- Open administration
- Interoperability
Extension of the ATEX5 service until January 30, 2025
Cyber security is key in the digital transformation of local administrations. To evaluate it, the Digital Maturity Index (IMD) uses the indicators calculated annually by the Cybersecurity Agency of Catalonia (ACC). This year, the ACC has changed its evaluation methodology and we have new indicators for a more complete assessment of the security of local entities.
Improvement of the Cybersecurity indicator
Until last year, the IMD measured cyber security vulnerability based on the level of exposure to vulnerabilities calculated by the ACC. This indicator was obtained by periodically scanning the Internet-accessible services of local entities using a series of automated vulnerability detection tests without performing any intrusion.
This year the ACC has provided us with a new indicator: the security rating. In addition, we have used the certification information in the National Security Scheme (ENS) published by the National Cryptographic Center.
New Cybersecurity performance indicator
The first new indicator is the Bitsight Marketplace Solution Cybersecurity Rating, which measures the cybersecurity performance of organizations using data from different sources and generates a score that classifies entities into three categories:
- Advanced: High security performance and lower cyber risk.
- intermediate: Acceptable safety performance and moderate risk.
- Basic: Low security performance and lower cyber risk.
Bitsight conducts an objective and continuous assessment of IT security evaluating aspects such as the presence of vulnerabilities, but also the implementation of security practices or the response to security incidents, others. This assessment improves local authorities' understanding of cyber security compared to the previous indicator.
According to this tool, in 2023, 64% of the 751 local entities evaluated they got a high cyber security rating, 33% intermediate and only 3% low.
Certification of the National Security Scheme (ENS)
The second new indicator assesses whether the local entity has a certificate of compliance with the ENS. The ENS establishes the requirements to guarantee the security of the public administration, i having this certificate demonstrates commitment to safety standards legal
The year 2023 only 9 local entities in Catalonia had a certificate of compliance from the ENS for their management services, beyond the use of certified technological solutions.
- The town councils of Ametlla del Vallès, Manlleu, Vilanova and Geltrú and the Regional Council of Baix Llobregat had the ENS compliance certificate for medium category systems.
- The town councils of Almoster, Capafonts, Masllorenç, Bot and Villalba and els Arcs had the ENS compliance certificate by basic category according to Specific Compliance Profile of Essential Security Requirements using the µCeENS methodology.
The Essential Security Requirements Compliance Profile and the µCeENS methodology allow organizations with difficulties to adapt to the ENS to obtain certification. In this sense, it is necessary to highlight the initiative of the Consell Comarcal del Baix Penedès, in collaboration with the Diputació de Tarragona, to implement this reduced and adapted version of the ENS in municipalities with less than 20.000 inhabitants of the region.
How we calculate and score the Cybersecurity indicator
The IMD Cyber Security Indicator is the weighted sum of the two ACC indicators, with a weighting factor of 0,5 for each. The Cyber Security Rating indicator is worth 1 for Advanced, 0,75 for Intermediate, and 0,25 for Basic. The ENS Certificate indicator is worth 1 if the entity has the certificate and 0 otherwise.
By 2023, we only have the Bitsight security rating for 100% of local entities in the range of more than 50.000 inhabitants. For this reason, in the rest of the population bands, only the ENS compliance certificate has been taken into account, with a weighting factor equal to 1.