PONT Data&Privacy

The role of team DSPO in Helmond municipality

Helmond municipality's personnel list includes a team of DSPOs: decentralized security and privacy officers, a role no other municipality has. The DSPO team plays a crucial role in embedding information security and privacy in the DNA of the municipal organization.

October 26, 2020

Author: Quita Hendrison

Dorinie Edelaar started fifteen years ago as an internal auditor at the Municipality of Helmond. Over the years, her interest in and knowledge of ICT and information security grew, and after a foray into consultancy she has been CISO (chief information security officer) of the municipality for some time now. "In 2018, we determined that we could give information security and privacy a clearer place in the business processes. Information security was mainly the domain of the CISO, and privacy that of the FG (data protection officer). Little connection was made between those two domains, while there are obvious interfaces and mutual influence. In addition, the connection with the 53 GEMMA business processes (Municipal Model Architecture) was missing, and thus also the awareness among the process owners, where in fact it all starts."

Integral

It did not stop there: a plan was written to change the existing situation. That plan was presented to the board of directors in 2018 with the support of the city clerk and the responsible alderman. The most important idea in it: take up information security and privacy integrally. Edelaar: "Support from the board and management is incredibly important to turn plans into practice. We want to grow structurally in those two themes of information security and privacy. And if we want to grow, it is absolutely essential that the process owners in the organization really feel ownership of those topics in their own business process. So the implementation of the plan began with awareness sessions for the owners of the 53 processes. What exactly is their role in information security and privacy, what is the role of the official principal, the CISO, the IT auditor, the director, and so on. Through those sessions, we organized awareness."

The final part of the awareness sessions may have been surprising to managers. "They were asked to designate an employee in their department who we will train as a DSPO, the new role of decentralized security and privacy officer. The DSPO supports the process owner in getting information security and privacy into the municipality's DNA. It also has an advisory role; for example, on data breaches, risks and new measures around the BIO. The DSPOs coordinate the business process assigned to them. In short: they will really deal with the work processes."

Independent position

Such a new role is not easy, so not every employee qualifies for it. "That's why we helped the process owners with the profile and asked them to select their own colleagues who can fill this role," says Edelaar. "They obviously have to meet a certain profile, such as having an affinity for IT and security. And they come from the policy side and not from the work process; that mixing is undesirable, because as DSPO you have to have an independent position. You must also have the courage to be critical and stand firm, because it can happen that your process owner (and therefore manager) wants to prioritize business operations at a certain moment while you advise something else. That's when you need to be able to identify well-reasoned risks. Important to note: the DSPO is not ultimately responsible; that remains the process owner."

To make the place of the new role clear to the entire organization, a special communication process for introducing the DSPOs was set up. They introduced themselves in departmental meetings, and they have their own group - on the intranet or internal messaging - where employees can ask questions.

Currently, there are 19 DSPOs who have all completed a training program. In fact, this is an ongoing course in which topics such as privacy, ENSIA, the BIO, risk management and access security are addressed. Edelaar: "Partly we do that with external experts, partly internally. For example, it is important to explain risk management on the basis of real practical situations: take a look at what certain risks could be for your department and what measures you can take to counter them. And when we discuss such a case, we also involve other colleagues: in access security, for example, functional administrators have an important role. Where we can, we take an integrated approach as much as possible."

Nice steps

For Edelaar, setting up the DSPO organization is a task in addition to her CISO duties. "That also applies to our FG. This is really a Helmond 'invention' and we experience it as an important step to get to the desired level. To eventually make information security and privacy part of the business processes, because that is the goal. And we have already made great strides. For example, based on the 2019 ENSIA accountability process, we have drawn up further development plans for each process owner. Where are there risks, where should we prioritize? That is the basis for steering. We are also further developing the processor register for the AVG into a tool in which we can record everything. Furthermore - in the context of awareness - we have made a communication plan in which we include all target groups. And of course we are going to evaluate, so that we can keep taking the DSPO organization a step further. We do notice that it remains hard work. Digitization and its effects on information and related privacy and security issues are quickly assessed as technical or bureaucratic. The obvious fact that this is part of the integral management task, just like finance and personnel, is not always there yet. It is up to us to keep calling attention to this constantly, without taking over responsibility."

Source: VNG Realisatie
