Procedures and regulations for approval of IT-systems within the Swedish Armed Forces

Authors:

  • Amund Gudmundson Hunstad

Publish date: 2018-02-19

Report number: FOI-R--4526--SE

Pages: 29

Written in: Swedish

Keywords:

  • IT-security
  • accreditation
  • authorization
  • information security declaration
  • IT-process of the Swedish Armed Forces
  • informal inspection

Abstract

Requirements for the Swedish Armed Forces' approval of IT-systems from an IT-security perspective are set by procedures and regulations, which contribute to reliable and relevant IT-system approvals. FOI arranged an IT-defence focused day of seminars on the 8th of November 2017, during which observations indicating deficiencies and difficulties within the cyber security domain were made. With these observations as a starting point, this report describes the scope of approval in terms of normative regulations and how three different procedures for handling approval of IT-systems have been developed within the Swedish Defence Materiel Administration and the Swedish Armed Forces. The three procedures are compared on a general level. The study concludes that procedures and regulations are requisites, but it is not obvious that their usage leads to immediate and reliable decisions of approval. Procedures and regulations focus on confidentiality, while availability and integrity are also necessary for adequate and relevant security.