The Court of Accounts urges the Zamora City Council to strengthen its cybersecurity with new technical and regulatory measures

The Court of Accounts demands more technical resources, personnel, and internal regulations from the Zamora City Council to comply with the ENS and reinforce its cybersecurity.


The Court of Accounts has urged the Zamora City Council to implement various technological and regulatory actions to strengthen its computer security, an area in which it sees "much room for improvement" and in which it had previously alerted other local entities.

These conclusions are included in the report on computer security in Zamora, approved this Tuesday by the Plenary of the Court of Accounts, which makes ten recommendations to the City Council. Among them is promoting the necessary actions to correct the regulatory non-compliance and technical deficiencies detected when reviewing controls, in line with the observations made to other provincial-capital city councils already audited.

The auditing body emphasizes that, to advance in this adaptation, organizations such as the National Cryptologic Center, the FEMP, or the Spanish Data Protection Agency have detailed guides with complete models aimed at city councils with similar characteristics, which can be used as a reference to facilitate the process.

Likewise, it considers that the municipal Plenary must assume and promote a "firm commitment" to compliance with regulations and design a long-term strategy that defines adequate governance of information technologies.

The Court of Accounts adds that it is necessary to regularize and strengthen the coverage of key staff positions linked to information technologies, provide sufficient resources to the Information and Communication Technology Unit, and complete the process through audits or self-assessments of ENS compliance, considering carrying them out jointly with those related to personal data protection.

In relation to the municipal technological environment, the report suggests that the Mayor's Office should promote "the necessary actions" to adequately fill the positions provided for in the job description, so as to guarantee a structure that complies with the principle of security as a differentiated function and that can assume the tasks related to the management of information systems.

It also advises formalizing the appointment of the security officer and ensuring their correct integration into the security policy, in addition to guaranteeing sufficient and permanently updated documentation of the information technology environment.

Regarding the inventory and control of assets and the use of administrative privileges, the Court of Accounts considers that a comprehensive and updated inventory of assets should be promoted, covering all relevant types and ensuring the quality and integrity of the information.

It also proposes establishing procedures and tools that allow for the automated or systematic updating of these inventories, with the aim of increasing their reliability and ensuring effective control over municipal assets, as well as promoting medium and long-term planning for technological renewal needs, supported by adequate budgetary allocation.

Regarding the continuous process of identifying and correcting vulnerabilities, the security officer must coordinate with the system officer on decisions regarding the use of automated tools. Furthermore, the inclusion of clauses in IT service contracts should be promoted, allowing for control over how these services are provided and how administrative privileges are managed and supervised, in accordance with the ENS.

Finally, in the area of regulatory compliance, the Court of Accounts indicates that the municipal Plenary must lead the pending actions to provide the entity with the measures that the regulations require as key elements, in accordance with the ENS and Organic Law 3/2018 on Personal Data Protection and the guarantee of digital rights. Likewise, it considers it necessary to approve regulations that ensure user activity logging is carried out in accordance with the ENS and with personal data protection, public service, or labor regulations, in order to have truly efficient cybersecurity controls.
