Instituto Nacional de Tecnologías de la Comunicación
In collaboration with:
This publication belongs to the Instituto Nacional de Tecnologías de la Comunicación (INTECO) and is released under a Creative Commons Spain 2.5 Attribution Non-commercial license, so copying, distributing and displaying this work is permitted under the following conditions:
• Attribution: the content of this report may be reproduced in whole or in part by third parties, provided the source is specified and both INTECO and its website, www.inteco.es, are expressly cited. This attribution may in no event suggest that INTECO endorses the third party or the use made of its work.
• Non-commercial use: the original material and any derived works may be distributed, copied and displayed provided that this is not for commercial purposes.
When the work is reused or distributed, its license terms must be made clear. Some of these conditions may not apply if permission is obtained from INTECO. Nothing in this license impairs or restricts INTECO's moral rights.
Full license text:
http://creativecommons.org/licenses/by-nc/2.5/es/
TABLE OF CONTENTS
1 Introduction
1.1 Presentation
1.2 Study on Information Security and e-Trust within Local Organisations
1.2.1 Overall Objectives
1.2.2 Framework of Reference
8 Annexes
8.1 List of Participating Experts
List of tables
1 INTRODUCTION
1.1 Presentation
This report, produced by the Instituto Nacional de Tecnologías de la Comunicación (INTECO, National Communications Technology Institute), has as its main objective to analyse for the first time the state of information security and e-Trust in Local Public Organisations in Spain. The report identifies the main risks to which Local Administration information and communication systems are exposed, and proposes security management and e-Trust practices that should be adopted to guarantee the confidentiality, integrity and availability of information relating to citizens and companies, as well as of communications with these users and with other organisations.
The study has been produced with the support of the Federación Española de Municipios y Provincias (Spanish Federation of Municipalities and Provinces); with the participation of staff working in the field of information security in Local Government (politicians, technical staff and administrative personnel in the Town Councils, Provincial Governments and Island Departments); with the views of well-known experts from both the public and the private sector, consulted to identify best practices in security management and e-Trust; and with the collaboration of three major companies manufacturing and supplying computer security solutions on a global scale: McAfee, Symantec and Trend Micro.
• To identify new fields and lines of action for introducing advances in security
programs and tools that will improve information security within Local
Government.
The analysis carried out has taken into account the differentiating features of the
organisations involved in terms of size (number of inhabitants in the respective
municipalities) and the territory within their remit (in the case of Provincial Governments,
Island Departments and autonomous cities).
http://www.inteco.es
culture of information security and e-Trust by defining trends that will be of use in future
decision-making by public authorities.
To achieve this, the Observatory has designed an Activities and Studies Plan with
particular emphasis on Internet security; monitoring the main indicators and public policies
related to information security and confidence in the national and international contexts,
building a database enabling analysis and evaluation of security and confidence from a
temporal perspective, and assessing Public Administration in matters of information
security and confidence, supporting the production, monitoring and evaluation of public
policy in this context.
http://observatorio.inteco.es
http://www.femp.es
2 METHODOLOGICAL DESIGN
The analysis was based purely on primary information sources: personal interviews with experts and professionals in the field, and surveys of the administrative and technical staff and general users of Local Administration information systems.
A total of 520 Local Governments took part: 471 Town Councils and 49 Provincial Governments and Island Departments.
[1] INE, Classification: Relación de unidades poblacionales (List of population units). www.ine.es
Municipalities: by stratum
Participation was also high in each of the strata, as Table 3 shows, which makes it possible to analyse differences in the security measures and the information security and e-Trust practices of Town Councils by municipality size, including those in the most populated municipalities in the country.
Participation by the organisations of large towns was very high: the participating Town Councils in municipalities of more than 50,000 inhabitants covered over 50% of the population of that stratum, and in the 50,000 to 100,000 inhabitants stratum coverage of the population reached 70%.
Table 3: No. of municipalities by stratum: pre-sample, sample and coverage by stratum (%)
2.2.2 Fieldwork
Fieldwork was carried out between 21 February and 11 May 2007.
[2] INE: Detail of total population in Classification: List of population units. www.ine.es
2.2.5 Weighting
A stratified weighting was carried out by number of inhabitants of the municipal areas, according to the population figures in the List of Municipalities published by the Institutoto Nacional de Estadística for 2006 [3].
[3] INE, Classification: List of population units. www.ine.es
Graph: Type of Internet connection in Town Councils in large municipalities, Provincial Governments and Island Departments (%)
Columns: Town Councils in municipalities of over 500,000 inhabitants / 100,000 to 500,000 / 50,000 to 100,000 / Provincial Governments and Island Departments

Wireless network (Wi-Fi)                            0.0    22.2    13.2    12.8
LMDS (rural ADSL) or PLC                            0.0     0.0     3.8     8.5
Broadband (DSL, cable, fibre optic, satellite)    100.0   100.0    98.1    97.9
Basic telephone network (modem, ISDN)              25.0    11.1     7.5     4.3
Source: INTECO
Broadband [4] is the most popular connection method in all strata. It is used by all the Town Councils in municipalities of more than 100,000 inhabitants, as can be seen
[4] ISDN, Integrated Services Digital Network: a digital telephone network that integrates voice and data services over a single access line.
DSL, Digital Subscriber Line: digital connection over the telephone network.
LMDS, Local Multipoint Distribution Service: fixed wireless (radio) connection whose bandwidth allows voice, Internet access and network connection between sites.
ADSL, Asymmetric Digital Subscriber Line: type of DSL in which the incoming and outgoing connections do not use the same channel or the same speed (asymmetry).
PLC, Power Line Communication: technology that uses the electrical power lines for Internet access and for peripheral or network connections.
Graph: Type of Internet connection in small and medium-sized Town Councils (%)
Columns: Town Councils in municipalities of 10,000 to 50,000 inhabitants / 5,000 to 10,000 / 2,000 to 5,000 / 1,000 to 2,000 / 500 to 1,000 / less than 500

Wireless network (Wi-Fi)                           19.3     8.9    16.1    11.3    17.9    10.2
LMDS (rural ADSL) or PLC                            7.3     5.4    12.9    21.0    20.5    18.6
Broadband (DSL, cable, fibre optic, satellite)     95.4    85.7    82.3    53.2    59.0    30.5
Basic telephone network (modem, ISDN)               1.8    10.7    12.9    22.6    20.5    44.1
Source: INTECO
Only Town Councils in municipalities of less than 500 inhabitants do not have broadband as their predominant connection. On the other hand, Town Councils in small municipalities of less than 2,000 inhabitants use a greater variety of connection systems than those in large towns.
[5] VPN (Virtual Private Network): a technology that connects, or extends, a local network across a public network. The most common case is a connection from a remote computer, over the Internet, to a local network or to an individual computer.
Graph: Security tools most widely present in Local Organisations (%)
Anti-virus                        98.1
Firewall                          74.7
Authentication/access control     71.4
Anti-spam                         70.8
Source: INTECO
Table 4 shows the combined distribution of security measures in Local Government and in Spanish homes, in descending order of popularity [6]. Local Government offices show greater concern for controlling access to information (authentication and access control measures) and for protecting against malicious code (malware). In homes, protection is focused on the individual computer itself, and measures such as VPN are really only relevant to organisations. Measures such as communication encryption or electronic signature are also more common in Local Administration, since they are more technical in nature and not normally within the reach of domestic users, who place document encryption last.
Table 5: Security tools in place in Local Organisations, by stratum (%)
Columns: Town Councils in small municipalities (less than 500 / 500 to 1,000 / 1,000 to 2,000 inhabitants), medium-sized municipalities (2,000 to 5,000 / 5,000 to 10,000 / 10,000 to 50,000), large municipalities (50,000 to 100,000 / 100,000 to 500,000 / more than 500,000), and Provincial Governments and Island Departments (Prov.)

Tool                                     <0.5k  0.5-1k   1-2k   2-5k  5-10k  10-50k  50-100k  100-500k  >500k  Prov.
Anti-virus                                94.9    92.3   96.8   98.4  100.0    99.1    100.0     100.0  100.0  100.0
Anti-spam                                 39.0    41.0   58.1   56.5   73.2    83.5     96.2      92.6   75.0   97.9
Content filter                            23.7    25.6   33.9   45.2   42.9    64.2     52.8      66.7  100.0   66.0
Firewall or Internet access protection    54.2    51.3   46.8   62.9   80.4    86.2     94.3     100.0  100.0  100.0
Authentication and access control for
  computers and applications              27.1    43.6   50.0   74.2   89.3    95.4     83.0      92.6   25.0   76.6
Other malware prevention systems          18.6    30.8   37.1   45.2   67.9    79.8     64.2      51.9   50.0   57.4
Electronic signature and digital
  certificates                            30.5    35.9   32.3   48.4   53.6    57.8     73.6      63.0  100.0   76.6
Communication encryption                  62.7    66.7   82.3   85.5   85.7    70.6     49.1      59.3   75.0   57.4
VPN (remote access)                        8.5    12.8    9.7   21.0   30.4    43.1     86.8     100.0  100.0   80.9
Data backup                                8.5    12.8    9.7   22.6   39.3    54.1     98.1      96.3  100.0   97.9
Source: INTECO
The general trend is that the larger the municipality served by the local organisation, the greater the number of measures adopted and the higher the percentage of organisations adopting them. The largest differences between the Governments of small and large municipalities are seen in other malware prevention systems, electronic signature, content filtering, backup copies and remote access (VPN).
[6] INTECO: Study on Information Security and e-Trust in Spanish households (1st wave: Dec 2006-Jan 2007). www.inteco.es
The various aspects and practices of information security management set out in the international standard ISO/IEC 27002:2007, Code of Practice for Information Security Management, have been analysed.
Graph: Security organisation and management practices in Town Councils in large municipalities, Provincial Governments and Island Departments (%)
Columns: Town Councils in municipalities of over 500,000 inhabitants / 100,000 to 500,000 / 50,000 to 100,000 / Provincial Governments and Island Departments

Information classification and/or labelling                  0.0    37.0    32.1    31.9
Existence of a person responsible for information security  75.0    85.2    52.8    55.3
Existence of an information security policy document        25.0    51.9    39.6    27.7
Source: INTECO
existence of a security policy document, it may not have been fully approved by management or disseminated to all employees. Town Councils in municipalities of less than 50,000 inhabitants were asked about the implementation, in general terms, of information security procedures; these were more common in medium-sized Councils (Graph 5).
Graph 5: Existence of computing security procedures in small and medium-sized Town Councils (%)
Columns: Town Councils in municipalities of 10,000 to 50,000 inhabitants / 5,000 to 10,000 / 2,000 to 5,000 / 1,000 to 2,000 / 500 to 1,000 / less than 500

Computing security procedures    66.1    64.3    56.5    38.7    38.5    30.5
Source: INTECO
Graph 6: Asset security practices in Town Councils in large municipalities, Provincial Governments and Island Departments (%)
Columns: Town Councils in municipalities of over 500,000 inhabitants / 100,000 to 500,000 / 50,000 to 100,000 / Provincial Governments and Island Departments

Information protection and confidentiality policy against
  loss, damage or unauthorised use                            25.0    29.6    35.8    27.7
Deletion of information from obsolete computing equipment   100.0   100.0    96.2    91.5
Source: INTECO
Table 6: Protection of technological equipment and facilities to reduce the risk associated
with accidents and natural disasters in local organisations. (%)
Regarding access control to private areas (Table 7), this physical security measure is
predominant in Town Councils in medium-sized and large municipalities.
Table 7: Protection of private areas with appropriate access controls to ensure entry for
authorised local organisation personnel only (%)
Confidentiality Agreements with employees, details of which are shown in Table 8, are
currently a topic of increasing importance.
Table 9: Training for employees and external collaborators in security policies and
procedures in Local Organisations (%)
Another significant issue is that of security training for staff to update them on the
organisation's security policies and procedures.
Graph 7: Other human resources security practices in large Town Councils, Provincial Governments and Island Departments (%)
Columns: Town Councils in municipalities of over 500,000 inhabitants / 100,000 to 500,000 / 50,000 to 100,000 / Provincial Governments and Island Departments

Reporting to Management on security incidents    50.0    77.8    67.9    70.2
(a second item in this graph, with values 0.0 and 17.0, has no recoverable label)
Source: INTECO
in the organisation, through appropriate information channels for correct planning and
speed of response in the event of a security incident.
Graph 8: Procedures for managing system access and application passwords in small and medium-sized Town Councils (%)
Columns: Town Councils in municipalities of 10,000 to 50,000 inhabitants / 5,000 to 10,000 / 2,000 to 5,000 / 1,000 to 2,000 / 500 to 1,000 / less than 500

Procedures for managing system access and application passwords    67.9    60.7    43.5    32.3    38.5    30.5
Source: INTECO
3 out of every 4 Town Councils in municipalities of more than 500,000 inhabitants have set
up security requirements with contractors and external suppliers, and have included these
clauses in their contracts.
Graph 9: Appropriate security measures set up with contractors and included in contracts in Town Councils, Provincial Governments and Island Departments (%)
Columns: Town Councils in municipalities of over 500,000 inhabitants / 100,000 to 500,000 / 50,000 to 100,000 / Provincial Governments and Island Departments

Security measures set up with contractors and included in contracts    75.0    48.1    49.1    46.8
Source: INTECO
Table 10: Existence of prevention and detection controls for protection against malicious
software (malware) in Local Organisations (%)
Another practice widely adopted in all strata is making backup copies of information and/or essential programs. This measure is the most widely used, both in the public sphere (Table 11) and in businesses [7], but not in homes, where it reaches only 34.2% [8]. The existence of backup facilities was also analysed (backup support such as data servers, and copying processes on the individual machines across the whole organisation).
Table 11: Existence of backup copies of data and/or essential software in Local
Organisations (%)
As regards controls to guarantee the security of data networks (e.g. firewalls), some Town Councils acquire tools of this kind but do not make the most of them: after being configured at installation, their logs are not analysed, their configuration is not documented, their firmware [9] is not updated, and so on. For this reason the figures for the mere presence of these tools in Local Government offices (Table 5) are higher than the figures for their actual use given in Table 12.
[7] INE: according to the Survey on the use of ICT and Electronic Commerce in Companies 2005-2006, 59.4% of companies that have implemented internal security measures use backup copies. www.ine.es
[8] INTECO: Study on Information Security and e-Trust in Spanish households (1st wave: Dec 2006-Jan 2007). www.inteco.es
[9] Firmware: the program that establishes the logic controlling a device's electronic circuits.
Table 12: Existence of technical measures for guaranteeing the security of communication
networks in Local Organisations (%)
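The point made above, that a firewall whose logs are never read contributes little beyond its presence in a survey, is easier to see with a worked example. The script below is added here as an illustration and is not part of the INTECO report or of any product it names. It assumes log lines in the shape a netfilter LOG rule writes to syslog, with a constructed "FW-DROP:" prefix; the timestamps, addresses, ports and the scan threshold are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample: denied-packet lines in the shape a netfilter LOG rule
# emits to syslog. The "FW-DROP:" prefix, hosts and ports are assumptions.
SAMPLE_LOG = """\
Mar  3 10:12:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22
Mar  3 10:12:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=23
Mar  3 10:12:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=80
Mar  3 10:12:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51003 DPT=443
Mar  3 10:12:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51004 DPT=3389
Mar  3 10:12:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51005 DPT=8080
Mar  3 10:15:40 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22
Mar  3 10:15:41 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22
Mar  3 10:20:00 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353
"""

# Fields we care about; SPT/DPT are optional because ICMP lines have neither.
LINE_RE = re.compile(
    r"FW-DROP: .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)


def parse_drops(text):
    """Return one dict per FW-DROP line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated syslog line (sshd, cron, ...)
        d = m.groupdict()
        d["dpt"] = int(d["dpt"]) if d["dpt"] else None
        d["spt"] = int(d["spt"]) if d["spt"] else None
        events.append(d)
    return events


def summarise(events, scan_ports=5):
    """Count drops per source and flag sources that probed >= scan_ports
    distinct destination ports (a simple horizontal port-scan heuristic)."""
    drops = defaultdict(int)
    ports = defaultdict(set)
    for e in events:
        drops[e["src"]] += 1
        if e["dpt"] is not None:
            ports[e["src"]].add(e["dpt"])
    scanners = sorted(src for src, p in ports.items() if len(p) >= scan_ports)
    return dict(drops), scanners


if __name__ == "__main__":
    counts, scanners = summarise(parse_drops(SAMPLE_LOG))
    for src, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{src:16} {n:3d} dropped packets")
    print("possible port scans from:", scanners)
```

In practice the same two functions would run over the firewall's real syslog output on a schedule, and the per-source counts would be compared against the previous day's figures; the value of the exercise is that the rule set, the log and the review are all examined together, rather than the firewall being counted as "present" and then forgotten.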
Graph 10: Other security practices in large municipalities, Provincial Governments and Island Departments (%)
Columns: Town Councils in municipalities of over 500,000 inhabitants / 100,000 to 500,000 / 50,000 to 100,000 / Provincial Governments and Island Departments

Operations records kept                                                 50.0    40.7    47.2    48.9
Security controls in web sites with online transactions                100.0    66.7    52.8    51.1
Policy for the correct use of electronic mail                           25.0    77.8    60.4    66.0
Control procedures for removable computer media and printed reports    100.0    96.3    92.5   100.0
Source: INTECO
Where Local Government offices have a web site that allows online transactions (consulting records, making payments, etc.), the implementation of controls to guarantee its security has been studied, using practices and tools such as the https protocol, digital signature or identity management [10].
Policies for the correct use of electronic mail include protective measures against e-mail attacks and interception, the handling of attachments and guidelines on the use of organisational e-mail. Removable computer media and printed reports include tapes, disks and paper documents; the control procedures for these items focus on deleting their content when no longer required, recording destroyed items and safe storage.
Other practices examined in Local Administration offices in municipalities with less than 50,000 inhabitants are the secure storage of backup copies, which has insufficient take-up, and the updating of operating systems and other computing applications to keep systems healthy and close vulnerabilities that could affect both the computers and the programs installed on them.
Graph 11: Other security practices in small and medium-sized municipalities (%)
Columns: Town Councils in municipalities of 10,000 to 50,000 inhabitants / 5,000 to 10,000 / 2,000 to 5,000 / 1,000 to 2,000 / 500 to 1,000 / less than 500

Storage of backup copies in a protected place                      73.4    50.0    48.4    28.4    33.9    32.3
Updating of operating systems and other computing applications     89.0    75.0    62.9    20.2    39.3    50.0
Source: INTECO
[10] https protocol (HyperText Transfer Protocol Secure): HTTP is the set of rules governing requests and responses between a client and a web server; with https, the exchange is encrypted (and the server authenticated) before the information is transmitted from one machine to another.
Digital signature: a cryptographic mechanism that certifies the identity of the sender and the integrity of the information sent.
As for the rules for controlling and managing user access and passwords (Table 13), access control and management involves the correct assignment of each individual's privileges and keeping a documented record of them; secure password management implies that the organisation and the user sign an agreement, that an initial temporary password is assigned (to be replaced by the user on first use) and that secure channels for transmitting passwords are set up.
Table 13: Existence of documented rules for registering and unregistering users and/or
assigning passwords in Local Organisations (%)
Secure access (user authentication) for remote connection and control of user access to the operating system are practices generally implemented in municipalities. In this respect, the systems in Town Councils of large municipalities and Provincial Governments are the only ones where access to configuration and changes to equipment parameters is controlled. Likewise, retention of audit logs and records of other security incidents for a fixed period of time is quite common in Local Government offices.
Secure access to applications, and particularly to those managing high-level (sensitive) information, outside normal office hours is not a commonly adopted practice in Spanish Local Administration.
Graph 12: Other access and data security practices in Town Councils in large municipalities, Provincial Governments and Island Departments (%)
Columns: Town Councils in municipalities of over 500,000 inhabitants / 100,000 to 500,000 / 50,000 to 100,000 / Provincial Governments and Island Departments

Remote access to the network through a secure identification process           100.0    88.9    81.1    91.5
Operating system configuration carried out only by authorised personnel        100.0   100.0    92.5    91.5
Restrictions on the use of high-risk applications outside office hours          25.0    37.0    34.0    42.6
Storage of audit records and other security incidents for a specific period     75.0    81.5    64.2    76.6
Source: INTECO
Graph 13: Other access and data security practices in small and medium-sized municipalities (%)
Columns: Town Councils in municipalities of 10,000 to 50,000 inhabitants / 5,000 to 10,000 / 2,000 to 5,000 / 1,000 to 2,000 / 500 to 1,000 / less than 500

Organisational communication filtering    84.4    62.5    53.2    20.2    23.2    46.8
Wireless connection encryption            43.1    23.2    19.4     8.3    16.1     8.1
Source: INTECO
This group of practices was analysed specifically in the Local Administration offices of municipalities with more than 50,000 inhabitants (Graph 14). It covers the basic principles of security in application systems: cryptographic controls, security of system files and security in development and support processes.
Graph 14: Security of system development and maintenance practices in Town Councils in large municipalities, Provincial Governments and Island Departments (%)
Columns: Town Councils in municipalities of over 500,000 inhabitants / 100,000 to 500,000 / 50,000 to 100,000 / Provincial Governments and Island Departments

Operating systems and other programs are updated                                           75.0    81.5    81.1    83.0
Authorised personnel control the installation of operating systems and other programs     100.0   100.0    94.3    93.6
Data is encrypted to protect the confidentiality of critical or sensitive information      25.0    29.6    30.2    48.9
Source: INTECO
Updating operating systems and installed programs with the latest security patches is of fundamental importance in removing known vulnerabilities. Control of the installation of applications and operating systems by authorised staff is a widespread practice. Cryptographic controls include encrypting sensitive data and using digital signatures to protect the confidentiality, authenticity and integrity of critical information.
Table 14: Availability of a continuity plan for after any factor causing activity disruption in the
local organisations (%)
[11] LSSI-CE: Act 34/2002 of 11 July on Information Society Services and Electronic Commerce (Ley de Servicios de la Sociedad de la Información y de Comercio Electrónico).
[12] LPI: Intellectual Property Act 22/1987 of 11 November (Ley de Propiedad Intelectual).
[13] LGT: General Taxation Act 58/2003 of 17 December (Ley General Tributaria).
[14] LOPD: Organic Act 15/1999 of 13 December on the Protection of Personal Data (Ley Orgánica de Protección de Datos de Carácter Personal).
[15] Electronic Signature Act: Act 59/2003 of 19 December on Electronic Signature (Ley de Firma Electrónica).
Graph 15: Compliance with regulations in Town Councils in large municipalities, Provincial Governments and Island Departments (%)
Columns: Town Councils in municipalities of over 500,000 inhabitants / 100,000 to 500,000 / 50,000 to 100,000 / Provincial Governments and Island Departments

Monitoring of the Data Protection Act (LOPD)                     25.0    88.9    77.4    63.8
Compliance with regulations such as LSSI-CE, LPI, LGT, etc.      25.0    55.6    64.2    63.8
Audits of security policies                                       0.0    22.2    32.1    23.4
Source: INTECO
Graph 16: Availability of an updated security document in small and medium-sized Town Councils (%)
Columns: Town Councils in municipalities of 10,000 to 50,000 inhabitants / 5,000 to 10,000 / 2,000 to 5,000 / 1,000 to 2,000 / 500 to 1,000 / less than 500

Availability of an up-to-date Security Document    47.7    35.7    32.3    11.9    16.1     9.7
Source: INTECO
5 EXPERTS' OPINION
These professionals have contributed their qualified opinion in respect of two issues:
• The state and the requirements of security issues in Local Public Organisations
(current availability of resources and their possible evolution in the medium and
long term, together with anticipated future implementation actions).
• The best security and digital confidence practices that should be implemented for
efficient risk management, and their current implementation level.
Table 15: Strengths and Opportunities for Improvement identified by the experts
Source: INTECO
* Control over the selection of data transfer channels between servers.
Source: INTECO
As can be seen in Table 16, the experts consider two practices more relevant than the rest: the clean desk and blocked screen policy, as part of the policy for protecting the confidentiality of information against loss, damage or unauthorised use, and control over the user's computer. These belong to the areas of Asset Security (physical and environmental security) and Access and Data Security, the groups that account for most of the top practices in the list drawn up by the experts consulted (Table 16).
Specifically, the clean desk and blocked screen policy is defined as follows:
• Clean desk: the organisation provides the conditions under which the user's work station is kept clear, with storage available for documents and removable media.
• Blocked screen: the screen is locked as soon as the user leaves their usual work station. The aim is to reduce the risk of unauthorised access to, loss of or damage to information both within and outside normal working hours; the information and documents on the desk are also covered.
89.7% of the experts consulted consider the clean desk and blocked screen policy the most important practice for the correct management of information security.
In order to define the security level of information and communication systems in Local
Administration offices, the best security practices in each stratum have been evaluated and
any possible differences have been analysed, taking as reference the surveys carried out
in Town Councils, Provincial Governments and Island Departments on the implementation
of the best practices as identified by the experts.
Table 17: Degree of implementation of best security practice in Town Councils in large municipalities, Provincial Governments and Island Departments (%) (fragment)
Columns: Town Councils in municipalities of 50,000 to 100,000 inhabitants / 100,000 to 500,000 / more than 500,000 / Provincial Governments and Island Departments

Area                        Practice                                                        50-100k  100-500k   >500k   Prov.
Access and Data Security    Authentication of connections to remote computer systems          81.1      88.9    100.0    91.5
Security legislation        Ensuring compliance with national agreements, laws,
                            regulations and other access control instruments                   64.2      55.6     25.0    63.8
Source: INTECO
Table 18: Degree of implementation of best security practice in medium-sized Town Councils (%)
Columns: Town Councils in municipalities of 2,000 to 5,000 inhabitants / 5,000 to 10,000 / 10,000 to 50,000

Area                                    Practice                                                  2-5k   5-10k  10-50k
Security Organisation and Management    Security Policy Document                                  56.5    64.3    66.1
Asset Security                          Controls and guidelines in secure areas that improve
                                        security using physical controls                          30.6    46.4    50.5
Source: INTECO
Table 19: Degree of implementation of best security practice in small Town Councils (%)
Source: INTECO
As regards the methodology used to assess each area, the strata were arranged into the groups used to segment Local Administration offices by the size of the municipalities they serve (small, medium-sized and large), plus the Provincial Governments and Island Departments. The items surveyed in each security area were then taken separately for each group, giving a breakdown of the items in each area for each group of Local Governments. Finally, a statistical homogenisation was carried out to combine the values of the various items across the strata within each group, and an average indicator was calculated for each group and security area.
The information security situation in Spanish local public organisations was assessed
according to the classification of security areas recommended by the Information Security
Management Good Practice Code in the ISO/IEC 27002:2007 International Standard.
As an opening comment, in the area of Systems Development and Maintenance (Application Security) the medium-sized and small Local Organisations were not consulted, because the questionnaire was designed to be as succinct as possible so as not to disrupt the normal activity of the Local Governments interviewed.
Graph 24: Comparison of indicators by security area and group size (%)
Security areas: Security organisation and management; Assets security; Human Resources security; Network and Operations security; Data Access security; Regulatory Compliance and business continuity; Applications security.
Groups: Councils in small towns (less than 2,000 inhabitants); Councils in medium-sized towns (2,000 to 50,000 inhabitants); Councils in large towns (more than 50,000 inhabitants); Provincial Governments and Island Departments.
Source: INTECO
Also significant is the almost exact match between the structure and values for Provincial Governments and Island Departments and those for Town Councils in municipalities of more than 500,000 inhabitants, since the former have an organic
In the case of large Local Organisations, an exception must be made for the area of security organisation and management. The variability of the data there is due to the smaller sample size in these strata and to the considerably lower average figures for the existence of a security policy document (Table 17 and Table 18).
In general, security measures and practices show an average level of implementation above 50% for almost all organisation sizes and areas, with the exception of the Local Administration offices in the least populated municipalities, where there is greater room for action and growth.
7.1 Conclusions
As stated in the introduction, the aim of this report is to establish the level of information security and e-Trust in Spanish Local Public Organisations. The study is notable for its originality, as none of these issues had been the object of analysis before this research by the INTECO Observatory.
The analysis combines two primary sources: surveys of Local Public Organisations and interviews with a group of information security experts.
Security tools and practices show an average implementation rate of over 50% in Local Public Organisations for almost all municipality sizes and security areas. The exceptions are the Town Councils in smaller municipalities, where there is greater room for action and growth. The study establishes as a principle that the larger the municipality served by the local organisation, the more measures are implemented and the higher their coverage rates.
A number of stronger areas of information security have been found within these organisations:
• Network and Operations Security, which includes, for example, controls against malware and backup copies of data and software.
• Access and Data Security, including tools and practices for restricting and controlling privileges and for authenticating remote connections.
• Asset Security, which encompasses widespread practices such as deleting data from machines taken out of service or recycled.
The controls in these areas are those described in ISO/IEC 27002 (and required for certification against ISO/IEC 27001), and they are the best known among users and professionals in Local Public Organisations, which is why they are the most widely implemented.
The most widely used tools in Local Organisations are anti-virus applications and
programs, present in 98.1% of these governments, followed by firewall programs (74.7%).
A feature of the analysis is that the greater the town size the more widespread the
incidence of security measures in the Local Administration. In smaller sized towns, local
public bodies have more scattered security policies that are focused on specific issues,
giving much lower priority to some tools and practices.
The experts agree that the areas of Asset Security and Access and Data Security are the most important and should provide the base on which other tools and practices are adopted; these two areas come top of the list of security practices cited by the professionals consulted. Nevertheless, the top recommended practice (a clean desk and locked screen policy) is not widely implemented in Spanish Local Organisations.
These same experts also agree that Local Administrations are becoming increasingly aware of information security, which should encourage a general improvement in security conditions. Measures such as access control, backup copies or confidentiality agreements make up the main group of strengths in a system. In contrast, insufficient budgets and general training, and the lack of resources and formal policies in small Local Organisations, mean that there is opportunity for improvement in these areas.
7.2 Recommendations
The following should be taken as guidance when defining the improvement programmes to be designed and carried out, both by Local Public Organisations and by the other players taking part in the assessment, definition and implementation of measures for digital security and confidence. The initiatives proposed by the experts consulted that can contribute to the spread of best security practices are described below.
• Public support. Act 11/2007 on electronic access for citizens to Public Services makes Local Organisations key players, as they provide numerous services demanded by citizens and businesses, often with insufficient funding. The implementation of new digital security and confidence measures and controls will require long-term financial investment.
• Awareness and training at all levels. The high regard for digital security and confidence observed at management level in the majority of Local Organisations should be extended to all users and their organisational collaborators. The process should be supported by structured training programmes, defined and tailored to the needs and requirements of Local Organisations, with an emphasis on practical guidance and continuous skills updating, using distance learning and train-the-trainer programmes.
• Widespread use of the digital signature. The widespread use of basic methods of protection such as anti-virus, anti-spam and anti-spyware in Spanish Local Organisations should be viewed favourably as a first level of maturity in digital security and confidence. This process must be completed by the widespread implementation and use of the digital signature and secure identification as the ideal authentication methods for organisations and their representatives in their dealings with other administrations, citizens and companies.
The effective implementation of the best information security practices identified should be addressed and planned in the medium and long term, and be accredited both internally and externally using international standards such as ISO/IEC 27001:2005.
According to INTECO
General State Administration, Autonomous Communities and, at a local level, Town
Councils, Provincial Governments and Island Departments, must play an essential role in
awareness, user training in information security and in the use of the digital signature in
Local Organisations.
Their support will be decisive in allocating funding, coordinating, aligning and consolidating
economies of scale for the following suggested initiatives:
virtual and face-to-face training sessions and the content must be updated
frequently to accommodate regulatory requirements.
2. Relating to the promotion and encouragement of best security and e-Trust practices in
Local Public Organisations.
The INTECO Centro Demostrador de Seguridad would widen its scope of action, based on the favourable results obtained in its strategy for SMEs, to Local Administration, in order to promote and disseminate the use of information security technology and best practice among Spanish small and medium-sized Local Organisations (which represent the majority of Local Administration offices in the Spanish state). This would contribute to strengthening the Information and Communication Technology Security sector in Spain and to directing its services and solutions at the real and practical needs of Local Government. Its vocation is to act as an intermediary with companies from the security sector. The Demonstration Centre would thus become a national centre of excellence for Local Organisations in matters of security.
In this context, the transformation of the typical bureaucratic relationship is currently one of
the most important challenges, for which the Spanish Local Administration has three
strategic lines of action:
3. Internal control mechanisms, such as action protocols for rigorous personal data
processing, updating as required to keep up with increasingly advanced features
developed by the technology industry.
According to INTECO
As mentioned above, companies in the security sector, whether manufacturers or distributors of solutions, specialised consultancies, information systems integrators or external systems providers, have a great business opportunity in the context of Local Public Administration. Their support will enable the successful implementation of the digital security and confidence solutions and best practices identified. To achieve this, INTECO proposes:
Private organisations could play an active part, providing knowledge, resources and
experiences gained in similar successful international or local programmes, in the
dissemination, broadcast and communication of confidence in the security of
Information and Communication Technology. The Information Security Observatory
Companies in the sector should make the effort to adjust their products to the requirements of Spanish Local Organisations, providing technical and human resources and making available their capacity for distribution, implementation and after-sales service in various market actions (adapting their products and services to the needs of Local governments, translating them into the official State languages, monitoring interoperability standards in the design and development of solution architectures, and launching update programmes and/or renewing technology).
According to McAfee
At first glance it would appear that computing security in Local Administration is not an
attractive target for possible attackers, especially in the smaller municipalities. However,
the aims they pursue should be taken into account: financial, loss of image, interruption to
the service, etc.
Firstly, all Local Organisations can be vulnerable to threats related to their technological infrastructure (workstations, operating systems, etc.), corporate systems (web browsing, electronic mail, etc.), applications that are becoming more widespread (instant messaging, VoIP, etc.) and services to the public (Town Councils are also beginning to use the Internet as a means of keeping in touch with the public), to which internal threats can be added, whether intentional or due to errors or lack of staff knowledge about the use of technology.
Secondly, Local Organisations have to comply with legislation (Data Protection Act)
because they are handling citizens' personal information, which must be classified and
protected.
Lastly, we should not forget that service to the public implies high levels of availability,
supported by a technological infrastructure.
This is why information security must be managed and must guarantee the Confidentiality,
Integrity and Availability of information and the protection and ease of access for services
offered, by defining a security policy and implementing the measures required for it to
operate.
The security manufacturer must make products adapted to the needs of Local Organisations, taking into account their requirements for simplicity, cost and degree of specialisation. The right product for specific solutions must be supplied, providing support for the security management process with the purpose of reducing the impact of, or preventing, information leaks, and for the audit process. The McAfee Security Operations Centres are also important for guaranteeing the "cleanliness" of electronic mail and web browsing, and for providing information about new threats and target environments.
The importance of raising awareness and sensitisation in Local Organisations of the need for an information security process is also acknowledged, as is the training required to enable the required security measures to be implemented. These must be supported by the industry, which should play a consulting role to facilitate the training process and adjust the technology to the needs of Local Organisations.
According to Symantec
As corporations, private individuals and our economy come to depend more and more on
the Internet and on information systems, the risks become more important (serious
institutional and company crises, damage to reputation caused by identity impersonation,
loss of business due to system failure, etc.).
The majority of companies, regional or local Administrations and citizens are barely aware of the dangers faced by their information systems; they do not use the whole range of tools available to them to manage these situations, nor have they begun to implement the knowledge and processes they need to manage this type of risk.
Although the study shows that the security measures and practices have
implementation values of over 50% in large municipalities, this average decreases as
we look at the Local Administration in smaller municipalities. This data reveals the
importance of undertaking the vital task of raising awareness and making investment
(the belief exists that with just one anti-virus program systems will be protected and
secure) and making Information Technology available in these environments.
Computing risks can be synonymous with the potential loss of information and data
recovery, or with the continuous use of information. These actions can be placed into
the following six categories: Security, Availability, Performance, Scalability, Compliance
and Recoverability. In Local Administrations, making backup copies of data and
implementing VPNs for remote access to systems are measures very rarely
implemented in Administration offices of smaller municipalities.
From the assessment of the internal processes of information flow, a "security plan" should
be drawn up that defines what type of solution or levels of service are required for each
Town Council.
Trend Micro is aware of this fact and one of its challenges is to drive and deal with the
modernisation of Spanish Town Councils by offering tools that enable a better quality
service to be provided that is more friendly for the citizen using new technology, and
bringing solutions that guarantee secure information transactions in the midst of an
environment characterised by the existence of constant risk.
8 ANNEXES
• Carlos Adín. Quality Service and Modernisation Manager of the Department of Local
Administration of the Regional Government of Navarra.
• Daniel Amaro. Computer and New Technologies Area of the Town Council of Úbeda.
• Federico Serrano Paricio. Deputy Representative of the New Technologies Area of the
Provincial Council of Teruel.
• Francisco José López Carmona. Deputy Director of the File Registry and Consultancy of the
Data Protection Agency of the Community of Madrid.
• Ignacio Sánchez Chumillas. Computer Systems Manager of the Town Council of Móstoles.
• José Luís Tudela Castrando. Head of the Municipal IT Centre of the Town Council of
Zaragoza.
• José Manuel Pazos González. Head of the Information Systems Service of the Town
Council of Gijón.
• Josep Clotet. Manager of the Municipal IT Institute «Accès» and Member of the New
Technologies Advisory Council of the FEMP.
• Luis Arróspide Urbieta. Head of Data Security of the Provincial Society of Computer
Services (IZFE), Provincial Council of Gipuzkoa.
• Luis Manovel. Head of Services of the Regional Government Ministry for Economic
Development, Innovation and Employment of Tres Cantos.
• Lluis Olivella. Manager of the Municipal IT Institute of the Town Council of Barcelona.
• Miguel Ángel Amutio. Head of Planning and Exploitation of the Ministry for Public
Administration.
• Miguel Rego Fernández. Executive Committee of the Security Area of the Ministry of
Defence.
• Rafael Cuenca. Manager of the Public Administration of Trend Micro for Spain and Portugal.
LIST OF TABLES
Table 3: No. of municipalities by stratum: pre-sample, sample and coverage by stratum (%), p. 12
Table 6: Protection of technological equipment and facilities to reduce the risk associated with accidents and natural disasters in local organisations (%), p. 20
Table 7: Protection of private areas with appropriate access controls to ensure entry for authorised local organisation personnel only (%), p. 21
Table 8: Existence of confidentiality agreements with Local Organisation employees (%), p. 21
Table 9: Training for employees and external collaborators in security policies and procedures in Local Organisations (%), p. 22
Table 10: Existence of prevention and detection controls for protection against malicious software (malware) in Local Organisations (%), p. 24
Table 11: Existence of backup copies of data and/or essential software in Local Organisations (%), p. 25
Table 12: Existence of technical measures for guaranteeing the security of communication networks in Local Organisations (%), p. 26
Table 13: Existence of documented rules for registering and unregistering users and/or assigning passwords in Local Organisations (%), p. 28
Table 14: Availability of a continuity plan for after any factor causing activity disruption in the local organisations (%), p. 31
Table 15: Strengths and Opportunities for Improvement identified by the experts, p. 33
Table 16: Ranking of best security and e-Trust practices (%), p. 37
Table 19: Degree of implementation of best security practice in small Town Councils (%), p. 42
LIST OF GRAPHS
Graph 7: Other human resources security practices in large Town Councils, Provincial Governments and Island Departments (%), p. 22
Graph 9: Appropriate security measures set up with contractors and included in contracts in Town Councils, Provincial Governments and Island Departments (%), p. 24
Graph 10: Other security practices in large municipalities, Provincial Governments and Island Departments (%), p. 26
Graph 11: Other security practices in small and medium-sized municipalities (%), p. 27
Graph 12: Other access and data security practices in Town Councils in large municipalities, Provincial Governments and Island Departments (%), p. 29
Graph 13: Other access and data security practices in small and medium-sized municipalities (%), p. 29
Graph 14: Security of system development and maintenance practices in Town Councils in large municipalities, Provincial Governments and Island Departments (%), p. 30
Graph 15: Compliance with regulations in Town Councils in large municipalities, Provincial Governments and Island Departments (%), p. 32
Graph 16: Availability of an updated security document in small and medium-sized Town Councils (%), p. 32
Graph 17: Practices relating to SECURITY ORGANISATION AND MANAGEMENT (%), p. 34
Graph 24: Comparison of indicators by security area and group size (%), p. 43