Säpo

The Security Service’s protective security audit of the Transport Agency

2017-08-09

Anders Thornberg, Head of the Swedish Security Service, participated in a press conference on 24 July 2017 called by Prime Minister Stefan Löfven, in order to give an account of the Service’s protective security audit of the Transport Agency. The audit revealed shortcomings in the Transport Agency’s procurement procedures for the outsourcing of its IT operations.

The Security Service provides oversight and advice to civilian agencies, based on the Swedish Protective Security Act and Protective Security Ordinance.  However, each agency is itself responsible for ensuring that protective measures are in place.

“We have an important role as an oversight body for public agencies of critical importance to our country. We examine their operations and give them advice and support. In this capacity, we advised the Transport Agency to increase their protective security, as they were about to outsource some of their IT operations,” said Anders Thornberg.

As a result of its audit, the Service found that the Transport Agency had not fulfilled its protective security obligations, as it had not carried out and documented the required security analyses and security measures and had intentionally disregarded protective security legislation.

“Inadequately protected information must be regarded as having possibly fallen into the wrong hands. Although this has not necessarily happened, each agency concerned has to assume that it could have and take appropriate measures.”

What has happened is very serious but any possible effects on our Service can be handled. We will continue discussing this matter with the Transport Agency and supporting them in their work”, said Anders Thornberg.

Protective security: Protecting critical assets

About the audit

  •  In the summer of 2015, the Security Service was informed that the Transport Agency was in the process of outsourcing some of its IT operations to suppliers abroad.
  • The Security Service investigated the matter and began its audit of the protective security arrangements of the Transport Agency in September 2015.
  • The Security Service informed the Government Offices, from which it receives its remit, of the matter in September 2015.
  • In November 2015, a communication, “Recommendations for immediate measures to increase protective security”, was sent from the Security Service to the Director General of the Transport Agency
  • A criminal investigation into carelessness in handling secret information was initiated on 26 January 2016, headed by a prosecutor of the National Security Unit
  • Due to what had emerged in the investigation, the Security Service held a special interview in February 2016 with the Transport Agency’s Director General at that time
  • In May 2016, the Security Service reported the results of its audit to the Transport Agency
  • The Security Service officially concluded its audit in June 2017.