Presenting the Siena approach to Security
This presentation shows the approach to risk management and security used by the Siena Municipality from a cross-sectional point of view. Following a risk analysis which identifies threats, assesses vulnerabilities and identifies safeguards, actions should be taken to improve security in the broadest sense of the word (both as a physical and as a logical entity), in addition to improving the security of the Administration itself.
Security means adopting technical-infrastructural, technological, organizational, procedural, educational and regulatory measures capable of:
- limiting any damage that the administration may sustain, both tangible and intangible, direct or indirect,
- guaranteeing information availability and access at any time and in any place.
On this basis, a number of modifications to infrastructures have been envisaged: security of the power supply of workstations that provide services to the public, visitor access control systems in the various administrative premises, air conditioning and intrusion-detection systems, and fire prevention and control in the server rooms. As for the solutions to be adopted in the field of information technology, the following actions have been envisaged:
- selective introduction of data encryption techniques in order to guarantee data integrity and privacy according to requirements, by determining the minimum security measures for privacy protection,
- improved access controls for information resources, in addition to auditing and preventive maintenance of those resources,
- improved security measures within the information system architecture in order to increase security levels throughout the system every time a change is introduced into the network,
- formal creation of an IT resource inventory and a knowledge base for the recording of events that have caused service interruption.
From an organizational point of view, the following actions need to be taken:
- adopt the security life-cycle in full as a standard reference model for security,
- identify and appoint a security manager, a password and encryption keys manager, a system and network administrator, etc.,
- increase the permanent staff in the technical department dedicated to information system management,
- introduce a system for the processing of personal data that makes it possible to monitor all related information, such as the relationship between server, databank name, type of processed data, purpose of the processing, owner, manager, group or employees, security measures adopted, etc.,
- introduce a security management system that makes it possible to follow all aspects of these issues through standardized reference models,
- introduce an internal structure or use a third-party service for the management of computer-related incidents (IRT, Incident Response Team),
- use security cabinets to store back-up copies and internal documentation.
In terms of procedural aspects, it is advisable to classify the data, define security policies and prepare an emergency and contingency plan. In addition to the courses already attended by the employees and the CED and Service Centre staff, further training needs to be planned with a view to making the administration staff aware of information security and privacy issues, as well as specific courses on the Programmatic Document for Security and on security policies.
For regulatory aspects, the following actions can be suggested:
- review and, if necessary, change the legal ownership of data banks and the ownership of data processing tasks,
- review and adjust the minimum personal data protection measures to be enforced when processing data through both electronic and non-electronic systems (manual processing), as dictated by personal data protection regulations.
It is also necessary to comply with the rules of the information protocol on documentation and archives management and it is advisable to conform to the "provisional rules and regulations concerning the security of the Internet sites belonging to Central Administration and to public authorities".
