Protecting Public Services

A comprehensive operational framework to strengthen the security of local authorities’ information systems, integrating governance, priority measures, business continuity, and effective crisis management.

Main Risks for Local Authorities

Threats

    • Ransomware: data encryption, service interruption (civil registry, school meals, payment office).

    • Phishing: credential theft, wire fraud.

    • Exposure of public-facing tools: misconfigured RDP/VPN, unpatched CMS.

    • Data leaks: sharing errors, lost devices, uncontrolled cloud services.

    • OT / Connected urban systems: cameras, access control, signage, smart buildings.

Summary

    • Multi-factor authentication (MFA) for email, VPN, and line-of-business systems

    • 3-2-1 backups, tested and offline

    • Security updates and patches applied within 14 or 30 days depending on severity

    • Network segmentation (users / servers / OT / guest Wi-Fi)

    • Email filtering + anti-phishing training

    • Centralized logging + monitoring (SIEM/EDR/antivirus)
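The 14/30-day patching window above (and the CVSS-prioritised patch management in action 3 below) is only enforceable if each finding carries a deadline computed from its severity and the date the fix became available. The following is an added example, not code from the framework itself: it assigns 14 days to critical and high CVSS scores and 30 days to the rest (an assumption; the page does not say where the split lies), computes the due date for each inventory entry, classifies it as open, overdue or patched, and sorts internet-facing assets first. Hostnames and advisory identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed SLA split (the framework only says "14/30 days depending on
# severity"): critical and high CVSS get 14 days, medium and low get 30.
SLA_DAYS = {"critical": 14, "high": 14, "medium": 30, "low": 30}


def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


@dataclass
class Finding:
    asset: str                       # hostname from the asset inventory
    advisory: str                    # vendor advisory or CVE reference
    cvss: float
    published: date                  # date the fix became available
    internet_facing: bool = False
    patched: Optional[date] = None   # date the fix was deployed, if done


def due_date(f: Finding) -> date:
    sev = cvss_severity(f.cvss)
    return f.published + timedelta(days=SLA_DAYS.get(sev, 30))


def patch_status(f: Finding, today: date) -> str:
    due = due_date(f)
    if f.patched is not None:
        return "patched_on_time" if f.patched <= due else "patched_late"
    return "overdue" if today > due else "open"


def build_report(findings: List[Finding], today: date) -> List[dict]:
    """One row per finding, most urgent first: internet-facing assets before
    internal ones, then higher CVSS, then earliest deadline."""
    rows = [{
        "asset": f.asset,
        "advisory": f.advisory,
        "severity": cvss_severity(f.cvss),
        "cvss": f.cvss,
        "internet_facing": f.internet_facing,
        "due": due_date(f).isoformat(),
        "status": patch_status(f, today),
    } for f in findings]
    rows.sort(key=lambda r: (not r["internet_facing"], -r["cvss"], r["due"]))
    return rows


def demo_report() -> List[dict]:
    """Constructed inventory extract (hostnames and advisory ids are
    placeholders, not real systems), evaluated as of 2024-03-20."""
    today = date(2024, 3, 20)
    findings = [
        Finding("mairie-web-01", "ADV-0001", 9.8, date(2024, 3, 1), internet_facing=True),
        Finding("vpn-gw", "ADV-0002", 7.5, date(2024, 3, 10), internet_facing=True,
                patched=date(2024, 3, 20)),
        Finding("file-srv-02", "ADV-0003", 5.3, date(2024, 2, 1)),
        Finding("ws-rh-07", "ADV-0004", 3.1, date(2024, 3, 12)),
    ]
    return build_report(findings, today)


if __name__ == "__main__":
    for row in demo_report():
        print(f'{row["status"]:15} {row["asset"]:14} {row["advisory"]} '
              f'CVSS {row["cvss"]} ({row["severity"]}) due {row["due"]}')
```

In practice the inventory would be read from the CMDB or vulnerability scanner export rather than hard-coded; the point is that "overdue" becomes a computed property that can be reported to the governance body each month rather than a judgement call.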

Objectives

    • Protect the confidentiality of administrative data, whether it concerns staff or citizens

    • Prevent unauthorized alteration or manipulation of data

    • Strengthen the traceability of access and actions

    • Ensure compliance (GDPR, audit logs)

12 Priority Actions

    1. Generalized MFA, including email, VPN, admin access, and business apps
    2. 3-2-1 backup strategy: three copies, two media types, one offline or immutable + quarterly restoration tests
    3. Structured patch management, based on updated inventory, CVSS prioritization, and phased rollout
    4. Hardening of workstations and servers: Office macros disabled, local firewall enabled, application control (allow-listing)
    5. Network segmentation, VLANs per usage, inter-zone filtering, isolated guest Wi-Fi
    6. Supervised EDR/antivirus, with detection, analysis, and quarantine
    7. Mail & web filtering, sandboxing, SPF/DKIM/DMARC on the authority's domains, blocking of newly registered or suspicious domains
    8. Identity management with least privilege, named accounts, and automatic revocation
    9. Centralized logging (syslog/SIEM), NTP timestamping, retention ≥ 6 months
    10. Business continuity, with BCP/DRP, critical service prioritization (civil registry, payroll, school meals…), and regular tests
    11. Ongoing awareness training, micro-learning and phishing simulations
    12. Supplier management, including monitoring, controls, and security obligations
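Action 7 lists SPF, DKIM and DMARC, but publishing the records is not the same as enforcing them: an SPF record ending in `+all`, a DMARC policy of `p=none` or a DKIM selector with an empty `p=` tag all leave the domain spoofable. The following is an added example (not code from the framework) that evaluates the three records as a mail administrator would after a DNS export. The TXT records are constructed, the domain names are placeholders, and the lookup function stands in for a real DNS query.

```python
import re
from typing import Dict, List

# Constructed TXT records standing in for DNS answers. The domains are
# placeholders; the DKIM public key is replaced by a textual placeholder.
TXT: Dict[str, List[str]] = {
    "weak.example": ["v=spf1 include:_spf.example.net +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "mail._domainkey.weak.example": ["v=DKIM1; k=rsa; p="],
    "hardened.example": ["v=spf1 mx ip4:203.0.113.10 include:_spf.example.net -all"],
    "_dmarc.hardened.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example; pct=100"],
    "mail._domainkey.hardened.example": ["v=DKIM1; k=rsa; p=<base64 public key>"],
}


def lookup_txt(name: str) -> List[str]:
    """Stand-in for a DNS TXT query (assumption: replace with a resolver call)."""
    return TXT.get(name.lower(), [])


def parse_tags(record: str) -> Dict[str, str]:
    """Split 'k=v; k=v' style records (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


# SPF terms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_MECH = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:=/]|$)", re.I)


def check_spf(domain: str) -> List[str]:
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return ["SPF: no record"]
    issues = []
    if len(records) > 1:
        issues.append("SPF: multiple records, receivers treat this as permerror")
    terms = records[0].split()[1:]
    lookups = sum(1 for t in terms if LOOKUP_MECH.match(t))
    if lookups > 10:
        issues.append(f"SPF: {lookups} DNS lookups exceed the limit of 10")
    last = terms[-1].lower() if terms else ""
    if last in ("+all", "all"):
        issues.append("SPF: +all lets any host send as the domain")
    elif last == "?all":
        issues.append("SPF: ?all is neutral, nothing is enforced")
    elif last == "~all":
        issues.append("SPF: ~all soft-fails only; move to -all once senders are inventoried")
    elif last != "-all" and not last.startswith("redirect="):
        issues.append("SPF: no terminating all mechanism")
    return issues


def check_dmarc(domain: str) -> List[str]:
    records = [r for r in lookup_txt(f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if not records:
        return ["DMARC: no record"]
    tags = parse_tags(records[0])
    issues = []
    policy = tags.get("p", "")
    if policy == "none":
        issues.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("DMARC: p=quarantine; move to p=reject once reports are clean")
    elif policy != "reject":
        issues.append("DMARC: missing or invalid p tag")
    if "rua" not in tags:
        issues.append("DMARC: no rua address, so no aggregate reports are received")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    return issues


def check_dkim(domain: str, selector: str) -> List[str]:
    records = lookup_txt(f"{selector}._domainkey.{domain}")
    if not records:
        return [f"DKIM: no record for selector {selector}"]
    tags = parse_tags(records[0])
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        return ["DKIM: record is not v=DKIM1"]
    if not tags.get("p"):
        return ["DKIM: empty p= tag means the key is revoked, signatures will not verify"]
    return []


def audit(domain: str, selector: str) -> List[str]:
    """All findings for one domain; an empty list means the three records are enforced."""
    return check_spf(domain) + check_dmarc(domain) + check_dkim(domain, selector)


if __name__ == "__main__":
    for d in ("weak.example", "hardened.example"):
        print(d, audit(d, "mail") or ["OK"])
```

Run against the authority's real domains with a resolver in place of `lookup_txt`, and repeat the audit after every change to the mail platform or to a supplier that sends on the authority's behalf, since those are the changes that silently reintroduce `~all` or `p=none`.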

Modes & Policies

Information Security Policy (ISSP/PSSI)

Provides a clear framework covering governance (elected official, IT dept, CISO), data classification, access rules, backup practices, incident management, and requirements applied to service providers.

Charters & Procedures

    • User / administrator charter

    • Access rights procedure & periodic review

    • Password / MFA policy

    • Backup & restoration procedure

    • Incident Response Plan (IRP)

Incident Response

      • Detect: EDR/antivirus alerts, SIEM, user reports
      • Qualify: type (malware, leak, fraud), scope, criticality (impact on services/citizens)
      • Contain: isolate devices/servers, disable compromised accounts, block IOCs
      • Eradicate: remove root cause (malware, accounts), fix vulnerabilities
      • Recover: restore from clean backups, test, phased return to service
      • Communicate: crisis unit (official, CEO, IT, comms), inform citizens if required
      • Notify: regulatory reporting (e.g., CNIL for personal data)
      • Post-incident review: lessons learned, action plan
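The Detect and Contain steps above, together with the centralized syslog/SIEM logging of action 9, only pay off if the collected lines are actually evaluated against rules and the output names a containment action. The following is an added example, not part of the framework: it parses constructed SSH/VPN gateway log lines (NTP-synchronised ISO 8601 timestamps, placeholder hosts, users and RFC 5737 addresses) and applies three rules, a brute-force burst, a success preceded by repeated failures, and a match against an indicator list received during qualification. The thresholds and window are assumptions to be tuned per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample lines in the shape an SSH/VPN gateway forwards to syslog.
# Hosts, users and addresses are placeholders, not real systems.
SAMPLE_LOGS = """\
2024-03-20T08:00:01+01:00 vpn-gw sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
2024-03-20T08:00:04+01:00 vpn-gw sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 51236 ssh2
2024-03-20T08:00:09+01:00 vpn-gw sshd[2103]: Failed password for dupont.m from 198.51.100.23 port 51240 ssh2
2024-03-20T08:00:15+01:00 vpn-gw sshd[2105]: Failed password for dupont.m from 198.51.100.23 port 51244 ssh2
2024-03-20T08:00:21+01:00 vpn-gw sshd[2107]: Failed password for dupont.m from 198.51.100.23 port 51250 ssh2
2024-03-20T08:00:33+01:00 vpn-gw sshd[2109]: Accepted password for dupont.m from 198.51.100.23 port 51255 ssh2
2024-03-20T08:15:02+01:00 vpn-gw sshd[2200]: Accepted publickey for martin.p from 192.0.2.45 port 40021 ssh2
2024-03-20T09:02:11+01:00 vpn-gw sshd[2300]: Failed password for martin.p from 192.0.2.45 port 40100 ssh2
2024-03-20T09:02:30+01:00 vpn-gw sshd[2301]: Accepted password for martin.p from 192.0.2.45 port 40101 ssh2
2024-03-20T09:30:00+01:00 vpn-gw sshd[2400]: Accepted password for service.paie from 203.0.113.77 port 3333 ssh2
"""

# Constructed indicator list, standing in for IOCs received during qualification.
IOC_IPS: Set[str] = {"203.0.113.77"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

WINDOW = timedelta(minutes=10)   # assumed sliding window
BRUTE_FORCE_THRESHOLD = 5        # failures from one source inside WINDOW
PRECEDING_FAILURES = 3           # failures before a success that make it suspicious


def parse_events(text: str) -> List[dict]:
    """Turn raw lines into events sorted by time; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(text: str, ioc_ips: Set[str]) -> List[dict]:
    alerts: List[dict] = []
    failures: Dict[str, deque] = defaultdict(deque)   # ip -> recent failure timestamps
    flagged_brute: Set[str] = set()
    for ev in parse_events(text):
        ip, user, ts = ev["ip"], ev["user"], ev["ts"]
        window = failures[ip]
        while window and ts - window[0] > WINDOW:
            window.popleft()
        if ip in ioc_ips:
            alerts.append({"rule": "ioc_match", "ip": ip, "user": user, "at": ts.isoformat(),
                           "action": f"block {ip} at the perimeter; review every session of {user}"})
        if ev["result"] == "Failed":
            window.append(ts)
            if len(window) >= BRUTE_FORCE_THRESHOLD and ip not in flagged_brute:
                flagged_brute.add(ip)
                alerts.append({"rule": "brute_force", "ip": ip, "user": user, "at": ts.isoformat(),
                               "action": f"block {ip}; check which accounts were targeted"})
        else:
            if len(window) >= PRECEDING_FAILURES:
                alerts.append({"rule": "success_after_failures", "ip": ip, "user": user,
                               "at": ts.isoformat(),
                               "action": f"disable {user}, reset credentials and MFA; block {ip}"})
            window.clear()
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS, IOC_IPS):
        print(f'{a["at"]} {a["rule"]:24} {a["ip"]:15} {a["user"]:12} -> {a["action"]}')
```

The single failure followed by a success for `martin.p` produces no alert, which is the intended behaviour: a mistyped password is not an incident, five failures in twenty seconds followed by a success is. The same rules transposed to the SIEM's query language give the Detect step a concrete trigger and the Contain step a ready-made action.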

Compliance

      • Data protection: processing register, minimization, legal basis, DPIA if needed, citizen information
      • Log management: proportionality, purposes, appropriate retention periods
      • Public procurement: security requirements in contracts (SLA, incident reporting, encryption, reversibility)
      • Administrator access: traceability, named accounts, strong access control
      • Archiving: integrity, long-term preservation, document lifecycle