Efficiency audit for IT-systems of state management strategic objects

Hackers' attacks at the end of 2016 and at the beginning of 2017 р. on governmental information and telecommunication systems, including Ministry of Finance in Ukraine, and State Treasury Department, caused vast delays in budgetary payments. They showed «sensitiveness» and insecurity of governmental institutions for cyber-attacks because of control absence of three main security measures, such as technical limitations for downloading programs, limited use of rights for local administrators, systematical software renewals. International experience shows these security measures of governmental IT-systems have to be the audit subject of state financial control authorities. The base of information technology audit was initiated in the studies of І.К. Drozd, S.V. Іvachnenkova, М.М. Benko, Ju.А. Кuxminskiy, А.V. Мamyshev. Simultaneously, the issue of IT-system state audit was examined in theoretical researches partially because there is no practice of such audit in Ukraine. That is why it is necessary to learn international practice of efficiency audit for IT-systems and world standards for establishments of state management sector. The research allowed to propose the methodology of efficiency audit for IT-systems for state institutions; the methodology provides planning and conducting the main procedures on the base of risk estimation of security threats for information systems. The author determines the peculiarities in security risk management for IT-systems by means of risk estimation of security components of IT-systems while conducting efficiency audit. The author sets the method of descending step-by-step detailing for audit estimation of IT-system risk management efficiency at strategic enterprises belonging to state management sector by means of adaptation of ISSAI standard norms. The paper proposes three possible options of management solution concerning IT-system risk management efficiency on the base of information about the risk levels according to the results of efficiency audit. To document the IT-system efficiency audit results the author develops the standard forms of auditor's working documents, that is, «Statement about information vulnerability and determining the category of protection», «Estimation of results and threats for activity». The further research of the issue of IT-system efficiency audit is to develop organizational actions as to carrying out the check-ups (by Account Chamber) of IT-system security at strategic enterprises belonging to state management sector.