The Audit Office has warned of the “unacceptable risk” associated with the Torrevieja City Council’s cybersecurity systems. In its annual report, the body has given the Council a dozen proposals to strengthen an area that is crucial to its services and to the way the administration operates in the digital sphere. Even though the City Council has made investments recently “and notable progress has been made since our previous audit,” the Audit Office specifically notes in this report that these investments are insufficient. The general maturity index of the Basic Cybersecurity Controls is 52.0% (31.8% in 2021), which is still insufficient, represents an unacceptable level of risk, and is far from the ENS’s goal of 80.0%. As a result, “it must continue to adopt measures to redirect the observed situation.”
“Torrevieja City Council lacks an adequate internal control system and cybersecurity governance, as mandated by regulations,” the report states. Even though the Council has taken steps to redirect the situation, they are insufficient, and the situation needs to be fixed right away. Support must also be strengthened by allocating financial and human resources to information security.
“Acquiring and deploying a specific solution to restrict access to the corporate network by unauthorised physical devices,” as well as establishing a device inventory and a hardware and software upgrade plan, were among the recommendations the agency made to the City Council. It also highlights the necessity of developing a comprehensive vulnerability identification and remediation process that is applied to all City Council systems.
The report also highlights the necessity of formalising a single process for managing users with administrative rights that sets rules for all of the organization’s systems. Additionally, it specifies that a secure (hardened) configuration process that takes the principles of security by default and minimum functionality into account must be approved and put into place for the systems. To achieve this, it suggests creating customised installation manuals for every system, based on suggestions from reference groups and manufacturers.
According to the report, the City Council should set up a procedure for handling audit logs of user activity that covers the systems impacted, the data kept, the duration of the retention period, backups, control over access rights to the logs, and the implementation and documentation of a log review process. It is best to centralise log review in systems specifically designed for this purpose.
Establishing a process for handling data and system backups that outlines, at the very least, the systems and data impacted, the frequency of backups, the locations, the people in charge, restoration tests, and backup protection needs is another suggestion.
Despite the fact that many of these suggestions have been implemented, the report points out that more needs to be done to improve the City Council’s cybersecurity control and reliability index.