A total of 110 public bodies (97 municipalities and 13 regions) responded to a 54-question survey. The responses are consolidated and analyzed from a Scandinavian perspective. The survey focused on four areas: 1. Managing IT Risks, 2. Information Security Management, 3. Policy Enforcement, 4. Awareness Management: securing employee compliance and attention to policies, roles and responsibilities. Overall, the survey shows that the bodies have focused on: 1. Risks, 2. Goals for information security (policy), 3. Creating a framework for information security management. 4. With regard to staff awareness, the survey confirms that:
- Rights, obligations and sanctions are typically described by the bodies
- Staff is to some extent given access to security rules
- Little is done to provide knowledge through further training
- Knowledge of rules is rarely followed up
- Undesired behaviour is rarely followed up
The Executive Director of ENISA, Mr. Andrea Pirotti, observed: "This report underlines the fact that staff must first be aware of a) what data has to be protected and b) why, if they are to comply with security rules. The situation is good, but not good enough: more still has to be done."
The report is the result of the kind support of the ENISA Awareness Raising (AR) Community.
For further information: http://www.enisa.europa.eu/