Cybersecurity protects the privacy and security of data against cyber threats and is essential to guarantee the public's trust in the Digital Administration. From the year 2021, the Digital Maturity Index (IMD) includes cyber security in the assessment of the level of digital transformation of local administrations, thanks to the collaboration of the Catalan Cyber Security Agency.
Why do we assess cyber security?
Cybersecurity aims to protect computer systems, networks and data against cyber threats such as viruses, malware or denial of service attacks. As councils advance in their digitization process, their exposure to these threats also increases. According to the Catalan Agency for Cybersecurity (ACC), published cyberattacks that have affected the Catalan public sector increased by more than 60% between 2020 and 2021.
A cyberattack can have serious consequences, both for the city council itself and for citizens, such as the theft and publication of sensitive data, la suspension of municipal services and the normal activity of the town hall o suffer significant economic losses. In addition, if citizens perceive that their data is not protected, they may lose confidence in the institution.
On the other hand, much of the data managed by a city council is personal data of citizens and is subject to data protection regulations. Cyber security can be considered a preventive measure to avoid the loss, alteration or disclosure of personal data
So, lthe digital maturity of a municipality depends not only on its ability to offer digital services, but also on its ability to guarantee security and privacy of the data against malicious attacks.
Cybersecurity vulnerability of local bodies
The IMD assesses the vulnerability to cyber attacks using the cyber security vulnerability indicator, which is obtained from the level of exposure to vulnerabilities calculated by the Agencia de Cyberseguretat de Catalunya within the cyber security model it has deployed for local councils and bodies.
The level of exposure to vulnerabilities is obtained by periodically scanning the Internet-accessible services of local entities. The analysis consists of a series of automated vulnerability detection tests based on versions or active tests (non-intrusions, checks) on all services. Depending on the vulnerabilities detected, the exposure level value varies between 0 points, when the severity is zero, and 10 points, when the severity is critical.
the indicator cybersecurity vulnerability of the IMD is obtained by normalizing the value of the level of exposure to vulnerabilities and awarding more points when the degree of severity detected is lower. In 2022 74% of local authorities had a low or medium cyber security vulnerability.
Compliance with the National Security Scheme
The National Security Scheme (ENS) is a set of measures and procedures that must be adopted by public administrations to guarantee the security of electronic services and the information they manage. One of the objectives of the latest revision, published on May 22, 2022, is precisely update the basic principles, minimum requirements and security measures of the ENS to strengthen the cyber security of the public sector.
For this reason, the IMD includes compliance with the ENS as one of the indicators in the field of cyber security. The indicator evaluates whether the city council has published a certificate of conformity from the ENS on its website or if the supplier of the electronic administration system used by the city council appears in list of certified entities of the National Cryptologic Center.
The year 2022 79% of local entities use electronic administration platforms that have an ENS certificate of conformity.
Appointment of data protection delegate
The General Data Protection Regulation (RGPD) and the Organic Law on the Protection of Personal Data (LOPDGDD) establish the legal obligations that organizations must fulfill to protect personal data. In today's context, cyber security is becoming a fundamental part of personal data protection management and, therefore, compliance with personal data protection regulations.
The Data Protection Officer (DPD) is the guarantor of compliance with data protection regulations in an organization. All local bodies are obliged to appoint a DPD and communicate their appointment to the APDCAT, as established by the RGPD and LOPDGDD.
The IMD assesses whether local entities have appointed a DPD consulting the Data Protection Delegates communicated to the APDCAT. In the year 2022, 72% of local entities had communicated the DPD to the Catalan Data Protection Authority.
You can consult all the digital maturity indicators in the report Detailed view of the body of theDigital Maturity Index 2022.
