The Three-Year Plan for ICT in the Public Administration and this site were translated by Artificial Intelligence. Help us improve them on GitHub.


Security

Security is of fundamental importance, as it guarantees the availability, integrity and confidentiality of information in the Public Administration’s Information System. It is also directly connected to the principles of privacy determined by law. The role of CERT-PA is therefore being strengthened to structure the security plans of the Public Administrations and to ensure the implementation of the plans by means of periodic monitoring and checks.

The Plan, taking into account the National Strategic Framework for Cyberspace Security (QNS), emphasises the rationalisation of ICT resources as the primary method of increasing the security level by reducing the "surface" exposed to computer attacks.


Actions

55 CERT-PA

Due dates:
in progress
Players:
AgID
Description:

CERT-PA, which has been operational since 2013, will gradually increase its operational capability by completing the ICT infrastructure for providing basic services and by delivering a first, embryonic cyber information system, including through the implementation of two solutions: Infosharing CERT-PA and the National Vulnerability Database.

Results:
---

56 Publication and adaptation to the Technical Rules for the ICT Security of the Public Administrations

Due dates:
by September 2017
Players:
AgID - The Department of Public Services - PA
Description:

AgID compiles the Technical Rules for ICT Security of Public Administrations that will provide the PAs with guidance on the measures to be adopted.

The Department of Public Services is to issue the Technical Rules prepared by AgID.

The Public Administrations then comply with the Technical Rules for the ICT Security of the Public Administrations, through the preparation and execution of the adaptation plans for the technical rules issued by AgID.

Pending the issuance of the aforementioned Technical Rules, all Public Administrations can adapt to the “Minimum ICT Security Measures for Public Administrations” already published by AgID.

Results:

57 Security architecture for critical services

Due dates:
by September 2017
Players:
AgID - PA
Description:

Definition of the principles and guidelines of the architectural model for critical service management, and its contextualisation with respect to the data clusters managed.

The PAs that are the owners of critical services are to draw up an Adaptation Plan and adapt or implement critical services in accordance with the guidelines.

Results:

58 Continuous monitoring

Due dates:
in progress
Players:
PA
Description:

In order to ensure continuous monitoring, as recommended by security best practices (such as ISO 27001 and the NIST documentation), the Public Administrations will be responsible for keeping up to date the status of the software used in each Administration with respect to known vulnerabilities published by one or more reference bodies (such as the national CERTs or vulnerability databases).

To carry out this action, software will be scanned using automatic tools, and the subsequent analysis of the results (and of the possible impact of an incorrectly determined vulnerability) will be entrusted to a competent party. AgID reserves the right to perform penetration tests on a random basis.

Results:

59 Reporting IT incidents to CERT-PA

Due dates:
in progress
Players:
PA
Description:

All public administrations are required to monitor and promptly report to CERT-PA any IT incidents and potential risk situations, using the communication channels outlined in the dedicated section of the AgID site.

For all subjects accredited on Infosharing, CERT-PA provides a dedicated reporting feature.

Results:
---

60 Reorganisation of the "gov.it" domain

Due dates:
in progress
Players:
AgID - PA
Description:

AgID issues rules for the reorganisation of the “gov.it” domain, in order to ensure its restructuring using a segmentation that meets international criteria and allows for the grouping of central administration sites.

The PAs, in turn, complete the activities within 12 months.

Results:
