
Awareness Raising for Local Government

Maylis Karlsson, Anja Hartmann, Gigi Tagliapietra, December 2005

ENISA ad hoc Working Group on Awareness Raising


Executive Summary

Local government is broadly varied in structure and represents a
very important target group. It constitutes the frontline to citizens for
the supply of government content and services. Local government
manages critical infrastructure and therefore requires a high level of
security awareness, yet often lacks the necessary expertise.

Target Audience Description

• The target includes very different forms of local authorities given the
different administrative structures of member states.
• According to EU classifications, there exist 112,119 local
government structures that can be broken down into 5 levels, from
regional to communes. For further information see
http://europa.eu.int/comm/eurostat/ramon/nuts/introannex_regions_en.html

• A typical local infrastructure
– comprises a mixture of discrete networks
– includes perimeter security and antivirus measures in its basic functions, without
having the required technical sophistication to deal with them

• Local government provides frontline services and content to citizens

Why Local Government is a priority

• Local governments require special attention in security awareness
because they
– are critical infrastructures
– manage critical infrastructures that depend on information systems
(transportation, water supply, local tax etc.)
– constitute a front line to citizens
– must guarantee transparency and accountability
– don’t usually have the specific skills required to manage info security
– can act as awareness agents to citizens and schools
• Local governments need to strengthen their own awareness and
then transfer knowledge to their citizens

Communications Objectives

• Local government requires an extra high level of security awareness


• Because of broadly varying levels of local government autonomy,
national governments should build and/or recommend customised
strategies to address key issues. More specifically, they need to:
– define and implement an IT security concept adapted to their own
organizational needs
– implement IT baseline protection (BSI-Standard 100-1, BS7799, ISO
27001)
– protect critical infrastructures that play an important role in citizens’ lives
– sensitize employees in order to foster an “information-security culture”

• A flexible approach should be used to cater to the broad differences
in the target. It is not an “advertising campaign” but rather a
long-term initiative that is required.

Messages

• It is necessary to underline the importance of systems local
government manages
• Local government should be made aware that “a small door can
leave the path open to big risks”
• Nobody is too small to matter – in information security, everyone
counts
• Local Government manages a lot of personal information and
sensitive data that need to be protected
• Introduce 10 golden rules (see example of Denmark)
• A preliminary action should be to foster information sharing (the
so-called ISAC - Information Sharing and Analysis Center) in order to
encourage the exchange of expertise and build confidence in mutual
support strategies

Communication Objectives

Awareness Package LG

Why? Local government:
• manages critical infrastructures
• constitutes a front line to citizens
• lacks required skills
• manages important content

What?
• Risk analysis
• Leverage on key role
• Implementation of IT baseline protection (e.g. ISO 27001)

How?
• Long term initiative
• Promote “10 golden rules”
• Encourage ISAC for LG

Communication Objectives EXAMPLES

• Why? LG manages critical infrastructures
– What? Help LG to fully understand their role in national infrastructure
– How? Customise awareness initiatives

• Why? Constitutes front line to citizens
– What? Identify critical systems
– How? Conduct on-line assessment

• Why? Lacks required skills
– What? Implement baseline protection (ISO 27001)
– How? Encourage ISAC for LG

• Why? Manages important content, must guarantee transparency
– What? Conduct risk analysis
– How? Promote “10 golden rules”

Channels

• In most countries local government structures are organised in
associations that are an excellent vehicle for security awareness
campaigns
• For smaller organisations, existing levels of coordination can serve
as a channel and an operating arm to support practical actions
• Specific trade-shows and events for local government
• Civil society (pressure-groups)

Barriers / Advantages

Barriers
• There is not a “one size fits all” approach because of
– Difference in size / resources
– Difference in culture
– Different levels of implementation
– Different levels of awareness in work-force in local government
• Difficulty in building the level of skills and implementation that is required for
the task

Advantages
• Protection of peripheral systems is a key to protecting national critical
infrastructures
– The reach of networks and increases in speed make every point a threat to an
entire system
• Local government can act as an awareness promotion agent to society

Benchmarks and Measurements

• Measurement should take into account both the number of initiatives
and the number of citizens potentially reached indirectly by
initiatives
• Average resources spent on awareness raising actions
• % of local government staff reached through awareness actions
• Page views on local government security pages
• Investment in ICT security by local government

Examples

• “10 golden rules” (Denmark)


• “Elektroniska intryck och avtryck” – a Swedish document distributed
to community managers of IT security
• “Surfa lugnt” – a Swedish DVD (English spoken) – including basic
advice for all Swedish citizens
• Several best practice cases have emerged as more attention is
focused on the role of local government due to the increased
number of threats to information security, e.g.
– City of Lugano Police - http://www.lugano.ch/bambini/welcome.cfm
• Information on ISAC services supported by the US Government is
available at http://www.isaccouncil.org/about/

Bibliography

• IT baseline protection manual from Germany at
www.bsi.bund.de/english/gshb/manual/index.htm
• E-Government manual from Germany at
www.bsi.bund.de/english/themes/egov/3_en.htm
• Best Practices at https://www.it-isac.org/bestpractices.php
