
Instituto Nacional

de Tecnologías
de la Comunicación

Study on Security and e-Trust in Local


Organisations

In collaboration with:

OBSERVATORIO DE LA SEGURIDAD DE LA INFORMACIÓN



This publication belongs to the National Communications Technologies Institute (INTECO) and is under a Creative
Commons Spain 2.5 Attribution Non-commercial license, and for this reason copying, distributing and displaying this work is
permitted under the following circumstances:
• Attribution: The content of this report can be totally or partially reproduced by third parties, specifying its source and
expressly referring to both INTECO and its website: www.inteco.es. This attribution can in no event suggest that INTECO
provides this third party support or supports the use made of its work.
• Non-commercial Use: The original material and the resulting works can be distributed, copied and shown provided
that it is not for commercial purposes.
When the work is reused or distributed, its license terms must be made very clear. Some of these conditions may not be
applicable if the copyright license is not obtained from INTECO. Nothing in this license impinges on or restricts INTECO's moral
rights.
Full license text:
http://creativecommons.org/licenses/by-nc/2.5/es/

Study on Security and eTrust in Local Organisations Page 2 of 68


Observatorio de la Seguridad de la Información
Instituto Nacional
de Tecnologías
de la Comunicación

TABLE OF CONTENTS

Table of contents ..... 3
1 Introduction ..... 5
1.1 Presentation ..... 5
1.2 Study on Information Security and e-Trust within Local Organisations ..... 5
1.2.1 Overall Objectives ..... 5
1.2.2 Framework of Reference ..... 6
1.3 Participating Organisations ..... 7
1.3.1 Instituto Nacional de Tecnologías de la Comunicación ..... 7
1.3.2 Federación Española de Municipios y Provincias ..... 8
1.3.3 Collaborating Companies ..... 8
2 Methodological Design ..... 10
2.1 Statistical Reference Framework ..... 10
2.2 Technical Specification ..... 10
2.2.1 Participation Analysis ..... 11
2.2.2 Fieldwork ..... 12
2.2.3 Information Gathering Method ..... 13
2.2.4 Sampling Error ..... 13
2.2.5 Weighting ..... 13
3 Information Security Equipment in Spanish Local Administration Offices ..... 14
3.1 Computing Equipment and Security Measures ..... 14
3.1.1 Types of Internet Access and Connections ..... 14
3.1.2 Information Security Equipment in Local Administration Offices ..... 15
4 Analysis of good practice for managing information security in Spanish Local Administration Offices ..... 18
4.1 Security Organisation and Management ..... 18
4.2 Asset Security ..... 19
4.3 Security in Human Resources ..... 21
4.4 Network and Operations Security ..... 23
4.5 Access and Data Security ..... 28
4.6 System Development and Maintenance Security: Application Security ..... 30
4.7 Operational Continuity or Business Continuity ..... 31
4.8 Compliance with Regulations ..... 31
5 Experts' Opinion ..... 33
5.1 Current State of Security and Digital Confidence ..... 33
5.2 Best security practices in local organisations ..... 34
5.2.1 Ranking of best practices ..... 37
6 Comparative analysis of best practices by indicators and strata ..... 39
6.1 Implementation of the best security practices in Local Government offices ..... 39
6.2 Comparative Analysis by indicators and strata ..... 42
7 Conclusions and Recommendations ..... 45
7.1 Conclusions ..... 45
7.2 Recommendations ..... 46
7.2.1 Lines of action ..... 46
7.2.2 The role of Public Administration ..... 47
7.2.3 The role of industry ..... 49
8 Annexes ..... 54
8.1 List of Participating Experts ..... 54
8.2 Participating entities ..... 56
8.2.1 List of participating Town Councils ..... 56
8.2.2 List of participating Provincial Councils, Consells (Regional Authorities of the Balearic Islands) and Regional Authorities of the Canary Islands ..... 63
List of tables ..... 64
List of graphs ..... 66


1 INTRODUCTION

1.1 Presentation
This report, produced by the Instituto Nacional de Tecnologías de la Comunicación (INTECO,
National Communications Technology Institute), has as its main objective to analyse for the
first time the state of information security and e-Trust in Local Public Organisations in Spain.
The report identifies the main risks to which Local Administration information and
communication systems are exposed and proposes security management and e-Trust
practices that should be adopted in order to guarantee the confidentiality, integrity and
availability of information relating to citizens and companies, as well as of communications
with these users and with other organisations.

The study has been produced with the support of the Federación Española de Municipios y
Provincias (Spanish Federation of Municipalities and Provinces); with the participation of all
staff working in the field of information security in Local Government: politicians, technical
staff and administrative personnel in the Town Councils, Provincial Governments and Island
Departments; with the views of well-known experts from both the public and the private
sector, consulted to identify the best practices in security management and e-Trust; and with
three major companies manufacturing and supplying computing security solutions on a
global scale: McAfee, Symantec and Trend Micro.

The Subdirección General de Coordinación de Recursos Tecnológicos de la Administración
General del Estado (General State Administration Sub-department for Technology Resources
Coordination), part of the Ministerio de Administraciones Públicas (Ministry for Public
Administrations), has also collaborated by granting access to the results of the IRIA 2006
report in order to design the fieldwork for this study.

1.2 Study on Information Security and e-Trust within Local Organisations

This document presents the results of the study: it first describes its objectives, then its most
relevant quantitative findings, based on primary information sources, specific surveys and the
views of the experts consulted, and lastly puts forward a series of conclusions and
recommendations to improve security measures and practices in Local Administration Offices.

1.2.1 Overall Objectives

The defining feature of this research is that a study of this kind has never been undertaken
before now. The overall objective is to carry out an assessment, for the first time in
Spain, of the main security measures and systems implemented, their operational
status and the risks to which Local Administration information and communication
systems are exposed, with the following specific objectives:

• To draw up a comprehensive plan for updating and modernising security systems and
measures in order to improve users' e-Trust in Electronic Administration services.

• To identify new fields and lines of action for introducing advances in security programs
and tools that will improve information security within Local Government.

• To drive appropriate training for information security professionals and technicians in
Town Councils, Provincial Governments and Island Departments.

1.2.2 Framework of Reference

The study is structured by areas according to international standard ISO/IEC
27002:2007, Code of Practice for Information Security Management:

• Security Organisation and Management, including the existence of a documented
security policy, organisation of resources and processes, organisational and interventional
procedures, roles and responsibilities and independent security review.

• Asset Security Management, including drawing up an inventory of information assets,
such as computers, software, data, documentation, backup and service supports, identifying
their owners, location and the use for which they are authorised, as well as information
classification and labelling according to their critical level and asset protection using security
perimeters and access control.

• Organisational and Human Resources Security Management, including the assignment
of security responsibilities, confidentiality agreements, user awareness and training.

• Communications and Operations Security Management, documenting responsibilities
and operational processes, including security requirements in external services and their
supervision. This area includes relevant issues such as protection against malicious software,
access to programs and data by remote users, security on websites where electronic
transactions take place and storage of audit records.

• Access and Data Security Management, aimed at protecting access to information,
information processing resources and business processes.

• Program Security Management, including all actions aimed at ensuring secure access to
the organisation's information resources by carrying out corrective updates of operating
systems and programs, encrypting confidential information and controlling the installation of
software and operating systems.

• Operational Continuity or Business Continuity, determined by all the measures required
for recovering and restarting an organisation's activities following an incident or accident.

• Regulatory Compliance, which consists of preventing the organisation from failing to
comply with the law (Data Protection Act, applicable regulations, etc.) and organisational
auditing to ensure compliance with security policies and standards.

The analysis carried out has taken into account the differentiating features of the
organisations involved in terms of size (number of inhabitants in the respective
municipalities) and the territory within their remit (in the case of Provincial Governments,
Island Departments and autonomous cities).

1.3 Participating Organisations

1.3.1 Instituto Nacional de Tecnologías de la Comunicación

The Instituto Nacional de Tecnologías de la Comunicación (INTECO), an organisation
promoted by the Ministerio de Industria, Turismo y Comercio (Ministry of Industry, Tourism
and Trade), is a platform for the development of the Knowledge Society through projects in
the innovation and technology area. Its mission is to drive and develop innovation projects
related to the Information and Communications Technology (ICT) sector and in the context
of the Information Society that will improve Spain's position and increase competitiveness,
both in the European and in the Latin American context. The Institute's vocation is to be a
centre for development that is innovative and that serves the public interest at a national
level in order to enrich and disseminate new technology in Spain in tune with the rest of
Europe.

INTECO's corporate purpose is the management, assessment, promotion and dissemination
of technology projects along the various strategic lines of technological security,
accessibility, innovative ICT solutions for SMEs, e-health and e-democracy.

http://www.inteco.es

Observatorio de la Seguridad de la Información

The Information Security Observatory falls within INTECO's strategic remit in terms of
technology security, with the aim of providing a detailed and systematic description of
security and confidence levels in the Information Society and generating specialised
knowledge on the subject. It is therefore at the service of the public, companies and
Spanish Public Administration in order to describe, analyse, assess and disseminate a
culture of information security and e-Trust by defining trends that will be of use in future
decision-making by public authorities.

To achieve this, the Observatory has designed an Activities and Studies Plan with
particular emphasis on Internet security; monitoring the main indicators and public policies
related to information security and confidence in the national and international contexts,
building a database enabling analysis and evaluation of security and confidence from a
temporal perspective, and assessing Public Administration in matters of information
security and confidence, supporting the production, monitoring and evaluation of public
policy in this context.

http://observatorio.inteco.es

1.3.2 Federación Española de Municipios y Provincias

The Federación Española de Municipios y Provincias (FEMP) is a Local Government
association grouping together Town Councils, Provincial Governments and Island
Departments, a total of 7,200 municipalities. Its aims include the promotion and defence of
Local Government autonomy and the general interests of Town Councils, Provincial
Governments and Island Departments in their dealings with other Public Administration
bodies, providing all kinds of services to Local Governments and management of
Government programmes for local areas.

http://www.femp.es

1.3.3 Collaborating Companies

McAFEE, Inc., based in California (U.S.A.), is a leading security technology company
supplying proven and proactive services and solutions to protect networks and systems all
over the world. Its knowledge, security experience and commitment to innovation enable
business customers, individuals, public organisations and service providers to block
attacks, prevent interruptions and continually improve their security.

For more information: http://www.mcafee.com/es

SYMANTEC, Corp., is a company based in California (U.S.A.) and founded in 1982. It is a
world leader in solutions that enable individuals, organisations and companies to guarantee
the security and integrity of their information. Present in over 40 countries, it has a wide
Global Intelligence network with three operations centres, eight security response centres
and 40,000 sensors in 180 countries, protecting 120 million systems and 30% of electronic
mail traffic across the world. In Spain, SYMANTEC has bases in Madrid and Barcelona
with more than 100 professionals spread over its various business areas: Professional
Services, Technical Support, Sales and Administration.

For more information: http://www.symantec.com/es/es

TREND MICRO, Inc., is a pioneering multinational company in the development of content
security solutions and online threat management. Founded in 1988, Trend Micro supplies
software, hardware and services to both individual users and corporations, whatever their
size. Its activity is based on its Enterprise Protection Strategy (EPS), which provides
complete information and data security on all network points, and on its Web Reputation
Services. The company's headquarters is in Tokyo and it has operations in over 30 countries
together with its own network of laboratories (TrendLabs) supplying proactive and
cutting-edge solutions, making it a leader in R&D+i in the ICT security sector.

For more information: http://www.trendmicro-europe.com


2 METHODOLOGICAL DESIGN

The analysis was carried out on purely primary information sources based on personal
interviews with experts/professionals in the subject and surveys of administrative and
technical staff and general users of Local Administration information systems.

2.1 Statistical Reference Framework

The selected framework had a dual focus: on Town Councils, Provincial Governments and
Island Departments as individual statistical elements (information for the survey obtained
from the List of Municipal Areas supplied by the Instituto Nacional de Estadística (National
Statistics Institute, INE) [1]), and also on Local Government employees and industry experts.

2.2 Technical Specification

The target population for the study was:

• 17 Autonomous Communities and 2 Autonomous Cities.

• 8,112 Town Councils and 63 Provincial Governments and Island Departments.

A total of 520 Local Governments took part, consisting of 471 Town Councils and 49
Provincial Governments and Island Departments.

Sampling Procedure for Town Councils

Stratification: the sample of Town Councils was defined employing stratification according
to the number of inhabitants in each town:

Table 1: Stratification by town size

Stratum | Size* | Category
A | More than 500,000 inhabitants | Large
B | From 100,000 to 500,000 inhabitants | Large
C | From 50,000 to 100,000 inhabitants | Large
D | From 10,000 to 50,000 inhabitants | Medium-sized
E | From 5,000 to 10,000 inhabitants | Medium-sized
F | From 2,000 to 5,000 inhabitants | Medium-sized
G | From 1,000 to 2,000 inhabitants | Small
H | From 500 to 1,000 inhabitants | Small
I | Less than 500 inhabitants | Small
*Figures shown in thousands in tables of results. Source: INTECO

[1] INE, Classification: Relación de unidades poblacionales (List of population units). www.ine.es


2.2.1 Participation Analysis

Municipalities: by Autonomous Community

The Autonomous Communities in which the participating municipalities came closest to the
selected sample were as follows:

• In terms of number of municipalities, the average response rate was very satisfactory,
at 80.5% (471) of the municipalities in the pre-selected sample (585). This represents a
total coverage of 5.8% of all Spanish municipal areas (8,112). The highest response rates
were obtained in Catalonia (96.7%), Castile and Leon (93.8%), Madrid (93.3%), Galicia
(92.5%) and the Valencian Community (91.7%), and the highest coverage in the Canary
Islands (23.9%), Madrid (15.6%) and Asturias (12.8%).

Table 2: No. of municipalities: pre-sample, sample and coverage by Autonomous Community

Autonomous Community | No. Municipalities | Pre-sample: No. Municipalities | Sample: No. Municipalities | Participation against pre-sample | Coverage against population
Andalusia | 770 | 70 | 63 | 90.0% | 8.2%
Aragon | 730 | 50 | 26 | 52.0% | 3.6%
Asturias | 78 | 15 | 10 | 66.7% | 12.8%
Balearic Islands | 67 | 10 | 5 | 50.0% | 7.5%
Canary Islands | 88 | 25 | 21 | 84.0% | 23.9%
Cantabria | 102 | 13 | 8 | 61.5% | 7.8%
Castile and Leon | 2,249 | 80 | 75 | 93.8% | 3.3%
Castile-La Mancha | 919 | 30 | 24 | 80.0% | 2.6%
Catalonia | 946 | 60 | 58 | 96.7% | 6.1%
Valencian Comm. | 542 | 60 | 55 | 91.7% | 10.1%
Extremadura | 383 | 30 | 19 | 63.3% | 5.0%
Galicia | 315 | 40 | 37 | 92.5% | 11.7%
Madrid | 179 | 30 | 28 | 93.3% | 15.6%
Murcia | 45 | 10 | 5 | 50.0% | 11.1%
Navarre | 272 | 20 | 10 | 50.0% | 3.7%
Basque Country | 251 | 25 | 21 | 84.0% | 8.4%
La Rioja | 174 | 15 | 6 | 40.0% | 3.4%
Ceuta and Melilla | 2 | 2 | 0 | 0.0% | 0.0%
TOTAL | 8,112 | 585 | 471 | 80.5% | 5.8%
Source: INTECO


• The average response of local organisations represents an overall coverage of 34.2% of
the total population of Spain (44,708,964) [2].

Municipalities: by stratum
Participation was also high in each of the strata, as shown by Table 3, enabling the
analysis of the possible differences between security measures put in place by Local
Governments and information security and e-Trust in Town Councils located in municipal
areas with the largest number of inhabitants in the country.

In this case, participation by large town organisations was very high. The participating
Town Councils in areas with more than 50,000 inhabitants made up over 50% of the
total population and in the case of those with 50,000 to 100,000 inhabitants, coverage
of the participant population was up to 70%.

Table 3: No. of municipalities by stratum: pre-sample, sample and coverage by stratum (%)

Stratum | No. of inhabitants (in thousands) | No. Municipalities | Pre-sample: No. Municipalities | Sample: No. Municipalities | Participation against pre-sample | Coverage against population
A | More than 500 | 6 | 6 | 4 | 66.7% | 66.7%
B | From 100 to 500 | 53 | 53 | 27 | 50.9% | 50.9%
C | From 50 to 100 | 76 | 76 | 53 | 69.7% | 69.7%
D | From 10 to 50 | 576 | 120 | 109 | 90.8% | 18.9%
E | From 5 to 10 | 547 | 70 | 56 | 80.0% | 10.2%
F | From 2 to 5 | 1,016 | 70 | 62 | 88.6% | 6.1%
G | From 1 to 2 | 943 | 70 | 62 | 88.6% | 6.6%
H | From 0.5 to 1 | 1,069 | 60 | 39 | 65.0% | 3.6%
I | Less than 0.5 | 3,826 | 60 | 59 | 98.3% | 1.5%
TOTALS | | 8,112 | 585 | 471 | 80.5% | 5.8%
Source: INTECO

Provincial Governments and Island Departments


Participation in this type of Local Public Administration was also significant, with 49
organisations out of 63 taking part. This represents a 78% participation of this type of
local government in the study.

2.2.2 Fieldwork
Carried out between 21 February and 11 May 2007.

[2] INE: Detail population total in Classification: List of population units. www.ine.es

2.2.3 Information Gathering Method

Interviews with experts

Interviews, preferably face-to-face, with the sample of experts selected from well-known
professionals from the public and private sector. The profiles of the 52 participants include
professionals and experts from the Information and Communications Technology (ICT)
industrial sector or from Public Administration and academia, as well as political and
technical managers of information and security system divisions within Local Government.

Survey of Local Governments

With the collaboration of the Federación Española de Municipios y Provincias, the survey
was sent by personalised letter to identified staff in all Town Councils in areas with more
than 50,000 inhabitants and in Provincial Governments and Island Departments, and by
general mailshot to Town Councils in areas with less than 50,000 inhabitants.

2.2.4 Sampling Error

The sample was selected using a stratified method, with an estimated +/- 3.9% margin of
error and a confidence level of 95%.

2.2.5 Weighting

A stratified weighting has been carried out by number of inhabitants in municipal areas,
according to population figures in the List of Municipalities provided by the Instituto
Nacional de Estadística for 2006 [3].

[3] INE, Classification: List of population units. www.ine.es


3 INFORMATION SECURITY EQUIPMENT IN SPANISH LOCAL ADMINISTRATION OFFICES

3.1 Computing Equipment and Security Measures

3.1.1 Types of Internet Access and Connections

In the various Local Public Administration Offices, Internet access and connection is carried
out through basic telephone network systems (modem or ISDN); broadband (DSL, cable,
fibre optic or satellite); LMDS (rural ADSL) or PCL; and wireless networks (Wi-Fi) [4]:

Graph 1: Type of connection/access to Internet used by Town Councils in large
municipalities and Provincial Governments and Island Departments (%)

Connection type | Town Councils with over 500 staff | Town Councils with 100 to 500 staff | Town Councils with 50 to 100 staff | Provincial Governments and Island Departments
Wireless network (Wi-Fi) | 0.0% | 22.2% | 13.2% | 12.8%
LMDS (rural ADSL) or PCL | 0.0% | 0.0% | 3.8% | 8.5%
Broadband (DSL, Cable, Fibre Optic, Via Satellite) | 100% | 100% | 98.1% | 97.9%
Basic telephone network (modem, ISDN) | 25.0% | 11.1% | 7.5% | 4.3%

Source: INTECO

Broadband is the most popular method in all strata. This system is the one used by all
the Town Councils in municipalities of more than 100,000 inhabitants, as can be seen
in Graph 1. However, in the group of Town Councils in municipalities of less than
2,000 inhabitants there is still limited use of broadband.

[4] ISDN, Integrated Services Digital Network: a network for digital connection between various individuals enabling services to
be integrated through a single access system.
DSL, Digital Subscriber Line: digital connection through a telephone network.
LMDS, Local Multipoint Distribution Service: wireless connection by radio which, because of its bandwidth, allows voice,
Internet access and connection between individuals on a network.
ADSL, Asymmetric Digital Subscriber Line: type of DSL whose special feature is that incoming and outgoing connections do
not use the same channel or the same speed (asymmetry).
PCL, Power Line Communication: technology using electrical power lines for Internet access and for peripheral or network
connections.

Graph 2: Type of Internet connection/access in Town Councils of small and medium-sized
municipalities (%)

Connection type | Town Councils with 10 to 50 staff | Town Councils with 5 to 10 staff | Town Councils with 2 to 5 staff | Town Councils with 1 to 2 staff | Town Councils with 0.5 to 1 staff | Town Councils with less than 0.5 staff
Wireless network (Wi-Fi) | 19.3% | 8.9% | 16.1% | 11.3% | 17.9% | 10.2%
LMDS (rural ADSL) or PCL | 7.3% | 5.4% | 12.9% | 21.0% | 20.5% | 18.6%
Broadband (DSL, Cable, Fibre Optic, Satellite) | 95.4% | 85.7% | 82.3% | 53.2% | 59.0% | 30.5%
Basic telephone network (modem, ISDN) | 1.8% | 10.7% | 12.9% | 22.6% | 20.5% | 44.1%

Source: INTECO

Only Town Councils in municipalities of less than 500 inhabitants do not have broadband as
the predominant system. On the other hand, Town Councils in small municipalities with
less than 2,000 inhabitants have a greater variety of connection systems than those in
large towns.

3.1.2 Information Security Equipment in Local Administration Offices

In general and as shown in Table 5, the majority of information security measures are
more likely to be present in large Town Councils than in the smaller ones. In the
smaller towns there is greater disparity in the rates of adoption of security measures
by the Administrations, as will be shown in the comparative analysis by strata. Graph 3
shows the rates at which security measures have been implemented by Local
Administration Offices. The most common security measure adopted by Spanish Local
Governments is anti-virus software, installed in 98.1% of organisations. Making security
copies of data (backup) and VPN for remote access [5] to the system are the least common
measures.

[5] VPN (Virtual Private Network) is a technology that allows a local network of computers to be connected, or to expand the
network, using a public network. The most common case is connection from a public computer (e.g. through the Internet) to a
local network or computer.


Graph 3: Information Security Equipment in Spanish Local Administration Offices (%)

Security measure | Organisations
Anti-virus | 98.1%
Firewall | 74.7%
Authentication/Access control | 71.4%
Anti-spam | 70.8%
Communication encryption | 70.3%
Other systems (malware) | 53.3%
E-signature/digital certificates | 52.3%
Contents filtering | 47.9%
Security copies | 46.1%
VPN (remote access) | 40.2%

Source: INTECO

Comparative analysis of security measures in Local Administration Offices vs. Spanish homes

Table 4: Comparison between most commonly adopted protective measures in Local Administration Offices and Spanish homes

Ranking  Local Administration Offices                    Homes
1        Anti-virus programs                             Anti-virus programs
2        Firewall                                        Firewall
3        Authentication/Access Control                   Popup blocker
4        Anti-spam                                       Deletion of temporary files and cookies
5        Communication encryption                        Anti-spam
6        Other systems for protection against malware    Anti-spyware
7        Electronic signature/Digital certificates       Passwords (computer and documents)
8        Contents filter                                 OS security updates
9        Backup copies                                   Backup of important files
10       VPN (remote access)                             Hard disk partition
Source: INTECO


Table 4 places the security measures adopted in Local Government and in Spanish homes side by
side, each in descending order of popularity 6. Local Government Offices show greater concern
for safeguarding access to information (authentication measures/access control) and for
protecting against malicious code (malware). In homes, protection of the individual computer
is reflected in measures focused more on the system itself, and measures such as VPN are
really only relevant to Local Organisations. In Local Administration, measures such as
communication encryption or electronic signature are also more common, since they are of a
more technical nature and not normally within the scope of domestic users, who place them
last (document encryption).

Comparative Analysis of Security Measures by Strata

Table 5: Information Security Devices by Strata in Local Organisations (%)

Population (in thousands)                 Town Councils in Small  Town Councils in Medium-Town Councils in Large
                                          Municipalities          sized Municipalities    Municipalities
Measure                                   Less    0.5     1       2       5       10      50      100     More    Prov.
                                          than    to      to      to      to      to      to      to      than    Dept.
                                          0.5     1       2       5       10      50      100     500     500     Council
Anti-virus                                94.9%   92.3%   96.8%   98.4%   100.0%  99.1%   100.0%  100.0%  100.0%  100.0%
Anti-spam                                 39.0%   41.0%   58.1%   56.5%   73.2%   83.5%   96.2%   92.6%   75.0%   97.9%
Contents filter                           23.7%   25.6%   33.9%   45.2%   42.9%   64.2%   52.8%   66.7%   100.0%  66.0%
Firewall or Internet access protection    54.2%   51.3%   46.8%   62.9%   80.4%   86.2%   94.3%   100.0%  100.0%  100.0%
Authentication and access control
  for computers and applications          27.1%   43.6%   50.0%   74.2%   89.3%   95.4%   83.0%   92.6%   25.0%   76.6%
Other systems for preventing malicious
  code (malware)                          18.6%   30.8%   37.1%   45.2%   67.9%   79.8%   64.2%   51.9%   50.0%   57.4%
Electronic signature and digital
  certificates                            30.5%   35.9%   32.3%   48.4%   53.6%   57.8%   73.6%   63.0%   100.0%  76.6%
Communication encryption                  62.7%   66.7%   82.3%   85.5%   85.7%   70.6%   49.1%   59.3%   75.0%   57.4%
VPN (remote access)                       8.5%    12.8%   9.7%    21.0%   30.4%   43.1%   86.8%   100.0%  100.0%  80.9%
Data backup                               8.5%    12.8%   9.7%    22.6%   39.3%   54.1%   98.1%   96.3%   100.0%  97.9%

Source: INTECO

The general trend is that the larger the municipality on which the local organisation
depends, the more measures are adopted and the higher the percentage of organisations
adopting them. The largest differences between Governments of small and large municipalities
appear in security tools such as other malware prevention systems, electronic signature,
content filter, backup copies and remote access.

6 INTECO: Study on Information Security and e-Trust in Spanish households (1st wave: Dec-Jan 07) - www.inteco.es


4 ANALYSIS OF GOOD PRACTICE FOR MANAGING INFORMATION SECURITY IN SPANISH LOCAL ADMINISTRATION OFFICES

The various aspects and practices of managing information security set out in international
standard ISO/IEC 27002:2007, Code of Good Practice for Information Security
Management have been analysed.

4.1 Security Organisation and Management


Lines of action must be clearly set out that reflect organisational objectives and show
support for and commitment to information security. To this end, the organisation's
information has to be classified and/or labelled according to, for example, its degree of
confidentiality, its value, etc. The Governments of municipalities with 100,000 to 500,000
inhabitants are those which most frequently have a classified and updated inventory of all
the significant assets associated with each information system.

Graph 4: Organisational and Management Practices in large Town Councils, Provincial Governments and Island Departments (%)

                                                      Town Councils with ... staff       Prov. Govts and
Practice                                              over 500   100 to 500 50 to 100   Island Depts.
Information classification and/or labelling           0.0%       37.0%      32.1%       31.9%
Existence of a classified and updated inventory of
  users associated with each information system       0.0%       77.8%      67.9%       57.4%
Existence of a person responsible for security of
  information                                         75.0%      85.2%      52.8%       55.3%
Existence of a security of information policy
  document                                            25.0%      51.9%      39.6%       27.7%

Source: INTECO

In terms of a designated person responsible for information security and/or personal data
protection, the figures in Graph 4 show widespread implementation of this role. An additional
tool in the area of Security Organisation and Management is the production of a security
policy document, approved by management and published and disseminated to all employees. That
this is not the most common tool may be because, even where a security policy document
exists, it has not been fully approved by management or has not been disseminated to all
employees. Town Councils with fewer than 50,000 inhabitants were asked about implementation,
in general terms, of information security procedures, which were more common in medium-sized
Councils (Graph 5).

Graph 5: Existence of computing security procedures in small and medium-sized municipalities (%)

                                          Town Councils with ... staff
Practice                                  10 to 50   5 to 10    2 to 5     1 to 2     0.5 to 1   less than 0.5
Computing security procedures             66.1%      64.3%      56.5%      38.7%      38.5%      30.5%

Source: INTECO

4.2 Asset Security


The main objective of the practices and tools for information security in this area is to
achieve and maintain adequate protection for the organisation's assets. To do this, all
assets must be inventoried, their owners identified and responsibility for maintaining
security controls assigned. Generally speaking, Town Councils in municipalities of more than
50,000 inhabitants and Provincial Governments do not follow a policy for protecting
confidential information against loss, damage or unauthorised use. Included under this
heading is the so-called clear desk and locked screen policy which, in the view of all the
experts consulted in the study, is the most important practice. The data on deleting
information from out-of-service or recyclable computing equipment suggests there is a great
deal of concern about equipment recycling by external companies: this is monitored by almost
all Local Governments, and the figures reach 100% or very close to it in all the Local
Organisations in large municipalities.


Graph 6: Security practices in Town Councils in large municipalities, Provincial Governments and Island Departments (%)

                                                      Town Councils with ... staff       Prov. Govts and
Practice                                              over 500   100 to 500 50 to 100   Island Depts.
Information protection and confidentiality policy
  against loss, damage or unauthorised use            25.0%      29.6%      35.8%       27.7%
Deletion of information from obsolete computing
  equipment                                           100%       100%       96.2%       91.5%

Source: INTECO

Survey participants were also questioned about protection of technological equipment and
facilities in order to reduce the risks arising from accidents and natural disasters
(Table 6).

Table 6: Protection of technological equipment and facilities to reduce the risk associated with accidents and natural disasters in local organisations (%)

Population (in thousands)                             YES      NO       NA
Small         Town Councils less than 0.5             37.3%    62.7%    0.0%
              From 0.5 to 1                           30.8%    66.7%    2.5%
              From 1 to 2                             45.2%    54.8%    0.0%
Medium-sized  From 2 to 5                             50.0%    50.0%    0.0%
              From 5 to 10                            66.1%    32.1%    1.8%
              From 10 to 50                           78.9%    20.2%    0.9%
Large         From 50 to 100                          56.6%    39.6%    3.8%
              From 100 to 500                         74.1%    25.9%    0.0%
              More than 500                           75.0%    25.0%    0.0%
Provincial Governments and Island Departments         68.1%    31.9%    0.0%
Source: INTECO

Regarding access control to private areas (Table 7), this physical security measure is
predominant in Town Councils in medium-sized and large municipalities.


Table 7: Protection of private areas with appropriate access controls to ensure entry for authorised local organisation personnel only (%)

Population (in thousands)                             YES      NO       NA
Small         Town Councils less than 0.5             20.3%    78.0%    1.7%
              From 0.5 to 1                           15.4%    82.1%    2.5%
              From 1 to 2                             27.4%    72.6%    0.0%
Medium-sized  From 2 to 5                             30.6%    69.4%    0.0%
              From 5 to 10                            46.4%    51.8%    1.8%
              From 10 to 50                           50.5%    49.5%    0.0%
Large         From 50 to 100                          58.5%    39.6%    1.9%
              From 100 to 500                         66.7%    29.6%    3.7%
              More than 500                           25.0%    75.0%    0.0%
Provincial Governments and Island Departments         51.1%    48.9%    0.0%
Source: INTECO

4.3 Security in Human Resources


This is to ensure that all users, whether employees or external collaborators, know
and fulfil their responsibilities regarding information security in order to reduce the
risk of theft, fraud or misuse of resources.

Table 8: Existence of confidentiality agreements with Local Organisation employees (%)

Population (in thousands)                             YES      NO       NA
Small         Town Councils less than 0.5             4.8%     90.2%    5.0%
              From 0.5 to 1                           7.1%     89.9%    3.0%
              From 1 to 2                             5.5%     90.6%    3.9%
Medium-sized  From 2 to 5                             12.9%    87.1%    0.0%
              From 5 to 10                            12.5%    85.7%    1.8%
              From 10 to 50                           9.2%     87.2%    3.6%
Large         From 50 to 100                          18.9%    79.2%    1.9%
              From 100 to 500                         29.6%    63.0%    7.4%
              More than 500                           25.0%    75.0%    0.0%
Provincial Governments and Island Departments         29.8%    68.1%    2.1%
Source: INTECO

Confidentiality Agreements with employees, details of which are shown in Table 8, are
currently a topic of increasing importance.


Table 9: Training for employees and external collaborators in security policies and procedures in Local Organisations (%)

Population (in thousands)                             YES      NO       NA
Small         Town Councils less than 0.5             3.4%     96.6%    0.0%
              From 0.5 to 1                           7.7%     92.3%    0.0%
              From 1 to 2                             9.7%     88.7%    1.6%
Medium-sized  From 2 to 5                             17.7%    82.3%    0.0%
              From 5 to 10                            14.3%    83.9%    1.8%
              From 10 to 50                           22.0%    77.1%    0.9%
Large         From 50 to 100                          28.3%    67.9%    3.8%
              From 100 to 500                         37.0%    59.3%    3.7%
              More than 500                           50.0%    50.0%    0.0%
Provincial Governments and Island Departments         17.0%    78.7%    4.3%
Source: INTECO

Another significant issue is that of security training for staff to update them on the
organisation's security policies and procedures.

Graph 7: Other human resources security practices in large Town Councils, Provincial Governments and Island Departments (%)

                                                      Town Councils with ... staff       Prov. Govts and
Practice                                              over 500   100 to 500 50 to 100   Island Depts.
Inclusion of security roles and responsibilities
  in job descriptions                                 0.0%       37.0%      32.1%       17.0%
Reporting to Management on security incidents         50.0%      77.8%      67.9%       70.2%

Source: INTECO

Town Councils in large municipalities, Provincial Governments and Island Departments were
asked about assigning security roles and responsibilities when defining job descriptions, and
about communication of security incidents occurring in the organisation through appropriate
information channels, so as to allow correct planning and speed of response in the event of
a security incident.

Likewise, password management procedures for accessing systems and applications include
signing a confidentiality agreement with the employee, managing regular password changes and
establishing secure channels for transmitting credentials, in order to prevent leakage
through insecure or external channels.

Graph 8: Existence of password management procedures for accessing systems and applications in small and medium-sized Town Councils (%)

                                          Town Councils with ... staff
Practice                                  10 to 50   5 to 10    2 to 5     1 to 2     0.5 to 1   less than 0.5
Procedures for managing system access and
  application passwords                   67.9%      60.7%      43.5%      32.3%      38.5%      30.5%

Source: INTECO

4.4 Network and Operations Security


In this case, the secure operation of the organisation's information processing resources
must be ensured. To do this, responsibilities and operational procedures must be established
for all information resources, and execution and control duties must be segregated, so that
task management is separated to reduce the risk of negligence or misuse of information
resources; alternatively, activities must be monitored, audit trails obtained or management
supervised.

3 out of every 4 Town Councils in municipalities of more than 500,000 inhabitants have set
up security requirements with contractors and external suppliers, and have included these
clauses in their contracts.


Graph 9: Appropriate security measures set up with contractors and included in contracts in Town Councils, Provincial Governments and Island Departments (%)

                                                      Town Councils with ... staff       Prov. Govts and
Practice                                              over 500   100 to 500 50 to 100   Island Depts.
Security measures set up with contractors and
  included in contracts                               75.0%      48.1%      49.1%       46.8%

Source: INTECO

Prevention and detection controls aimed at protecting systems against malicious code
(malware) are among the most common measures.

Table 10: Existence of prevention and detection controls for protection against malicious software (malware) in Local Organisations (%)

Population (in thousands)                             YES      NO       NA
Small         Town Councils less than 0.5             88.7%    4.8%     6.5%
              From 0.5 to 1                           58.9%    38.9%    2.2%
              From 1 to 2                             47.7%    49.2%    3.1%
Medium-sized  From 2 to 5                             95.2%    4.8%     0.0%
              From 5 to 10                            96.4%    1.8%     1.8%
              From 10 to 50                           98.2%    1.8%     0.0%
Large         From 50 to 100                          92.5%    5.7%     1.8%
              From 100 to 500                         100.0%   0.0%     0.0%
              More than 500                           100.0%   0.0%     0.0%
Provincial Governments and Island Departments         100.0%   0.0%     0.0%
Source: INTECO

Another widely adopted practice in all strata is making backup copies of information and/or
essential programs (backup). This measure is the most widely used, both in the public sphere
(Table 11) and in businesses 7; but not in homes, where it only reaches 34.2% 8. In this case
the existence of devices for making backup copies was also analysed (backup media such as
data servers, and copying processes on individual machines across all the machines in the
organisation).

Table 11: Existence of backup copies of data and/or essential software in Local Organisations (%)

Population (in thousands)                             YES      NO       NA
Small         Town Councils less than 0.5             82.3%    12.9%    4.8%
              From 0.5 to 1                           66.1%    33.6%    0.3%
              From 1 to 2                             45.9%    51.0%    3.1%
Medium-sized  From 2 to 5                             95.2%    4.8%     0.0%
              From 5 to 10                            94.6%    3.6%     1.8%
              From 10 to 50                           98.2%    0.9%     0.9%
Large         From 50 to 100                          98.1%    0.0%     1.9%
              From 100 to 500                         100.0%   0.0%     0.0%
              More than 500                           100.0%   0.0%     0.0%
Provincial Governments and Island Departments         97.9%    2.1%     0.0%
Source: INTECO

In respect of controls to guarantee the security of data networks (e.g. firewalls), some Town
Councils acquire tools of this kind, such as firewalls, but do not make the most of their
features: after configuring them at installation, their logs are not analysed, their rule
sets are not documented and the firmware 9 is not updated; therefore, the figures for the
presence of these tools in Local Government offices (Table 5) are higher than the figures
for their actual use shown in Table 12.

7 INE: According to data from the Survey of the use of ICT and Electronic Commerce in Companies 2005-2006, 59.4% of companies who have implemented internal security measures use backup copies. www.ine.es
8 INTECO: Study on Information Security and e-Trust in Spanish households (1st Wave: Dec-Jan 07) - www.inteco.es
9 Firmware: The program that establishes the logic for controlling the electronic circuits of a device.
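The point made above about firewalls whose logs are never analysed is the kind of gap a small administration can close with very little tooling. The following script is an added example, not part of the INTECO study and not the code of any council: it parses a constructed batch of iptables-style syslog records (the "FW-DROP"/"FW-ACCEPT" prefixes, addresses and port numbers are all invented sample data), counts dropped connections per source address and per destination port, and flags sources that exceed a threshold, which is a minimal form of the periodic log review the report says is missing.

```python
import re
from collections import Counter

# Constructed sample of syslog/iptables-style firewall records (no real council data).
# The ICMP record has no port fields and the last line is deliberately malformed,
# so the parser has to cope with both without silently losing records.
SAMPLE_LOG = """\
Mar 12 09:14:02 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51122 DPT=22
Mar 12 09:14:03 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51123 DPT=22
Mar 12 09:14:05 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51124 DPT=3389
Mar 12 09:15:10 fw kernel: FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443
Mar 12 09:16:44 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.11 PROTO=UDP SPT=5353 DPT=161
Mar 12 09:17:01 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51125 DPT=22
Mar 12 09:17:30 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=ICMP
garbage line that is not a firewall record
"""

# One record per line: timestamp, host, verdict, then the netfilter key=value fields.
# SPT/DPT are optional because ICMP records carry no ports.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: FW-(?P<action>DROP|ACCEPT) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return a dict of fields for a firewall record, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def summarise(log_text):
    """Aggregate a log excerpt into the counters a reviewer would look at first."""
    dropped_by_src = Counter()
    dropped_ports = Counter()
    accepted = 0
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # keep a count so parser gaps are visible, not hidden
            continue
        if rec["action"] == "DROP":
            dropped_by_src[rec["src"]] += 1
            if rec["dpt"] is not None:
                dropped_ports[f"{rec['proto']}/{rec['dpt']}"] += 1
        else:
            accepted += 1
    return {
        "dropped_by_src": dropped_by_src,
        "dropped_ports": dropped_ports,
        "accepted": accepted,
        "unparsed": unparsed,
    }


def noisy_sources(summary, threshold=3):
    """Source addresses whose dropped-connection count reaches the review threshold."""
    return sorted(src for src, n in summary["dropped_by_src"].items() if n >= threshold)


def report(summary, threshold=3):
    """Human-readable digest suitable for a daily review e-mail."""
    lines = [f"accepted: {summary['accepted']}  unparsed lines: {summary['unparsed']}"]
    lines.append("dropped connections by source:")
    for src, n in summary["dropped_by_src"].most_common():
        lines.append(f"  {src:<16} {n}")
    lines.append("dropped connections by destination port:")
    for port, n in summary["dropped_ports"].most_common():
        lines.append(f"  {port:<10} {n}")
    flagged = noisy_sources(summary, threshold)
    lines.append(f"sources at or above {threshold} drops: {', '.join(flagged) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarise(SAMPLE_LOG)))
```

Run against a real export the only parts that need adapting are the regular expression (the log prefix and field names depend on the firewall product) and the threshold; the structure of the review stays the same.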


Table 12: Existence of technical measures for guaranteeing the security of communication networks in Local Organisations (%)

Population (in thousands)                             YES      NO       NA
Small         Town Councils less than 0.5             46.8%    45.2%    8.0%
              From 0.5 to 1                           23.2%    74.9%    1.9%
              From 1 to 2                             37.6%    54.6%    7.8%
Medium-sized  From 2 to 5                             53.2%    43.5%    3.3%
              From 5 to 10                            62.5%    30.4%    7.1%
              From 10 to 50                           84.4%    14.7%    0.9%
Large         From 50 to 100                          67.9%    30.2%    1.9%
              From 100 to 500                         81.5%    18.5%    0.0%
              More than 500                           25.0%    75.0%    0.0%
Provincial Governments and Island Departments         72.3%    27.7%    0.0%
Source: INTECO

The retention and review of operation records is an insufficiently adopted practice in the
target group of Town Councils and in the Provincial Governments and Island Departments
studied, with levels that do not exceed 50% in any stratum of the Local Organisations
surveyed.

Graph 10: Other security practices in large municipalities, Provincial Governments and Island Departments (%)

                                                      Town Councils with ... staff       Prov. Govts and
Practice                                              over 500   100 to 500 50 to 100   Island Depts.
Operations records kept                               50.0%      40.7%      47.2%       48.9%
Security controls in web sites with online
  transactions                                        100%       66.7%      52.8%       51.1%
Policy for the correct use of electronic mail         25.0%      77.8%      60.4%       66.0%
Control procedures for removable computer media
  and printed reports                                 100%       96.3%      92.5%       100%

Source: INTECO


Where Local Government offices have a web site on which online transactions can be carried
out (consulting records, making payments, etc.), the implementation of controls to guarantee
its security was studied, using practices and tools such as the https protocol, digital
signature or identity management 10.

Policies for the correct use of electronic mail include protective measures against e-
mail attacks, possibility of interception, handling attachments and guidelines on the use of
organisational e-mail. Removable computing equipment and printed reports include
handling tapes, disks and paper documents. Control procedures for these items are
focused on deleting their content when no longer required, recording destroyed items and
safe storage.

Other practices adopted by Local Administration offices in municipalities with fewer than
50,000 inhabitants are secure storage of backup copies, which has insufficient take-up, and
updating of operating systems and other computing applications in order to keep systems
healthy and prevent vulnerabilities that could affect both the computers and the programs
installed on them.

Graph 11: Other security practices in small and medium-sized municipalities (%)

                                          Town Councils with ... staff
Practice                                  10 to 50   5 to 10    2 to 5     1 to 2     0.5 to 1   less than 0.5
Storage of security copies in a protected
  place                                   73.4%      50.0%      48.4%      28.4%      33.9%      32.3%
Updating of operating systems and other
  computing applications                  89.0%      75.0%      62.9%      20.2%      39.3%      50.0%

Source: INTECO

10 https protocol (HyperText Transfer Protocol Secure): a set of rules that govern the communication and requests for access and response between machines. In the case of https, information is encrypted before being transmitted from one machine to another. Digital signature: a cryptographic system that certifies the identity of the person sending information.


4.5 Access and Data Security


The main objective in this area is focused on controlling correct access to information
by members of the organisation, taking into account the security policy and
authorisations for use of the information, by applying measures relating to control and
management of user access, network access, access to the operating system, access to
applications, remote access and teleworking.

In terms of rules for controlling and managing user access and passwords (Table 13), access
control and management involves the correct assignment of each individual's privileges,
together with documented records of them; secure password management implies that both
parties sign an agreement, that a first, temporary password is assigned and that secure
channels for transmitting passwords are set up.
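The password management procedure described here and in section 4.3 (documented registration and deregistration of users, a first temporary password that the user must replace, regular password changes, and credentials that are never stored or sent in clear) can be made concrete in code. The block below is an added example written for this page, not code from the INTECO study or from any Local Organisation; the 90-day rotation period, the 12-character minimum and the PBKDF2 parameters are assumptions chosen for the illustration, since the report gives no figures.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)   # assumed rotation period (the report gives no figure)
MIN_LENGTH = 12                          # assumed minimum length for user-chosen passwords
PBKDF2_ITERATIONS = 100_000              # assumed work factor for the stored hash


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    set_at: datetime
    must_change: bool = True   # True while the first (temporary) password is still in force


def _derive(password, salt):
    """Salted PBKDF2-HMAC-SHA256: only the derived key is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def generate_initial_password(length=14):
    """Random first password, to be handed to the user over an agreed secure channel."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


class UserDirectory:
    """Registration and deregistration with a documented record of every change."""

    def __init__(self):
        self._accounts = {}
        self.audit = []   # (timestamp, event, username): the documented record of changes

    def register(self, username, now):
        if username in self._accounts:
            raise ValueError(f"{username!r} is already registered")
        initial = generate_initial_password()
        salt = secrets.token_bytes(16)
        acct = Account(username, salt, _derive(initial, salt), now, must_change=True)
        self._accounts[username] = acct
        self.audit.append((now, "register", username))
        return acct, initial   # the caller delivers 'initial' securely; it is not kept in clear

    def unregister(self, username, now):
        if self._accounts.pop(username, None) is None:
            return False
        self.audit.append((now, "unregister", username))
        return True

    def lookup(self, username):
        return self._accounts.get(username)


def check_password(acct, password):
    # Constant-time comparison of the derived keys.
    return hmac.compare_digest(acct.pw_hash, _derive(password, acct.salt))


def password_expired(acct, now):
    return now - acct.set_at > MAX_PASSWORD_AGE


def login(acct, password, now):
    """Outcome of an authentication attempt: 'denied', 'change_required' or 'ok'."""
    if acct is None or not check_password(acct, password):
        return "denied"
    if acct.must_change or password_expired(acct, now):
        return "change_required"   # temporary password still in use, or rotation overdue
    return "ok"


def change_password(acct, old, new, now):
    """User-initiated change: proves knowledge of the old password, enforces length and novelty."""
    if not check_password(acct, old) or len(new) < MIN_LENGTH or new == old:
        return False
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = _derive(new, acct.salt)
    acct.set_at = now
    acct.must_change = False
    return True


def demo_lifecycle():
    """Walk one constructed account through the procedure; returns each step's outcome."""
    directory = UserDirectory()
    t0 = datetime(2024, 1, 8, 9, 0)               # constructed timestamp
    acct, initial = directory.register("clerk", t0)
    steps = {}
    steps["wrong_password"] = login(acct, "wrong-guess", t0)
    steps["first_login"] = login(acct, initial, t0)
    steps["too_short_rejected"] = change_password(acct, initial, "short", t0)
    steps["change_ok"] = change_password(acct, initial, "Correct-Horse-Battery-9", t0)
    steps["normal_login"] = login(acct, "Correct-Horse-Battery-9", t0 + timedelta(days=10))
    steps["expired_login"] = login(acct, "Correct-Horse-Battery-9", t0 + timedelta(days=91))
    steps["old_password_denied"] = login(acct, initial, t0 + timedelta(days=10))
    steps["unregistered"] = directory.unregister("clerk", t0 + timedelta(days=100))
    steps["login_after_removal"] = login(directory.lookup("clerk"), "Correct-Horse-Battery-9", t0)
    steps["audit_events"] = [event for _, event, _ in directory.audit]
    return steps


if __name__ == "__main__":
    for step, outcome in demo_lifecycle().items():
        print(f"{step:<22} {outcome}")
```

The `audit` list stands in for the "documented records" the paragraph mentions; in a real deployment it would be written to a log that the people reviewing operation records (section 4.4) can read, and the initial password would be delivered through whatever secure channel the organisation has agreed rather than returned to the caller.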

Table 13: Existence of documented rules for registering and unregistering users and/or assigning passwords in Local Organisations (%)

Population (in thousands)                             YES      NO       NA
Small         Town Councils less than 0.5             30.5%    69.5%    0.0%
              From 0.5 to 1                           38.5%    61.5%    0.0%
              From 1 to 2                             32.3%    67.7%    0.0%
Medium-sized  From 2 to 5                             43.5%    56.5%    0.0%
              From 5 to 10                            60.7%    37.5%    1.8%
              From 10 to 50                           67.9%    32.1%    0.0%
Large         From 50 to 100                          60.4%    35.8%    3.8%
              From 100 to 500                         70.4%    29.6%    0.0%
              More than 500                           100.0%   0.0%     0.0%
Provincial Governments and Island Departments         63.8%    36.2%    0.0%
Source: INTECO

Secure access (user authentication) for remote connection and control of user access to the
operating system are practices generally implemented in municipalities. In this respect, the
systems of Town Councils in large municipalities and Provincial Governments are the only ones
to control access to configurations and changes to equipment parameters. Likewise, retention
of audit logs and records of other security incidents for a fixed period of time is quite
common in Local Government offices.

Secure access to applications and particularly those for high level information
management (sensitive information) outside normal office hours is not a commonly adopted
practice in Spanish Local Administration.


Graph 12: Other access and data security practices in Town Councils in large municipalities, Provincial Governments and Island Departments (%)

                                                      Town Councils with ... staff       Prov. Govts and
Practice                                              over 500   100 to 500 50 to 100   Island Depts.
Remote access to the network achieved by means
  of a secure identification process                  100%       88.9%      81.1%       91.5%
Controlling that operating system configuration
  is only carried out by authorised personnel         100%       100%       92.5%       91.5%
Restrictions on the use of high risk applications
  outside office hours                                25.0%      37.0%      34.0%       42.6%
Storage of audit records and other security
  incidents for a specific period of time             75.0%      81.5%      64.2%       76.6%

Source: INTECO

The existence of communication filters in Town Councils in medium-sized municipalities is
relatively common.

Graph 13: Other access and data security practices in small and medium-sized municipalities (%)

                                          Town Councils with ... staff
Practice                                  10 to 50   5 to 10    2 to 5     1 to 2     0.5 to 1   less than 0.5
Organisational communication filtering    84.4%      62.5%      53.2%      20.2%      23.2%      46.8%
Wireless connection encryption            43.1%      23.2%      19.4%      8.3%       16.1%      8.1%

Source: INTECO


Local Organisations using encryption protocols for wireless communication are no more than
16.1% in the case of Governments of small municipalities (Graph 13) and, generally speaking,
implementation barely reaches 25%.

4.6 System Development and Maintenance Security: Application Security


The objective of System Development and Maintenance Security is to guarantee that security
plays an integral role in the development and maintenance of information applications and
systems, which include operating systems and infrastructure, and both standard and bespoke
applications used in the organisation. Security requirements must be identified and
specified, and taken into account whenever maintenance changes are made.

This group of practices was the object of specific analysis in the Local Administration
offices in municipalities with more than 50,000 inhabitants (Graph 14). They include basic
principles on security features affecting the control and management of the security of
application systems, cryptographic controls, security of system files and security in
development and support processes.

Graph 14: Security of system development and maintenance practices in Town Councils in large municipalities, Provincial Governments and Island Departments (%)

                                                      Town Councils with ... staff       Prov. Govts and
Practice                                              over 500   100 to 500 50 to 100   Island Depts.
Operating systems and other programs are updated      75.0%      81.5%      81.1%       83.0%
Authorised personnel control the installation of
  operating systems and other programs                100%       100%       94.3%       93.6%
Data is encrypted to protect confidentiality of
  critical or sensitive information                   25.0%      29.6%      30.2%       48.9%

Source: INTECO

Updating operating systems and installed programs with the latest security patches is of
fundamental importance in order to prevent potential vulnerabilities. Control over the
installation of applications and operating systems by authorised staff is a widespread
practice. The use of cryptographic controls includes encryption of sensitive data or the use
of digital signatures to protect the confidentiality, authenticity and integrity of critical
information.

4.7 Operational Continuity or Business Continuity


In this case the objective is that the organisation should be able to react in the event of
an interruption to its activities and to protect its critical business processes from
disasters or serious incidents in its information systems, guaranteeing their timely
recovery. This plan should consider how to react in the event of natural disasters,
accidents, equipment failure or deliberate attack, analysing risks and impact and identifying
possible origins of incidents and a strategy for recovering normal activity.

Table 14: Availability of a continuity plan for after any factor causing activity disruption in the local organisations (%)

Population (in thousands)                             YES      NO       NA
Small         Town Councils less than 0.5             0.0%     93.5%    6.5%
              From 0.5 to 1                           5.4%     92.8%    1.8%
              From 1 to 2                             3.7%     88.6%    7.7%
Medium-sized  From 2 to 5                             6.5%     93.5%    0.0%
              From 5 to 10                            1.8%     94.6%    3.6%
              From 10 to 50                           15.6%    84.4%    0.0%
Large         From 50 to 100                          24.5%    73.6%    1.9%
              From 100 to 500                         40.7%    51.9%    7.4%
              More than 500                           75.0%    25.0%    0.0%
Provincial Governments and Island Departments         42.6%    55.3%    2.1%
Source: INTECO

4.8 Compliance with Regulations


The objective is to prevent failure to comply with any legal, statutory, regulatory or
contractual obligation in the area of intellectual property rights and personal data
(personnel data or contact details), as set out in LSSI-CE 11, LPI 12, LGT 13 and LOPD 14;
with the regulations on the use of cryptographic codes, hardware, software and methods
governed by the Electronic Signature Act 15; and to carry out audits of compliance with the
security policy.

11 LSSI-CE: Information Society and Electronic Commerce Services Act 34/2002, dated 11 July (Servicios de la Sociedad de la Información y Comercio Electrónico).
12 LPI: Intellectual Property Act 22/1987, dated 11 November (Ley de Propiedad Intelectual).
13 LGT: General Taxation Act 58/2003, dated 17 December (General Tributaria).
14 LOPD: Data Protection Act 15/1999, dated 13 December (Protección de Datos de Carácter Personal).
15 Electronic Signature Act: Electronic Signature Act 59/2003, dated 19 December (Firma Electrónica).


Graph 15: Compliance with regulations in Town Councils in large municipalities, Provincial Governments and Island Departments (%)

                                                      Town Councils with ... staff       Prov. Govts and
Practice                                              over 500   100 to 500 50 to 100   Island Depts.
Monitoring of Data Protection Act                     25.0%      88.9%      77.4%       63.8%
Compliance with regulations such as LSSI-CE, LPI,
  LGT, etc.                                           25.0%      55.6%      64.2%       63.8%
Audits of security policies                           0.0%       22.2%      32.1%       23.4%

Source: INTECO

The availability of an updated security document that complies with LOPD requirements is not
a common feature in Town Councils in small and medium-sized municipalities.

Graph 16: Availability of an updated security document in small and medium-sized Town Councils (%)

                                          Town Councils with ... staff
Practice                                  10 to 50   5 to 10    2 to 5     1 to 2     0.5 to 1   less than 0.5
Availability of up-to-date Security
  Document                                47.7%      35.7%      32.3%      11.9%      16.1%      9.7%

Source: INTECO


5 EXPERTS' OPINION

The participation of experts in information, communication and security technologies has
been highly valuable in achieving the end purpose of the study. They have been able to enrich
the data collected with their experience and knowledge of management and/or techniques in
the context of public organisations; their responsibilities in the management of information
and communication systems in terms of both demand and supply of services and solutions; and
their representation at the various levels of Local Public Organisations and their
specialisation in information security and/or digital confidence.

These professionals have contributed their qualified opinion in respect of two issues:

• The state and the requirements of security issues in Local Public Organisations
(current availability of resources and their possible evolution in the medium and
long term, together with anticipated future implementation actions).

• The best security and digital confidence practices that should be implemented for
efficient risk management, and their current implementation level.

5.1 Current State of Security and Digital Confidence

Table 15: Strengths and Opportunities for Improvement identified by the experts

Ranking  Strengths                                              Opportunities for improvement
1        High awareness of the importance of security           Insufficient budget for information security in
                                                                all local organisations
2        Person in charge of security and of data protection    Absence of training
         compliance
3        Inventory of assets to control computing equipment     Impossibility of having available resources in
         and resources                                          small Town Councils
4        Inclusion of security clauses and conditions in        Lack of policies for the correct use of
         contracts with third parties                           electronic mail
5        Physical protection and access controls for            Absence of mechanisms for locking inactive
         equipment*                                             high-risk terminals
6        Management of identification, passwords and user       Lack of policies and controls addressing the
         privileges*                                            risks of working with mobile computing
                                                                infrastructures, particularly in the case of
                                                                teleworking
7        Making backup copies and managing removable devices    Absence of policies for the use of cryptographic
                                                                controls and under-use of encryption
8        Management of security incidents*                      Unequal adoption of control over the installation
                                                                of software or operating systems on computers
9        Controls for preventing and detecting malware          Limited compliance with data protection rules
                                                                (audits and facilitating the exercise of rights)
10       Updating operating systems and applications            Unequal availability of business continuity plans
                                                                despite a high level of awareness

Source: INTECO


5.2 Best security practices in local organisations

According to the experts, the most significant practices for each area of security were:

Graph 17: Practices relating to SECURITY ORGANISATION AND MANAGEMENT (%)

Security requirements for others with access                                          69.1%
Contact maintained with authorities responsible for law enforcement                   61.2%
Management of authorisation for new infrastructures                                   59.3%
Assets inventory                                                                      54.9%
Security Policy document                                                              45.4%
Defined responsibilities for assets protection                                        45.3%
Information Security Manager                                                          45.1%
Control of classification and protection of information                              44.9%
Implemented procedures for labelling and handling information                         41.9%
Security requirements for outsourcing contracts                                       38.1%

Source: INTECO

Graph 18: Practices relating to ASSET SECURITY (%)

"Clean desk and locked screen" policy                                                 89.7%
Telecommunications equipment protected against interception                           62.1%
Security areas protected by access controls                                           62.1%
Authorisation management process for using equipment                                  58.6%
Equipment maintenance to ensure integrity and availability                            58.6%
Information deleted from equipment withdrawn from service                             44.8%
Equipment protected against power failures and other electrical anomalies             44.8%
Controls and directives in secure areas that improve security by physical controls    44.8%
Secure areas with special security requirements                                       44.8%
Controlled loading and unloading areas                                                31.0%

Source: INTECO


Graph 19: Practices relating to HR SECURITY (%)

Mechanisms for quantifying and monitoring the number and cost of security incidents   51.7%
Reporting by users of vulnerabilities or security threats                             37.9%
Detection of security incidents                                                       37.9%
Procedures for reporting software malfunctions                                        34.5%
Training in security procedures and policies                                          34.5%
Confidentiality agreements                                                            34.5%
Verification in the personnel recruitment process                                     24.1%
Security roles and responsibilities                                                   24.1%
Disciplinary procedures related to violation of security policies and procedures      20.7%
Security responsibilities included in employment contracts                            20.7%

Source: INTECO

Graph 20: Practices relating to NETWORK AND OPERATIONS SECURITY (%)

Externally managed services infrastructure with security controls over the contractor 65.5%
Policies for controlling business risks                                               58.6%
Management procedures for removable computer media                                    58.6%
Operational activity log kept and reviewed                                            58.6%
Agreements for exchanging (electronically or manually) information and software       55.2%
Range of security controls on networks                                                55.2%
Backup or security copies of data and software                                        55.2%
Controls for prevention and detection of malicious software                           55.2%
Separation of development and testing infrastructures                                 51.7%
Responsibilities and procedures for incident management                               51.7%

Source: INTECO


Graph 21: Practices relating to DATA SECURITY (%)

Computing Services control over the user terminal                                     86.2%
Access control over diagnostic ports                                                  69.0%
Routing controls over business applications                                           65.5%
Authentication of connections to remote information systems                           65.5%
Password management system                                                            62.1%
Users with unique identifier (user ID)                                                62.1%
Sensitive systems have isolated and dedicated environments                            58.6%
Restriction and control of privileges                                                 58.6%
User access rights reviewed                                                           55.2%
Control of password allocation                                                        51.7%

Source: INTECO

Graph 22: Practices relating to APPLICATION SECURITY (%)

Control of non-recommended modifications to software packages                         55.2%
System validation for detecting data corruption                                       55.2%
Control and protection of test data                                                   48.3%
Formal procedures for change control                                                  44.8%
Strict access control to source code libraries                                        44.8%
Use of cryptographic controls for the protection of information                       41.4%
Review and testing of changes to application systems                                  37.9%
Specific control requirements based on the business requirements of new systems       37.9%
Non-repudiation services to resolve disputes about events or actions                  34.5%
Message authentication to protect the integrity of message contents                   34.5%

Source: INTECO


Graph 23: Practices relating to BUSINESS CONTINUITY AND COMPLIANCE WITH REGULATIONS (%)

Protection of important records against loss, destruction or falsification            58.6%
Protected access to audit tools                                                       55.2%
Authorisation to use information processing infrastructures                           51.7%
Controls for protecting personal information according to legislation                 51.7%
Information systems review to verify compliance with security standards               41.4%
Capture of evidence according to legal regulations                                    41.4%
Guarantee of compliance with national agreements, laws, regulations and other
instruments of access control                                                         37.9%
Relevant regulatory, legal and contractual requirements defined and documented for
each information system                                                               34.5%
Plans for maintaining or restoring normal business operations periodically            34.5%
Arrangements for developing and maintaining business continuity throughout the
organisation                                                                          34.5%

Source: INTECO

5.2.1 Ranking of best practices

The ten security practices most agreed on by the experts were:

Table 16: Ranking of best security and e-Trust practices (%)

No.  Practice                                                        Relevance  Area
1    Clean desk and blocked screen policy                            89.7%      Asset Security
2    Computing service control over the user terminal                86.2%      Data Security
3    Security conditions for third parties with access to            69.0%      Security Organisation and
     infrastructures                                                            Management
4    Access control over diagnostic ports                            69.0%      Data Security
5    Externally managed services infrastructure with security        65.5%      Network and Operations
     controls over contractors                                                  Security
6    Authentication of connections to remote computer systems        65.5%      Data Security
7    Control of routing* to business applications                    65.5%      Data Security
8    Security areas protected by entry controls                      62.1%      Asset Security
9    Telecommunications equipment protected against interception     62.1%      Asset Security
10   Users with unique identifier                                    62.1%      Data Security

* Control over the selection of data transfer channels between servers.

Source: INTECO


As can be observed in Table 16, there are two practices that the experts consider more relevant
than the others: the clean desk and blocked screen policy, as part of the policy for protecting
the confidentiality of information against loss, damage or unauthorised use, and control over the
user's computer. These belong under the areas of Asset Security (physical and environmental
security) and Access and Data Security, the groups which account for the majority of the top
practices listed by the experts consulted (Table 16).

Specifically, the clean desk and blocked screen policy has the following theoretical definition:

• Clean desk entails the organisation providing the conditions under which the user's work
station is kept clear, with storage provided for documents and removable media.

• Blocked screen consists in locking the screen as soon as the user leaves their usual work
station, and is aimed at reducing the risk of unauthorised access to, loss of or damage to
information both within and outside normal working hours. The information and documents left on
the desk are also covered.

89.7% of the experts consulted consider the clean desk and blocked screen policy to be the most
important practice for the correct management of Information Security.

It is remarkable, as observed in Graph 6, that the policy for protecting the confidentiality of
information against loss, damage or unauthorised use, of which the clean desk and blocked screen
practice forms a part, is implemented in only approximately 1 out of every 3 Spanish Local
Government offices.


6 COMPARATIVE ANALYSIS OF BEST PRACTICES BY INDICATORS AND STRATA

In order to define the security level of information and communication systems in Local
Administration offices, the best security practices in each stratum have been evaluated and any
differences analysed, taking as reference the surveys carried out in Town Councils, Provincial
Governments and Island Departments on the implementation of the best practices identified by the
experts.

6.1 Implementation of the best security practices in Local Government offices

Councils in municipalities with more than 50,000 inhabitants, Provincial Governments and Island
Departments

The data show that the greatest implementation of measures was in the areas of Access and Data
Security and Network and Operations Security. Practices such as making backup copies of data and
software or controls for preventing and detecting malicious code are implemented in practically
all cases.

It is in the area of Human Resources Security where implementation is weakest, both in
confidentiality agreements and in assigning roles and responsibilities.

Table 17: Degree of implementation of best practices in Town Councils in large
municipalities, Provincial Governments and Island Departments (%)

Columns: (A) Town Councils, municipalities of 50,000 to 100,000 inhabitants; (B) Town Councils,
municipalities of 100,000 to 500,000 inhabitants; (C) Town Councils, municipalities of more than
500,000 inhabitants; (D) Provincial Governments and Island Departments.

Area / Practice                                                        (A)      (B)      (C)      (D)

Security Organisation and Management
  Person Responsible for Information Security                          52.8%    85.2%    75.0%    55.3%
  Security Policy Document                                             39.6%    51.9%    25.0%    27.7%
  Classification and Protection of Information                         32.1%    37.0%     0.0%    31.9%
  Assets Inventory                                                     67.9%    77.8%     0.0%    57.4%

Asset Security
  Clean desk and blocked screen policy                                 35.8%    29.6%    25.0%    27.7%
  Security areas protected by entry controls                           58.5%    66.7%    25.0%    51.1%
  Information deleted from out-of-service computing equipment          96.2%   100.0%   100.0%    91.5%

HR Security
  Security Incident Detection                                          67.9%    77.8%    50.0%    70.2%
  Confidentiality Agreements                                           18.9%    29.6%    25.0%    29.8%
  Training and Awareness                                               28.3%    37.0%    50.0%    17.0%
  Roles and Responsibilities                                           32.1%    37.0%     0.0%    17.0%

Network and Operations Security
  Security Controls for Outsourced Management Services                 49.1%    48.1%    75.0%    46.8%
  Operation Activities Log kept and reviewed                           47.2%    40.7%    50.0%    48.9%
  Controls for preventing and detecting malware                        92.5%   100.0%   100.0%   100.0%
  Backup copies of data and software                                   98.1%   100.0%   100.0%    97.9%
  Range of controls for network security                               67.9%    81.5%    25.0%    72.3%
  Agreements for exchange (electronic and manual) of information
  and software                                                         52.8%    66.7%   100.0%    51.1%

Access and Data Security
  Authentication of connections to remote computer systems             81.1%    88.9%   100.0%    91.5%
  Restriction and control of privileges                                92.5%   100.0%   100.0%    91.5%
  Control over assigning passwords                                     60.4%    70.4%   100.0%    63.8%

Application Security
  Use of cryptographic controls                                        30.2%    29.6%    25.0%    48.9%

Business Continuity
  Plans for maintaining or restoring business operations on a
  regular basis                                                        24.5%    40.7%    75.0%    42.6%

Compliance with Regulations
  Controls for protecting personal information in compliance with
  legislation                                                          77.4%    88.9%    25.0%    63.8%
  Ensuring compliance with national agreements, laws, regulations
  and other access control instruments                                 64.2%    55.6%    25.0%    63.8%

Source: INTECO


Governments in municipalities with 2,000 to 50,000 inhabitants

In this case, all practices related to Network and Operations Security are widespread. Prevention
and detection controls against malicious code (malware) have been widely adopted, particularly in
the strata of Local Government in medium-sized municipalities, where the rate is over 95%. In
contrast, the figures for Operational or Business Continuity are the lowest (Table 18). In
conclusion, in Local Organisations in smaller municipalities the gap between the well-covered
security issues and those less well addressed is much greater than in large municipalities.

Table 18: Degree of implementation of best security practice in medium-sized Town Councils
(%)

Columns: (A) Town Councils, municipalities of 2,000 to 5,000 inhabitants; (B) Town Councils,
municipalities of 5,000 to 10,000 inhabitants; (C) Town Councils, municipalities of 10,000 to
50,000 inhabitants.

Area / Practice                                                        (A)      (B)      (C)

Security Organisation and Management
  Security Policy Document                                             56.5%    64.3%    66.1%

Asset Security
  Controls and guidelines in secure areas that improve security
  using physical controls                                              30.6%    46.4%    50.5%

HR Security
  Confidentiality Agreements                                           12.9%    12.5%     9.2%
  Training in Security Procedures and Policies                         17.7%    14.3%    22.0%

Network and Operations Security
  Controls for preventing and detecting malware                        95.2%    96.4%    98.2%
  Backup or security copies of data and software                       95.2%    94.6%    98.2%

Access and Data Security
  Control of routing to business applications                          53.2%    62.5%    84.4%
  Control over assigning passwords                                     43.5%    60.7%    67.9%

Business Continuity
  Plans for maintaining or restoring business operations on a
  regular basis                                                         6.5%     1.8%    15.6%

Compliance with Regulations
  Controls for protecting personal information in compliance with
  legislation                                                          32.3%    35.7%    47.7%

Source: INTECO

Governments in municipalities with less than 2,000 inhabitants

Table 19 shows that small Local Organisations also have high implementation rates for practices
relating to Network and Operations Security. As in the previous case, the figures for the
Operational or Business Continuity area are among the lowest. However, Human Resources Security is
the lowest area in all groups, with rates that in no case exceed 10%.


Table 19: Degree of implementation of best security practice in small Town Councils (%)

Columns: (A) Town Councils, municipalities of less than 500 inhabitants; (B) Town Councils,
municipalities of 500 to 1,000 inhabitants; (C) Town Councils, municipalities of 1,000 to 2,000
inhabitants.

Area / Practice                                                        (A)      (B)      (C)

Security Organisation and Management
  Security Policy Document                                             30.5%    38.5%    38.7%

Asset Security
  Controls and guidelines in secure areas that improve security
  using physical controls                                              20.3%    15.4%    27.4%

HR Security
  Confidentiality Agreements                                            4.8%     7.1%     5.5%
  Training in Security Procedures and Policies                          3.4%     7.7%     9.7%

Network and Operations Security
  Controls for preventing and detecting malware                        88.7%    58.9%    47.7%
  Backup or security copies of data and software                       82.3%    66.1%    45.9%

Access and Data Security
  Control of routing to business applications                          46.8%    23.2%    20.2%
  Control over assigning passwords                                     30.5%    38.5%    32.3%

Business Continuity
  Plans for maintaining or restoring business operations on a
  regular basis                                                         0.0%     5.4%     3.7%

Compliance with Regulations
  Controls for protecting personal information in compliance with
  legislation                                                           9.7%    16.1%    11.9%

Source: INTECO

6.2 Comparative Analysis by indicators and strata

The implementation of security practices and tools shows one differentiating feature: the larger
the municipality and the government, the greater the number of measures established, and the more
frequently they are found, in Town Councils, Provincial Governments and Island Departments.

In terms of the methodology used to assess each area, the strata were arranged into the groups
used to segment Local Administration offices according to the size of the municipalities they
serve (small, medium and large), plus the Provincial Governments and Island Departments.
Subsequently, the items surveyed for each security area were taken separately for each group,
giving a breakdown for each Local Government group of the items included in each area. Finally, a
statistical homogenisation was carried out to group the values of the various items across the
strata within each group, and an average indicator was calculated for each group and security
area studied.


The information security situation in Spanish local public organisations was assessed according
to the classification of security areas recommended by the Code of Practice for Information
Security Management in the ISO/IEC 27002:2007 International Standard.

By way of opening comment, it should be pointed out that in the area of Systems Development and
Maintenance (Application Security) the medium-sized and small Local Organisations were not
consulted, because the questionnaire was designed to be as succinct as possible so as not to
affect the normal activity of the Local Government interviewed.

In general, there is a high incidence of implementation of good practices in the areas of Asset
Security, Network and Operations Security, Access and Data Security and Systems Development and
Maintenance Security. In all graphs these practices are the most frequent and are applied to a
greater degree in every group of strata.

Graph 24: Comparison of indicators by security area and group size (%)

Security areas compared: Security organisation and management; Assets security; Human Resources
security; Network and Operations security; Data Access security; Regulatory Compliance and
business continuity; Applications security.
Groups compared: Councils in small towns (less than 2,000 inhabitants); Councils in medium-sized
towns (2,000 to 50,000 inhabitants); Councils in large towns (more than 50,000 inhabitants);
Provincial Governments and Island Departments.

Source: INTECO

In contrast, the distribution in Town Councils in medium-sized and large municipalities, as well
as in Provincial Governments and Island Departments, clearly shows a higher level than that of
small Local Governments.

Also significant is the practically perfect coincidence in structure and values between
Provincial Governments and Island Departments and Town Councils in municipalities of more than
500,000 inhabitants, since the former have an organic and functional structure typical of
regional organisations and are considered, in terms of information security, as large-sized
Local Governments.

In the case of large Local Organisations, an exception must be made for the area of security
organisation and management. The variability of the data is due to the smaller sample size in
these strata and to the considerably lower average figures for the existence of a security policy
document (Table 17 and Table 18).

In the group of Local Administrations in medium-sized municipalities, between 2,000 and 5,000
inhabitants, slight variations can be seen in certain areas, due to distorted behaviour in
certain items within Access and Data Security, Regulatory Compliance and Operational Continuity.
Items such as control over assigning passwords or the existence of plans for maintaining or
restoring operations are implemented markedly less than in the Governments of large
municipalities, Provincial Governments and Island Departments (Table 18), which pulls down the
overall level of implementation.

In general, security measures and practices show an average state of implementation greater than
50% for almost all sizes of organisation and areas, with the exception of the Local
Administration offices in the least populated municipalities, where greater potential for action
and growth is observed.


7 CONCLUSIONS AND RECOMMENDATIONS

7.1 Conclusions
As indicated in the opening paragraph, the aim of this report is to establish the level of
information security and e-Trust in Spanish Local Public Organisations. The study is remarkable
for its originality, as none of the issues referred to had been the object of analysis before
this research was carried out by the INTECO Observatory.

The analysis has a dual perspective: it uses primary sources based on interviews with Local
Public Organisations and also interviews a group of information security experts.

The state of security tools and practices shows average rates of over 50% for Local Public
Organisations in almost all sizes of municipality and security areas. The exception is the Town
Councils in smaller municipalities, where there is greater potential for action and growth. The
study establishes as a principle that the larger the municipality served by the local
organisation, the greater the number of measures implemented and the higher their coverage rates.

A number of stronger areas of information security have been found within the structures of
these organisations:

• Network and Operations Security: this includes, for example, controls against malware and
backup copies of data and software.

• Access and Data Security: including tools and practices for restricting and controlling
privileges or authenticating remote connections.

• Asset Security: encompassing widespread practices such as deleting data from out-of-service
machines or recycling them.

The procedures included in these areas are those standardised by ISO/IEC 27002 and certifiable
under ISO/IEC 27001, and are the most widely known amongst users and professionals in Local
Public Organisations; hence they are the most widely implemented.

Areas such as Human Resources Security (e.g. confidentiality agreements or established roles and
responsibilities), Operational or Business Continuity and Regulatory Compliance show the lowest
percentages in terms of tools and practices and, consequently, are where future action can be
focused.

The most widely used tools in Local Organisations are anti-virus applications and programs,
present in 98.1% of these governments, followed by firewalls (74.7%).


A feature of the analysis is that the larger the town, the more widespread the incidence of
security measures in the Local Administration. In smaller towns, local public bodies have more
scattered security policies focused on specific issues, giving much lower priority to some tools
and practices.

The experts agree that the areas of Asset Security and Access and Data Security are the most
important and should provide the base on which other tools and practices are adopted; these two
areas come top of the list of security practices cited by the professionals consulted.
Nevertheless, the top recommended practice (clean desk and blocked screen policy) is not widely
implemented in Spanish Local Organisations.

These same experts also agree that Local Administrations are becoming increasingly aware of
information security, which should encourage a general improvement in security conditions.
Measures such as access control, making backup copies or confidentiality agreements make up the
main group of strengths. In contrast, insufficient budgets and general training, and the lack of
resources and formal policies in small Local Organisations, mean that there is opportunity for
improvement in these areas.

7.2 Recommendations

The following should be taken as guidance when defining the improvement programmes to be designed
and carried out, both by Local Public Organisations and by other players taking part in the
assessment, definition and implementation of measures for digital security and confidence. The
initiatives that can contribute to the expansion of the best security practices proposed by the
experts consulted are described below.

7.2.1 Lines of action

The intention is to set priorities, assign resources and focus results in order to obtain the
best cost-benefit ratio demanded by the management of any publicly funded programme, under the
following premises:

• Public support: Act 11/2007 on Electronic Access of Citizens to Public Services makes Local
Organisations key players, as they provide numerous services demanded by citizens and
businesses, often with insufficient funding. The implementation of new digital security and
confidence measures and controls will require long-term financial investment.

• Awareness and training at all levels. The high regard for digital security and confidence
observed at management level in the majority of Local Organisations should be extended to all
users and their organisational collaborators. The process should be supported by structured
training programmes, defined and tailored to the needs and requirements of Local Organisations,
with an emphasis on practical guidance and continuous skills updating, using distance learning
and train-the-trainer programmes.

• Widespread use of the digital signature. The widespread use of basic protection methods such
as anti-virus, anti-spam and anti-spyware in Spanish Local Organisations should be viewed
favourably as a first level of maturity in digital security and confidence. This process must be
completed by the widespread implementation and use of the digital signature and secure
identification as the preferred authentication methods for organisations and their
representatives in their dealings with other administrations, citizens and companies.

• Information security and digital confidence certification. The effective implementation of the
best information security practices identified should be addressed and planned in the medium and
long term, and accredited both internally and externally using international standards such as
ISO/IEC 27001:2005.

7.2.2 The role of Public Administration

According to INTECO

The General State Administration, the Autonomous Communities and, at local level, Town Councils,
Provincial Governments and Island Departments must play an essential role in awareness, in user
training in information security and in the use of the digital signature in Local Organisations.

Their support will be decisive in allocating funding and in coordinating, aligning and
consolidating economies of scale for the following suggested initiatives:

1. Related to awareness and training:

a. Carrying out programmes for disseminating, broadcasting and building confidence in
Information and Communication Technologies, in order to increase the awareness of public servants
and other staff of security issues, generate confidence in ICTs and promote the safe use of the
Internet in Local Organisations.

b. Designing, producing and delivering a distance learning course in Information and
Communication Technologies security, taking into account different levels of ability and varying
academic loads according to assigned security roles, delivering a programme approved by the
relevant official bodies (INAP, Autonomous Communities) and taught in the various co-official
languages of the Spanish State. Tutors and instructors will have to support both virtual and
face-to-face training sessions, and the content must be updated frequently to accommodate
regulatory requirements.

2. Relating to the promotion and encouragement of best security and e-Trust practices in
Local Public Organisations.

a. Regular diagnostic carried out by the INTECO Information Security


Observatory on the state of security in Local Administration offices.

On at least an annual basis, a research project will diagnose the state of security and
e-Trust and include a series of recommendations for Local Government offices. The
Observatory will thus be consolidated as a national and international benchmark in
matters of security and e-Trust in Local Administration. In addition, it would undertake
other tasks such as producing monographs and guides aimed at the Local Administrations
and professionals who work in them, monitoring the principal indicators and public
policies related to information security and confidence in the local context, generating
databases and knowledge for analysing and assessing security and confidence in Local
Government on a timely basis, and creating a network of experts and collaborators for
acquiring experience and getting to know the kind of security incidents that occur in
Local Organisations.

b. Extending the services provided by the INTECO Centro Demostrador de Seguridad y
e-Confianza (Security and e-Trust Demonstration Centre) to small and medium-sized
Local Organisations.

The INTECO Centro Demostrador de Seguridad would widen its scope of action
– based on the favourable results obtained in its strategy for SMEs – to Local
Administration, in order to promote and disseminate the use of information security
technology and best practice among Spanish small and medium-sized Local Organisations
(which represent the majority of Local Administration offices in the Spanish state),
contributing to a strengthening of the Information and Communication Technology
Security sector in Spain and to directing its services and solutions at the real and
practical needs of Local Government. Its purpose is to act as an intermediary with
companies from the security sector. The Demonstration Centre would thus become a
national centre of excellence for Local Organisations in matters of security.

According to the FEMP

In their capacity as the public administration closest to citizens, Spanish Local
Government bodies – Town Councils, Provincial Governments and Island Departments – are a
vital part of the development and implementation of new technology, using its tools and
instruments for modernising administrative procedures and achieving transparency in local
public administration, thus facilitating citizens' participation in the decision-making
process by guaranteeing an ideal environment in which citizens and administration can
interact, in which their interests will be managed rapidly, effectively and efficiently,
and in which their rights are safeguarded.

In this context, the transformation of the typical bureaucratic relationship is currently one of
the most important challenges, for which the Spanish Local Administration has three
strategic lines of action:

1. The successful implementation of adequate staff training, by organising courses and
monitoring good practices in new technology, is fundamental for developing, evolving
and refreshing skills and promoting continuous learning.

2. Providing the technical means and training staff to use them.

3. Internal control mechanisms, such as action protocols for rigorous personal data
processing, updated as required to keep up with the increasingly advanced features
developed by the technology industry.

The Federación Española de Municipios y Provincias (FEMP) is the association currently
representing over 7,200 Town Councils, Provincial Governments and Island Departments
and acts as permanent interlocutor with the General State Administration. It is the ideal
framework through which to channel the experience and good practices that have taken
place over the last few years and to share information and knowledge between all Public
Administration offices.

7.2.3 The role of industry

According to INTECO
As mentioned above, companies in the security sector, whether manufacturers or
distributors of solutions, specialised consultancies, information systems integrators or
external systems providers, have a great business opportunity in the context of Local
Public Administration. Their support will enable the successful implementation of the
digital security and confidence solutions and best practices identified. To achieve this,
INTECO proposes:

1. Collaborating in Public Administration initiatives.

Private organisations could play an active part, providing knowledge, resources and
experience gained in similar successful international or local programmes, in
disseminating and communicating confidence in the security of Information and
Communication Technology. The Information Security Observatory would collaborate with
Local Organisations. The Centro Demostrador de Seguridad y e-Confianza would be extended
to include specialised services, bringing the supply (industry) of security products and
services closer to the demand (Local Government) in the local context.

2. Free market initiative.

The companies in the sector should make the effort to adjust their products to the
requirements of Spanish Local Organisations, providing technical and human resources
and making available their capacity for distribution, implementation and after-sales
support in various market actions (adapting their products and services to the needs of
Local Governments, translating them into the official State languages, monitoring
interoperability standards in the design and development of solution architectures,
launching update programmes and/or renewing technology).

According to McAfee
At first glance it would appear that the computing systems of Local Administration are
not an attractive target for possible attackers, especially in the smaller municipalities.
However, the aims such attackers pursue should be taken into account: financial gain,
loss of image, interruption of service, etc.

Firstly, all Local Organisations can be vulnerable to threats related to their
technological infrastructure (workstations, operating systems, etc.), corporate systems
(web browsing, electronic mail, etc.), applications that are becoming more widespread
(instant messaging, VoIP, etc.) and services to the public (Town Councils are also
beginning to use the Internet as a means of keeping in touch with the public), to which
internal threats can be added, whether intentional or due to errors or lack of staff
knowledge about the use of technology.

Secondly, Local Organisations have to comply with legislation (Data Protection Act)
because they are handling citizens' personal information, which must be classified and
protected.

Lastly, we should not forget that service to the public implies high levels of availability,
supported by a technological infrastructure.

This is why information security must be managed and must guarantee the Confidentiality,
Integrity and Availability of information and the protection and ease of access for services
offered, by defining a security policy and implementing the measures required for it to
operate.

The security manufacturer must make products adapted to the needs of Local
Organisations, taking into account their requirements for simplicity, cost and degree of
specialisation. The right product for specific solutions must be supplied, providing
support for the security management process with the purpose of reducing impact or
preventing information leaks, and for the audit process. The McAfee Security Operations
Centres are also important for guaranteeing the "cleanliness" of electronic mail and web
browsing, and for providing information about new threats and target environments.

The importance of raising awareness and sensitisation in Local Organisations of the need
for an information security process is also acknowledged, as is the training required to
enable the required security measures to be implemented. These must be supported by the
industry, which should play a consulting role to facilitate the training process and
adjust the technology to the needs of Local Organisations.

According to Symantec
As corporations, private individuals and our economy come to depend more and more on
the Internet and on information systems, the risks become more important (serious
institutional and company crises, damage to reputation caused by identity impersonation,
loss of business due to system failure, etc.).

1. The reality of IT Risk Management

The majority of companies, regional or local Administrations and citizens are barely
aware of the dangers faced by their information systems; they do not use the whole
range of tools available to them to manage these situations, nor have they begun to
implement the knowledge and processes they need to manage this type of risk.

Although the study shows that the security measures and practices have
implementation values of over 50% in large municipalities, this average decreases as
we look at the Local Administration in smaller municipalities. This data reveals the
importance of undertaking the vital task of raising awareness and making investment
(the belief exists that with just one anti-virus program systems will be protected and
secure) and making Information Technology available in these environments.

2. Increased knowledge of computing risks

Computing risks can be synonymous with the potential loss of information and data
recovery, or with the continuous use of information. These actions can be placed into
the following six categories: Security, Availability, Performance, Scalability, Compliance
and Recoverability. In Local Administrations, making backup copies of data and
implementing VPNs for remote access to systems are measures very rarely
implemented in Administration offices of smaller municipalities.

Study on Security and eTrust in Local Organisations Page 51 of 68


Observatorio de la Seguridad de la Información
Instituto Nacional
de Tecnologías
de la Comunicación

3. Knowledge of impact and approaches for IT Risk Management

It is essential to understand the risks in terms of the probability of an event being
able to generate a situation involving loss of data, access or availability, and the
temporal value of exposure to danger in the event of the risk materialising. Computing
risks have a variety of origins and, therefore, different approaches are needed to
manage and mitigate them, which generally require a combination of personal,
technological and information processes. The current situation is far from ideal. The
ideal would be that technology is not only implemented, but also that all the existing
mechanisms for establishing comprehensive security criteria and policies are known and
used.

4. Adjusting costs to manage computing risks according to business value

Investment is needed in processes, technology and computing personnel in order to
mitigate risks, while avoiding over- as well as under-investment in IT risk management
by organisations, especially in the case of the institutions serving smaller
municipalities.

5. Creating institutional capacity for controlling IT risks

Improvement of IT Risk Management should be included in the plans of all institutions,
whatever their size. Management must be aware of the computing risks to which they may
be exposed and know about the available tools for managing these situations. The
appropriate institutional capacity should be established to help them, giving them the
ability and the equipment to satisfy their needs, and carrying out controls to ensure
their compliance.

According to Trend Micro
The purpose of Town Councils, like that of any other Public Administration body, is to
provide a service to the public. Tax collection, obtaining licences, police forces, social
and educational services are only a small part of the services managed by Town Councils.
To do this, these organisations handle vast amounts of information that, because of its
nature, requires different types of treatment, since both public and private data are
handled and all of it needs management processes that maintain information
confidentiality and integrity.

Policies, procedures, infrastructures and technological resources are required that help
to ensure that services and information are available, that allow transactions to be
simplified and speeded up, that facilitate mutual assistance and encourage the exchange
of information, while at the same time preventing information leaks or possible attacks.
In summary, very high levels of confidentiality and security are required because of the
nature of the information being handled (tax, health, social, etc.), and it is the task
of the municipal Administration to offer, safeguard and guarantee these factors.

Study on Security and eTrust in Local Organisations Page 52 of 68


Observatorio de la Seguridad de la Información
Instituto Nacional
de Tecnologías
de la Comunicación

From the assessment of the internal processes of information flow, a "security plan" should
be drawn up that defines what type of solution or levels of service are required for each
Town Council.

Trend Micro is aware of this fact and one of its challenges is to drive and deal with the
modernisation of Spanish Town Councils by offering tools that enable a better quality
service to be provided that is more friendly for the citizen using new technology, and
bringing solutions that guarantee secure information transactions in the midst of an
environment characterised by the existence of constant risk.


8 ANNEXES

8.1 List of Participating Experts


• Arístides Moreno Suárez. Computer Manager and Head of Information Society of the
Regional Government of the Canary Islands.

• Carlos Adín. Quality Service and Modernisation Manager of the Department of Local
Administration of the Regional Government of Navarra.

• Carlos Manuel Fernández. Head of Information Systems Security of AENOR.

• Cristina Bazaga Gazapo. Rural Development of the Regional Government of Extremadura.

• Daniel Amaro. Computer and New Technologies Area of the Town Council of Úbeda.

• Diego Hernández Gallardo. Manager of FNMT-RCM CERES.

• Federico Serrano Paricio. Deputy Representative of the New Technologies Area of the
Provincial Council of Teruel.

• Francisco José López Carmona. Deputy Director of the File Registry and Consultancy of the
Data Protection Agency of the Community of Madrid.

• Graciliano Álvarez Fernández. Institute for Economic Development, Training and
Employment of Leon.

• Ignacio Sánchez Chumillas. Computer Systems Manager of the Town Council of Móstoles.

• Jesús Sánchez. Commercial Manager of the Public Administration Area. McAfee.

• José Ignacio Uribe Ladrón de Cegama. Telecommunications Area of the Regional
Government Ministry for Promotion of the Regional Government of Castile and Leon.

• José Luís Tudela Castrando. Head of the Municipal IT Centre of the Town Council of
Zaragoza.

• José Manuel Pazos González. Head of the Information Systems Service of the Town
Council of Gijón.

• José María Martín. Department of Technological Development of the Town Council of
Aranjuez.

• José Miguel Galán Bueno. Manager of Aragonesa de Servicios Telemáticos. Regional
Government of Aragón.


• Josep Clotet. Manager of the Municipal IT Institute «Accès» and Member of the New
Technologies Advisory Council of the FEMP.

• Juan Ramón Fontán. Advisory Services Principal. Consulting Services. Symantec.

• Luis Arróspide Urbieta. Head of Data Security of the Provincial Society of Computer
Services (IZFE), Provincial Council of Gipuzkoa.

• Luis Manovel. Head of Services of the Regional Government Ministry for Economic
Development, Innovation and Employment of Tres Cantos.

• Lluis Olivella. Manager of the Municipal IT Institute of the Town Council of Barcelona.

• Marcos Sanz Salas. Town Councillor Representative of Administrative Modernisation and
Services to Citizens of the Town Council of Rivas-Vaciamadrid.

• Miguel Ángel Amutio. Head of Planning and Exploitation of the Ministry for Public
Administration.

• Miguel Rego Fernández. Executive Committee of the Security Area of the Ministry of
Defence.

• Pablo Pérez San-José. Manager of the Security Observatory. INTECO.

• Rafael Cuenca. Manager of the Public Administration of Trend Micro for Spain and Portugal.

• Ramón Martín Miralles López. Coordinator of Tecnologies i Seguretat de la Informació de
la Agència Catalana de Protecció de Dades («Information Technologies and Security of the
Catalonian Data Protection Agency»).

• Senén Casal Iglesias. Director-General of Services of the Town Council of Gijón.

• Valentín Pérez Martínez. Manager of the Autonomous Organisation for Economic
Management and Collection of the Town Council of Salamanca.

• Virginia Moreno. Information Systems Manager of the Town Council of Leganés.


8.2 Participating entities

8.2.1 List of participating Town Councils


Autonomous Community Province No Municipality
Andalucía Almería 1 Alboloduy
Andalucía Almería 2 Almería
Andalucía Almería 3 Níjar
Andalucía Almería 4 Roquetas de Mar
Andalucía Cádiz 5 Algar
Andalucía Cádiz 6 Benaocaz
Andalucía Cádiz 7 Bornos
Andalucía Cádiz 8 Chiclana de la Frontera
Andalucía Cádiz 9 Jerez de la Frontera
Andalucía Cádiz 10 Línea de la Concepción (La)
Andalucía Cádiz 11 Olvera
Andalucía Cádiz 12 Puerto Real
Andalucía Cádiz 13 Rota
Andalucía Cádiz 14 San Fernando
Andalucía Cádiz 15 Sanlúcar de Barrameda
Andalucía Cádiz 16 Setenil de las Bodegas
Andalucía Cádiz 17 Tarifa
Andalucía Cádiz 18 Trebujena
Andalucía Córdoba 19 Benamejí
Andalucía Córdoba 20 Córdoba
Andalucía Córdoba 21 Lucena
Andalucía Córdoba 22 Montilla
Andalucía Córdoba 23 Villaharta
Andalucía Córdoba 24 Villanueva de Córdoba
Andalucía Córdoba 25 Zuheros
Andalucía Granada 26 Gabias (Las)
Andalucía Granada 27 Huétor de Santillán
Andalucía Granada 28 Jayena
Andalucía Granada 29 Lecrín
Andalucía Granada 30 Padul
Andalucía Granada 31 Taha (La)
Andalucía Granada 32 Zubia (La)
Andalucía Huelva 33 Cala
Andalucía Huelva 34 Huelva
Andalucía Huelva 35 Lepe
Andalucía Huelva 36 Punta Umbría
Andalucía Jaén 37 Iruela (La)
Andalucía Jaén 38 Torre del Campo
Andalucía Málaga 39 Alpandeire
Andalucía Málaga 40 Antequera
Andalucía Málaga 41 Archidona
Andalucía Málaga 42 Casares
Andalucía Málaga 43 Cortes de la Frontera
Andalucía Málaga 44 Estepona
Andalucía Málaga 45 Málaga
Andalucía Málaga 46 Manilva
Andalucía Málaga 47 Marbella
Andalucía Málaga 48 Mijas
Andalucía Málaga 49 Montejaque
Andalucía Málaga 50 Rincón de la Victoria
Andalucía Málaga 51 Riogordo
Andalucía Málaga 52 Torremolinos
Andalucía Málaga 53 Vélez-Málaga
Andalucía Málaga 54 Villanueva de Algaidas
Andalucía Sevilla 55 Alcalá de Guadaíra
Andalucía Sevilla 56 Alcolea del Río
Andalucía Sevilla 57 Burguillos
Andalucía Sevilla 58 Carrión de los Céspedes
Andalucía Sevilla 59 Castilleja del Campo
Andalucía Sevilla 60 Coripe
Andalucía Sevilla 61 Dos Hermanas
Andalucía Sevilla 62 Mairena del Aljarafe
Andalucía Sevilla 63 Sevilla
Aragón Huesca 64 Alcubierre
Aragón Huesca 65 Altorricón
Aragón Huesca 66 Angüés
Aragón Huesca 67 Barbastro
Aragón Huesca 68 Castejón de Sos
Aragón Huesca 69 Castiello de Jaca
Aragón Huesca 70 Huesca
Aragón Huesca 71 Monzón
Aragón Huesca 72 Panticosa
Aragón Huesca 73 Sabiñánigo
Aragón Huesca 74 Sesué
Aragón Teruel 75 Alcorisa
Aragón Teruel 76 Allepuz
Aragón Teruel 77 Miravete de la Sierra
Aragón Teruel 78 Mora de Rubielos
Aragón Teruel 79 Teruel
Aragón Teruel 80 Villarroya de los Pinares
Aragón Zaragoza 81 Alagón
Aragón Zaragoza 82 Chiprana
Aragón Zaragoza 83 Figueruelas
Aragón Zaragoza 84 Jaraba
Aragón Zaragoza 85 Leciñena
Aragón Zaragoza 86 Monegrillo
Aragón Zaragoza 87 Tarazona
Aragón Zaragoza 88 Zaragoza
Aragón Zaragoza 89 Zuera
Asturias Asturias 90 Aller
Asturias Asturias 91 Bimenes
Asturias Asturias 92 Cangas del Narcea
Asturias Asturias 93 Castropol
Asturias Asturias 94 Colunga
Asturias Asturias 95 Navia
Asturias Asturias 96 Oviedo
Asturias Asturias 97 Ribadedeva
Asturias Asturias 98 Santo Adriano
Asturias Asturias 99 Villayón
Baleares Illes Balears 100 Calvià
Baleares Illes Balears 101 Mahón
Baleares Illes Balears 102 Manacor
Baleares Illes Balears 103 Muro
Baleares Illes Balears 104 Sant Joan de Labritja
Canarias Las Palmas 105 Agüimes
Canarias Las Palmas 106 Arrecife
Canarias Las Palmas 107 Arucas
Canarias Las Palmas 108 Firgas
Canarias Las Palmas 109 Palmas de Gran Canaria (Las)
Canarias Las Palmas 110 San Bartolomé de Tirajana
Canarias Las Palmas 111 Santa Brígida
Canarias Las Palmas 112 Sta. María de Guía de Gran Canaria
Canarias Las Palmas 113 Telde
Canarias Las Palmas 114 Teror
Canarias Las Palmas 115 Tías
Canarias Las Palmas 116 Valsequillo de Gran Canaria
Canarias Santa Cruz de Tenerife 117 Adeje
Canarias Santa Cruz de Tenerife 118 Arico
Canarias Santa Cruz de Tenerife 119 Garachico
Canarias Santa Cruz de Tenerife 120 Orotava (La)
Canarias Santa Cruz de Tenerife 121 San Juan de la Rambla
Canarias Santa Cruz de Tenerife 122 Santa Cruz de Tenerife
Canarias Santa Cruz de Tenerife 123 Tijarafe
Canarias Santa Cruz de Tenerife 124 Valverde
Canarias Santa Cruz de Tenerife 125 Vallehermoso
Cantabria Cantabria 126 Arenas de Iguña
Cantabria Cantabria 127 Cabezón de la Sal
Cantabria Cantabria 128 Camargo
Cantabria Cantabria 129 Comillas
Cantabria Cantabria 130 Rasines
Cantabria Cantabria 131 Santander
Cantabria Cantabria 132 Torrelavega
Cantabria Cantabria 133 Valdeolea
Castilla y León Ávila 134 Ávila
Castilla y León Ávila 135 Cebreros
Castilla y León Ávila 136 Mijares
Castilla y León Burgos 137 Aranda de Duero
Castilla y León Burgos 138 Briviesca
Castilla y León Burgos 139 Gumiel de Izán
Castilla y León Burgos 140 Miranda de Ebro
Castilla y León Burgos 141 Oña
Castilla y León Burgos 142 Palacios de la Sierra
Castilla y León Burgos 143 Regumiel de la Sierra
Castilla y León Burgos 144 Rubena
Castilla y León Burgos 145 Villariezo
Castilla y León León 146 Astorga
Castilla y León León 147 Valderrey
Castilla y León León 148 Villaquejida
Castilla y León León 149 Villaquilambre
Castilla y León Palencia 150 Astudillo
Castilla y León Palencia 151 Brañosera
Castilla y León Palencia 152 Cervera de Pisuerga
Castilla y León Palencia 153 Palencia
Castilla y León Palencia 154 Reinoso de Cerrato
Castilla y León Palencia 155 Venta de Baños
Castilla y León Palencia 156 Villaviudas
Castilla y León Palencia 157 Villerías de Campos
Castilla y León Salamanca 158 Alaraz
Castilla y León Salamanca 159 Alconada
Castilla y León Salamanca 160 Béjar
Castilla y León Salamanca 161 Castellanos de Moriscos
Castilla y León Salamanca 162 Ciudad Rodrigo
Castilla y León Salamanca 163 Cordovilla
Castilla y León Salamanca 164 Hinojosa de Duero
Castilla y León Salamanca 165 Mieza
Castilla y León Salamanca 166 Moríñigo
Castilla y León Salamanca 167 Parada de Rubiales
Castilla y León Salamanca 168 Salamanca
Castilla y León Salamanca 169 San Felices de los Gallegos
Castilla y León Salamanca 170 San Martín del Castañar
Castilla y León Salamanca 171 Sancti-Spíritus
Castilla y León Salamanca 172 Terradillos
Castilla y León Salamanca 173 Trabanca
Castilla y León Salamanca 174 Vitigudino
Castilla y León Segovia 175 Carbonero el Mayor
Castilla y León Segovia 176 Cuéllar
Castilla y León Segovia 177 Losa (La)
Castilla y León Segovia 178 Mozoncillo
Castilla y León Segovia 179 Samboal
Castilla y León Segovia 180 San Pedro de Gaíllos
Castilla y León Segovia 181 Segovia
Castilla y León Segovia 182 Villacastín
Castilla y León Soria 183 Almazán
Castilla y León Soria 184 Arcos de Jalón
Castilla y León Soria 185 Berlanga de Duero
Castilla y León Soria 186 Covaleda
Castilla y León Soria 187 Langa de Duero
Castilla y León Soria 188 Ólvega
Castilla y León Soria 189 San Leonardo de Yagüe
Castilla y León Soria 190 Vinuesa
Castilla y León Valladolid 191 Aldeamayor de San Martín
Castilla y León Valladolid 192 Arroyo de la Encomienda
Castilla y León Valladolid 193 Castrejón de Trabancos
Castilla y León Valladolid 194 Laguna de Duero
Castilla y León Valladolid 195 Medina de Rioseco
Castilla y León Valladolid 196 Medina del Campo
Castilla y León Valladolid 197 Mucientes
Castilla y León Valladolid 198 Olmedo
Castilla y León Valladolid 199 Peñafiel
Castilla y León Valladolid 200 Tordehumos
Castilla y León Valladolid 201 Torrecilla de la Orden
Castilla y León Valladolid 202 Villanueva de Duero
Castilla y León Valladolid 203 Zaratán
Castilla y León Zamora 204 Benavente
Castilla y León Zamora 205 Fuentesaúco
Castilla y León Zamora 206 Puebla de Sanabria
Castilla y León Zamora 207 Requejo
Castilla y León Zamora 208 Zamora
Castilla-La Mancha Albacete 209 Hellín
Castilla-La Mancha Albacete 210 Tobarra
Castilla-La Mancha Ciudad Real 211 Alcázar de San Juan
Castilla-La Mancha Ciudad Real 212 Carrión de Calatrava
Castilla-La Mancha Ciudad Real 213 Castellar de Santiago
Castilla-La Mancha Ciudad Real 214 Ciudad Real
Castilla-La Mancha Ciudad Real 215 Torrenueva
Castilla-La Mancha Cuenca 216 Cañete
Castilla-La Mancha Cuenca 217 Cuenca
Castilla-La Mancha Cuenca 218 Olmeda del Rey
Castilla-La Mancha Cuenca 219 Sisante
Castilla-La Mancha Guadalajara 220 Alcolea del Pinar
Castilla-La Mancha Guadalajara 221 Alovera
Castilla-La Mancha Guadalajara 222 Fontanar
Castilla-La Mancha Guadalajara 223 Guadalajara
Castilla-La Mancha Guadalajara 224 Hijes
Castilla-La Mancha Toledo 225 Almendral de la Cañada
Castilla-La Mancha Toledo 226 Burguillos de Toledo
Castilla-La Mancha Toledo 227 Cedillo del Condado
Castilla-La Mancha Toledo 228 Iglesuela (La)
Castilla-La Mancha Toledo 229 Talavera de la Reina
Castilla-La Mancha Toledo 230 Toledo
Castilla-La Mancha Toledo 231 Villatobas
Castilla-La Mancha Toledo 232 Yuncler
Cataluña Barcelona 233 Badalona
Cataluña Barcelona 234 Calella
Cataluña Barcelona 235 Canovelles
Cataluña Barcelona 236 Cardedeu
Cataluña Barcelona 237 Castelldefels
Cataluña Barcelona 238 Cornellà de Llobregat
Cataluña Barcelona 239 Esplugues de Llobregat
Cataluña Barcelona 240 Fonollosa
Cataluña Barcelona 241 Gavà
Cataluña Barcelona 242 Granollers
Cataluña Barcelona 243 Hospitalet de Llobregat (L')
Cataluña Barcelona 244 Manresa
Cataluña Barcelona 245 Masquefa
Cataluña Barcelona 246 Mataró
Cataluña Barcelona 247 Mollet del Vallès
Cataluña Barcelona 248 Monistrol de Calders
Cataluña Barcelona 249 Polinyà
Cataluña Barcelona 250 Pont de Vilomara i Rocafort (El)
Cataluña Barcelona 251 Prat de Llobregat (El)
Cataluña Barcelona 252 Sabadell
Cataluña Barcelona 253 Sant Adrià de Besòs
Cataluña Barcelona 254 Sant Boi de Llobregat
Cataluña Barcelona 255 Sant Cugat del Vallès
Cataluña Barcelona 256 Sant Fruitós de Bages
Cataluña Barcelona 257 Sant Martí Sesgueioles
Cataluña Barcelona 258 Sant Pere de Riudebitlles
Cataluña Barcelona 259 Santa Coloma de Gramenet
Cataluña Barcelona 260 Santa Maria de Miralles
Cataluña Barcelona 261 Santa Susanna
Cataluña Barcelona 262 Santpedor
Cataluña Barcelona 263 Sora
Cataluña Barcelona 264 Viladecans
Cataluña Barcelona 265 Vilanova i la Geltrú
Cataluña Barcelona 266 Vilassar de Mar
Cataluña Girona 267 Begur
Cataluña Girona 268 Brunyola
Cataluña Girona 269 Girona
Cataluña Girona 270 Olot
Cataluña Girona 271 Sant Feliu de Guíxols
Cataluña Girona 272 Santa Pau
Cataluña Girona 273 Vall de Bianya (La)
Cataluña Girona 274 Vilablareix
Cataluña Lleida 275 Alcoletge
Cataluña Lleida 276 Isona i Conca Dellà
Cataluña Lleida 277 Juncosa
Cataluña Lleida 278 Llobera
Cataluña Lleida 279 Palau d'Anglesola (El)
Cataluña Lleida 280 Poal (El)
Cataluña Lleida 281 Rosselló
Cataluña Lleida 282 Torre de Cabdella (La)
Cataluña Lleida 283 Vilagrassa
Cataluña Tarragona 284 Borges del Camp (Les)
Cataluña Tarragona 285 Deltebre
Cataluña Tarragona 286 Flix
Cataluña Tarragona 287 Santa Bàrbara
Cataluña Tarragona 288 Tarragona
Cataluña Tarragona 289 Tortosa
Cataluña Tarragona 290 Vendrell (El)
Comunidad Valenciana Alicante 291 Alcoy/Alcoi
Comunidad Valenciana Alicante 292 Algueña
Comunidad Valenciana Alicante 293 Beneixama
Comunidad Valenciana Alicante 294 Benferri
Comunidad Valenciana Alicante 295 Beniarbeig
Comunidad Valenciana Alicante 296 Busot
Comunidad Valenciana Alicante 297 Callosa d'En Sarrià
Comunidad Valenciana Alicante 298 Dolores
Comunidad Valenciana Alicante 299 Elche/Elx
Comunidad Valenciana Alicante 300 Finestrat
Comunidad Valenciana Alicante 301 Gaianes
Comunidad Valenciana Alicante 302 Hondón de los Frailes
Comunidad Valenciana Alicante 303 Jávea/Xàbia
Comunidad Valenciana Alicante 304 Montesinos (Los)
Comunidad Valenciana Alicante 305 Novelda
Comunidad Valenciana Alicante 306 Orihuela
Comunidad Valenciana Alicante 307 Petrer
Comunidad Valenciana Alicante 308 San Miguel de Salinas
Comunidad Valenciana Alicante 309 Torrevieja
Comunidad Valenciana Castellón 310 Betxí
Comunidad Valenciana Castellón 311 Castellón de la Plana/Castelló
Comunidad Valenciana Castellón 312 Forcall
Comunidad Valenciana Castellón 313 Jérica
Comunidad Valenciana Castellón 314 Matet
Comunidad Valenciana Castellón 315 Moncofa
Comunidad Valenciana Castellón 316 Pobla de Benifassà (la)
Comunidad Valenciana Castellón 317 Todolella
Comunidad Valenciana Castellón 318 Vall d'Uixó (la)
Comunidad Valenciana Castellón 319 Vilafamés
Comunidad Valenciana Castellón 320 Villarreal/Vila-real
Comunidad Valenciana Valencia 321 Albaida
Comunidad Valenciana Valencia 322 Alboraya
Comunidad Valenciana Valencia 323 Alfarp
Comunidad Valenciana Valencia 324 Algemesí
Comunidad Valenciana Valencia 325 Almussafes
Comunidad Valenciana Valencia 326 Alzira
Comunidad Valenciana Valencia 327 Bocairent
Comunidad Valenciana Valencia 328 Bonrepòs i Mirambell
Comunidad Valenciana Valencia 329 Catarroja
Comunidad Valenciana Valencia 330 Cerdà
Comunidad Valenciana Valencia 331 Cheste
Comunidad Valenciana Valencia 332 Emperador
Comunidad Valenciana Valencia 333 Fuenterrobles
Comunidad Valenciana Valencia 334 Jarafuel
Comunidad Valenciana Valencia 335 Llíria
Comunidad Valenciana Valencia 336 Mislata
Comunidad Valenciana Valencia 337 Ontinyent
Comunidad Valenciana Valencia 338 Paterna
Comunidad Valenciana Valencia 339 Picanya
Comunidad Valenciana Valencia 340 Rafelbuñol/Rafelbunyol
Comunidad Valenciana Valencia 341 Sagunto/Sagunt
Comunidad Valenciana Valencia 342 Sedaví
Comunidad Valenciana Valencia 343 Silla
Comunidad Valenciana Valencia 344 Valencia
Comunidad Valenciana Valencia 345 Xàtiva
Extremadura Badajoz 346 Campanario
Extremadura Badajoz 347 Mérida
Extremadura Badajoz 348 Peñalsordo
Extremadura Badajoz 349 Valverde de Burguillos
Extremadura Badajoz 350 Valverde de Leganés
Extremadura Badajoz 351 Villagonzalo
Extremadura Badajoz 352 Zafra
Extremadura Badajoz 353 Zalamea de la Serena
Extremadura Cáceres 354 Cáceres
Extremadura Cáceres 355 Cañaveral
Extremadura Cáceres 356 Gordo (El)
Extremadura Cáceres 357 Holguera
Extremadura Cáceres 358 Majadas
Extremadura Cáceres 359 Miajadas
Extremadura Cáceres 360 Plasencia
Extremadura Cáceres 361 Puerto de Santa Cruz
Extremadura Cáceres 362 Rebollar
Extremadura Cáceres 363 Torre de Santa María
Extremadura Cáceres 364 Torrequemada
Galicia A Coruña 365 Arteixo
Galicia A Coruña 366 Carballo
Galicia A Coruña 367 Cerceda
Galicia A Coruña 368 Coruña (A)
Galicia A Coruña 369 Ferrol
Galicia A Coruña 370 Miño
Galicia A Coruña 371 Moeche
Galicia A Coruña 372 Narón
Galicia A Coruña 373 Oleiros
Galicia A Coruña 374 Pino (O)
Galicia A Coruña 375 Santiago de Compostela
Galicia Lugo 376 Baralla
Galicia Lugo 377 Bóveda
Galicia Lugo 378 Lugo
Galicia Lugo 379 Monforte de Lemos
Galicia Lugo 380 Sarria
Galicia Ourense 381 Amoeiro
Galicia Ourense 382 Avión
Galicia Ourense 383 Chandrexa de Queixa
Galicia Ourense 384 Manzaneda
Galicia Ourense 385 Mezquita (A)
Galicia Ourense 386 Ourense
Galicia Ourense 387 Quintela de Leirado
Galicia Ourense 388 Rairiz de Veiga
Galicia Ourense 389 Taboadela
Galicia Ourense 390 Vilar de Barrio
Galicia Pontevedra 391 Catoira
Galicia Pontevedra 392 Forcarei
Galicia Pontevedra 393 Gondomar
Galicia Pontevedra 394 Guarda (A)
Galicia Pontevedra 395 Illa de Arousa (A)
Galicia Pontevedra 396 Mondariz
Galicia Pontevedra 397 Mondariz-Balneario
Galicia Pontevedra 398 Pontevedra
Galicia Pontevedra 399 Salceda de Caselas
Galicia Pontevedra 400 Vigo
Galicia Pontevedra 401 Vilanova de Arousa
Madrid Madrid 402 Alcobendas
Madrid Madrid 403 Aranjuez
Madrid Madrid 404 Berrueco (El)
Madrid Madrid 405 Boalo (El)
Madrid Madrid 406 Brunete
Madrid Madrid 407 Buitrago del Lozoya
Madrid Madrid 408 Cenicientos
Madrid Madrid 409 Colmenar Viejo
Madrid Madrid 410 Colmenarejo
Madrid Madrid 411 Corpa
Madrid Madrid 412 Coslada
Madrid Madrid 413 Chapinería
Madrid Madrid 414 Fuenlabrada
Madrid Madrid 415 Majadahonda
Madrid Madrid 416 Navacerrada
Madrid Madrid 417 Navalcarnero
Madrid Madrid 418 Pinto
Madrid Madrid 419 Pozuelo de Alarcón
Madrid Madrid 420 Puebla de la Sierra
Madrid Madrid 421 Rivas-Vaciamadrid
Madrid Madrid 422 San Fernando de Henares
Madrid Madrid 423 San Martín de la Vega
Madrid Madrid 424 San Sebastián de los Reyes
Madrid Madrid 425 Serranillos del Valle
Madrid Madrid 426 Valdemoro
Madrid Madrid 427 Villalbilla
Madrid Madrid 428 Villamanta
Madrid Madrid 429 Villanueva de la Cañada
Murcia Murcia 430 Abarán
Murcia Murcia 431 Cartagena
Murcia Murcia 432 Fortuna
Murcia Murcia 433 Molina de Segura
Murcia Murcia 434 Pliego
Navarra Navarra 435 Aguilar de Codés
Navarra Navarra 436 Ayegui
Navarra Navarra 437 Burlada/Burlata
Navarra Navarra 438 Cabanillas
Navarra Navarra 439 Corella
Navarra Navarra 440 Esteribar
Navarra Navarra 441 Genevilla
Navarra Navarra 442 Marañón
Navarra Navarra 443 Tudela
Navarra Navarra 444 Uterga
País Vasco Álava 445 Kuartango
País Vasco Álava 446 Lapuebla de Labarca
País Vasco Álava 447 Laudio/Llodio
País Vasco Álava 448 San Millán/Donemiliaga
País Vasco Álava 449 Vitoria-Gasteiz
País Vasco Guipúzcoa 450 Arrasate/Mondragón
País Vasco Guipúzcoa 451 Eibar
País Vasco Guipúzcoa 452 Errenteria
País Vasco Guipúzcoa 453 Hondarribia
País Vasco Guipúzcoa 454 Irun
País Vasco Guipúzcoa 455 Ordizia
País Vasco Guipúzcoa 456 Zestoa
País Vasco Vizcaya 457 Barakaldo
País Vasco Vizcaya 458 Basauri
País Vasco Vizcaya 459 Bermeo
País Vasco Vizcaya 460 Galdakao
País Vasco Vizcaya 461 Getxo
País Vasco Vizcaya 462 Ondarroa
País Vasco Vizcaya 463 Portugalete
País Vasco Vizcaya 464 Santurtzi
País Vasco Vizcaya 465 Sopelana
La Rioja La Rioja 466 Arnedo
La Rioja La Rioja 467 Calahorra
La Rioja La Rioja 468 Lardero
La Rioja La Rioja 469 Logroño
La Rioja La Rioja 470 Nájera
La Rioja La Rioja 471 Navarrete

8.2.2 List of participating Provincial Councils, Consells (Regional Authorities of the Balearic Islands) and Regional Authorities of the Canary Islands
No. ENTITY
1 Cabildo Insular de El Hierro
2 Cabildo Insular de Fuerteventura
3 Cabildo Insular de Gran Canaria
4 Cabildo Insular de la Gomera
5 Cabildo Insular de La Palma
6 Cabildo Insular de Lanzarote
7 Cabildo Insular de Tenerife
8 Ciudad Autónoma de Ceuta
9 Comunidad de Madrid
10 Consell de Mallorca
11 Consell Insular de Ibiza y Formentera
12 Consell Insular Menorca
13 Diputación de Álava
14 Diputación de Albacete
15 Diputación de Alicante
16 Diputación de Almería
17 Diputación de Ávila
18 Diputación de Badajoz
19 Diputación de Burgos
20 Diputación de Cáceres
21 Diputación de Castellón
22 Diputación de Ciudad Real
23 Diputación de Córdoba
24 Diputación de Cuenca
25 Diputación de Gerona
26 Diputación de Guadalajara
27 Diputación de Guipúzcoa
28 Diputación de Huelva
29 Diputación de Huesca
30 Diputación de Jaén
31 Diputación de León
32 Diputación de Lugo
33 Diputación de Lleida
34 Diputación de Málaga
35 Diputación de Orense
36 Diputación de Palencia
37 Diputación de Pontevedra
38 Diputación de Salamanca
39 Diputación de Segovia
40 Diputación de Sevilla
41 Diputación de Soria
42 Diputación de Tarragona
43 Diputación de Teruel
44 Diputación de Valencia
45 Diputación de Valladolid
46 Diputación de Vizcaya
47 Diputación de Zamora
48 Diputación de Zaragoza
49 Gobierno P. de Asturias

LIST OF TABLES

Table 1: Stratification by town size ......................................................................................10

Table 2: No. of municipalities: pre-sample, sample and coverage by Autonomous Community ...........11

Table 3: No. of municipalities by stratum: pre-sample, sample and coverage by stratum (%)
.............................................................................................................................................12

Table 4: Comparison between most commonly adopted protective measures in Local Administration Offices and Spanish homes .........16

Table 5: Information Security Devices by Strata in Local Organisations (%) ......................17

Table 6: Protection of technological equipment and facilities to reduce the risk associated
with accidents and natural disasters in local organisations. (%)..........................................20

Table 7: Protection of private areas with appropriate access controls to ensure entry for
authorised local organisation personnel only (%) ................................................................21

Table 8: Existence of confidentiality agreements with Local Organisation employees (%) .21

Table 9: Training for employees and external collaborators in security policies and
procedures in Local Organisations (%)................................................................................22

Table 10: Existence of prevention and detection controls for protection against malicious
software (malware) in Local Organisations (%) ...................................................................24

Table 11: Existence of backup copies of data and/or essential software in Local
Organisations (%) ................................................................................................................25

Table 12: Existence of technical measures for guaranteeing the security of communication
networks in Local Organisations (%) ...................................................................................26

Table 13: Existence of documented rules for registering and unregistering users and/or
assigning passwords in Local Organisations (%) ................................................................28

Table 14: Availability of a continuity plan for after any factor causing activity disruption in
the local organisations (%) ..................................................................................................31

Table 15: Strengths and Opportunities for Improvement identified by the experts..............33

Table 16: Ranking of best security and e-Trust practices (%) .............................................37

Table 17: Degree of implementation of best practices in Town Councils in large municipalities, Provincial Governments and Island Departments (%) .................39

Table 18: Degree of implementation of best security practice in medium-sized Town Councils (%) ........41

Table 19: Degree of implementation of best security practice in small Town Councils (%) 42

LIST OF GRAPHS

Graph 1: Type of connection/access to Internet used by Town Councils in large municipalities and Provincial Governments and Island Departments (%) ...........14

Graph 2: Type of Internet connection/access in Town Councils of small and medium-sized municipalities (%).................15

Graph 3: Information Security Equipment in Spanish Local Administration Offices ............16

Graph 4: Organisational and Management Practices in large Town Councils, Provincial Governments and Island Departments (%) .........18

Graph 5: Existence of computing security procedures in small and medium-sized municipalities (%).................19

Graph 6: Security practices in Town Councils in large municipalities, Provincial Governments and Island Departments (%) .........20

Graph 7: Other human resources security practices in large Town Councils, Provincial
Governments and Island Departments (%) .........................................................................22

Graph 8: Existence of password management procedures for accessing systems and applications in small and medium-sized Town Councils (%) ...............23

Graph 9: Appropriate security measures set up with contractors and included in contracts in Town Councils, Provincial Governments and Island Departments (%) ...............24

Graph 10: Other security practices in large municipalities, Provincial Governments and
Island Departments (%) .......................................................................................................26

Graph 11: Other security practices in small and medium-sized municipalities (%) .............27

Graph 12: Other access and data security practices in Town Councils in large
municipalities, Provincial Governments and Island Departments (%) .................................29

Graph 13: Other access and data security practices in small and medium-sized
municipalities (%).................................................................................................................29

Graph 14: Security of system development and maintenance practices in Town Councils in
large municipalities, Provincial Governments and Island Departments (%) ........................30

Graph 15: Compliance with regulations in Town Councils in large municipalities, Provincial
Governments and Island Departments (%) .........................................................................32

Graph 16: Availability of an updated security document in small and medium-sized Town
Councils (%) ........................................................................................................................32

Graph 17: Practices relating to SECURITY ORGANISATION AND MANAGEMENT (%) ..34

Graph 18: Practices relating to ASSET SECURITY (%)......................................................34

Graph 19: Practices relating to HR SECURITY (%) ...........................................................35

Graph 20: Practices related to NETWORK AND OPERATIONS SECURITY (%)...............35

Graph 21: Practices relating to DATA SECURITY (%)........................................................36

Graph 22: Practices relating to APPLICATION SECURITY (%)..........................................36

Graph 23: Practices relating to BUSINESS CONTINUITY AND COMPLIANCE WITH REGULATIONS (%) ............................37

Graph 24: Comparison of indicators by security area and group size (%) ..........................43
