology."