Local governments manage a great volume of sensitive information, which is a public resource of high value.

As a result of the expanded use of electronic information systems to collect, store and transfer information, and an increasing interconnectivity, information systems and networks are now exposed to a growing number and a wider variety of threats and vulnerabilities.

This raises new demands to local governments, which are not only to cope with numerous technical requirements, but also strengthen management practices regarding protection of the security of information.

Because of its vulnerabilities and importance, specific attention needs to be put on handling high-risk information, which includes various categories of sensitive information, personal or financial information, privileged, proprietary or business information; information which may cause harm, or impede competition and provide for an unfair advantage if lost, damaged or released without authorization.


An integrity risk assessment of the process of managing security of information may identify some or all of the following integrity risks/risk factors (the list is not limited):

  • Officials falsify electronic records to obtain financial benefits (i.e. bonuses; reimbursement). Officials create fraudulent electronic documentation to aid a third party (i.e. tax registration, property registration, certificates, licenses).

  • Officials get unauthorized access to classified or restricted information to aid a third party (i.e. access to procurement information). Officials alter or delete electronic data to aid a third party (i.e. altering a pricing offer in a bid to provide a competitive advantage to aid a particular bidder). Officials place malware (e.g. viruses, spyware) on a local government’s IT systems with an intention to damage them and destroy information and audit trails.

  • Officials provide log-in details to a third unauthorized party, to enable remote unauthorized access. Officials use another official’s computer to gain unauthorized access, or get unauthorized access to mobile computing/removable data storage devices (i.e. memory sticks).

  • Officials manipulate the IT system to build a ‘back door’ to enable an unauthorized access, or expose the system to further vulnerabilities.


Following the risk assessment, the local government may consider the following risk management strategies as development points:

  • Introduce and maintain rigorous policy and procedures on information security management. Align with the applicable regulatory framework, as well as with the available good practices (i.e. (OECD Guidelines for the Security of Information and Networks), and the respective management standard ISO/IEC 27001:2013). Communicate them effectively to all staff (i.e. through trainings, workshops, awareness events, intranet, internal meetings, etc).

  • Build and strengthen capacities in managing information security (i.e. participatory and online trainings, mentoring, etc.). Sensitize staff on the importance of managing security of information. Ensure all staff is well aware of their accountabilities.

  • Adopt clear operational guidelines/ procedure to ensure classification of information and regulate its use, storage, transmission and disposal per category, aligned with the applicable regulations and internal policies, as well as with its value, sensitivity and criticality. Ensure all relevant staff is well aware and trained.

  • Strictly apply information labelling and handling according to classification. Observe a ‘clear desk policy’ for classified information.

  • Further to the applicable regulatory requirement and internal policies, set up a clear procedure on retention and disposal of confidential information. Apply special controls for emailing of confidential documents (i.e. appropriate encryption). Store confidential information securely.

  • Adopt and implement formal procedures to protect the exchange of information through the use of all types of communication facilities. Produce audit logs to record user activities keeping them for an agreed period to enable access control monitoring.

  • Install and regularly test firewalls and other security systems to prevent unauthorised external access.

  • Protect adequately areas that contain information and information processing facilities. Use appropriate entry controls to ensure authorized access only (i.e. physical security, periodic checks in after-business hours). Protect equipment to reduce the related risks. Implement appropriate security controls over off-site equipment (i.e. laptops, mobile devices, etc). Prevent taking equipment, information or software off-site without authorization.

  • Set strict controls to regulate access (i.e. user registration and de-registration, security practices in the selection and use of passwords, security protection of unattended equipment).

  • Apply rigorous policies for using internet and handling mail, including confidential mail. Restrict access to internet resources and use of personal e-mail addresses, as appropriate.

  • Ensure reliable backup of information resources. Implement appropriate archiving, aligned with legal requirements and the technological characteristics of the information system. Include emergency response procedures and information recovery in the emergency preparedness plan.

  • Monitor operation of important IT resources to verify compliance with recommended functioning norms. Check regularly history log files to detect possible cyber-attacks and security violations. Provide for immediate reporting and treatment of irregularities observed.

  • Require officials, contractors and third party users agree and sign a confidentiality agreement, restating their responsibilities for information security, as appropriate.

  • Require all staff, contractors and third party users to return all local government’s assets in their possession upon termination of their contracts. Immediately remove access rights upon termination of contracts, or adjust them upon change.

  • Apply straightforward disciplinary and sanctioning processes to staff who have committed a security breach.