Recommendations for Improvement of Security Requirements in Norwegian Public Procurements
Every year, the Norwegian government and its organisations acquire a large number of new IT systems. These must be bought through a well-regulated and rigid procurement process in which system requirements must be clearly formulated ahead of time. This is a particular challenge for security requirements, as changes to the system and technological development can quickly render such requirements outdated. This thesis investigates the security requirements of publicly procured IT systems and how they are affected by the procurement process. In total, 14 participants were interviewed to provide insight into three research questions: (1) How do procurers and suppliers view the current state of security requirements in public procurements? (2) What challenges exist when procuring IT systems, and how do they affect security requirements? (3) What recommendations can be given to improve the current state of security requirements in public procurements? The participants reported insufficient security focus and competence among both procurers and suppliers, and generally inadequate security requirements. Security requirements were often given low priority by both procurers and suppliers. While the procurement process was viewed as a good tool for ensuring fair competition, security requirements were dropped or weakened in order to attract enough bids, too few tenders were reported to use negotiated procedures, and the transparency demands were seen to affect security requirements in particular. The thesis gives four recommendations for improving the state of security requirements in Norwegian public procurements: (1) A negotiated procedure should be used when procuring IT systems. (2) Standardised checklists for security requirements should be developed. (3) Security competence must be retained within procuring organisations. (4) The security focus of the governmental standard terms and conditions (SSA) must be improved.
The main limitations of the study were the number of participants and the fact that participants were recruited from the personal networks of the author and advisors, and were thus not representative of the industry as a whole. Recommended further work includes an extended study with a random selection of participants, case studies of individual procurements, and the development of the recommended checklists.