The Supreme State Audit Office has assessed that the e-Taxation system of the General Directorate of Taxation still exhibits deficiencies in several aspects, making it exposed to potential cyber risks.
In a dedicated audit, the auditors highlight that although important steps have been taken towards improving cybersecurity in Albania, the audit highlighted the immediate need to strengthen and harmonize the legal and regulatory framework, particularly with regard to the implementation of security measures in critical and important information infrastructures.
"Legal inconsistencies, lack of training and documentation for end users, as well as gaps in specialized human resources, both in the Cyber Monitoring and Protection Directorate and in the Data Security sector, significantly increase exposure to cyber risks and limit incident response capacity," the audit summary states.
The same judge believes that from a technical perspective, the audit identified a lack of documentation and insufficient environmental controls in the event of floods or fires at the Government Data Center.
"Also, in the eTaxation system, the lack of data encryption, irregular review of logs, and the lack of controls for external access by third parties pose a threat to information security," the audit highlights.
According to the SAI, what is striking is the failure to fill all the positions foreseen in the staffing list where vacancies appear.
Specifically, the Directorate of Monitoring and Cyber Protection for e-Gov Systems and Infrastructures, located at the National Agency for the Information Society, is understaffed and currently operates with only 15 employees out of the 29 foreseen in the organic structure.
"Also, at the General Directorate of Taxation, the attached ICT structure of the National Agency for the Information Society has an approved staff of 41 employees, including the Data Security Sector with 3 approved positions. However, this sector is completely unfilled and all positions are vacant," the audit states.
Based on these findings, the SAI has recommended a series of measures that should be taken by both Taxes and the National Agency for the Protection of Information and Communications Technology (NASHI) regarding increasing cybersecurity.
