Customer since 2019
The municipality of Leeuwarden takes the information security and privacy of citizens and businesses extremely seriously and professionally.
Leeuwarden can no longer do without a GRC tool
Freddy Dijkstra, CISO at the municipality of Leeuwarden for the past three years, has established a solid security organization. Together with his team, stakeholders within the municipal organization and colleagues from the IT department, he is working hard to make the municipality of Leeuwarden, Waadhoeke, Noardeast-Fryslân, the Wadden Islands and the Noardwest Fryslân service even safer. We asked him about a number of information security and privacy topics.
Freddy previously worked in the social domain and from that role he was quickly convinced of the importance of privacy. "Especially in the social domain you have to deal with very privacy-sensitive information and you want to protect the personal data properly. You don't want the data of this vulnerable group to end up on the street. That's where my affinity with security started."
Leeuwarden is the capital of the province of Fryslân and has an important center function for the region. The municipality has transformed its support services into the Shared Service Center Leeuwarden (SSC). The SSC provides services in the areas of Finance, Communications, Facility Management, P&O, Information Management and ICT.
Why an ISMS?
Leeuwarden has a partnership with several municipalities, all of which have to provide their ENSIA accountability. "Because we work with the LIAS ISMS and all with the same auditor, we make it a lot easier on ourselves. All these municipalities work in the same ICT environment of the SSC. In this way, the member organizations only have to test once, and we thus avoid having to provide information multiple times."
"You can't live without a GRC tool anymore," says Freddy. "I am of the school that information security and privacy is not a party of the CISO but a task of all of us. That's why you can't keep track of your controls in this area on an Excel sheet anymore, you have to have a tool that gives the stakeholders tasks and responsibilities. That's the only way to keep insight and overview."
Freddy further explains his approach. "We work on the 'Three Lines of Defense' model (3LoD) for security and privacy. That's why we also have an internal IT auditor and an ENSIA coordinator. The ISMS is an integral part of this. We are starting small now and will later expand to include differentiated internal controls, more standards frameworks, ISAE 3402 and VIC controls."
How does Inergy support you?
"Our auditor is Ronald Driehuis. Ronald is a pleasant man, obviously with 'blue' qualities such as being critical and thoughtful but also a thoughtful thinker. He brings diversity to our policies. He thinks along with us so that we can improve. Inergy really takes us further in terms of content. Sometimes it happens that we are in danger of not achieving a standard.
Ronald then draws on his experience, partly at other organizations, and then advises us on the solution. There is of course a professional distance between me and the auditor, but still the contact is personal, even though the auditor stays on his toes and does not simply go along with my wishes. It feels like a partnership. And I've experienced that differently before."
Vision for the organization of information security
"Position the CISO close to the board and management and let him advise and act strategically. Information security and privacy used to be a real IT thing. Of course, that hasn't been the case for a long time. We now look much more integrally at, for example, the physical component, the human component and agreements with suppliers."
Freddy supports the vision of the VNG and the IBD on the job profile of the CISO. "In practice, the CISO is still too often busy extinguishing fires, and he has to give tactical interpretation to the BIO. If you also have to make strategic policy, then you're working on three layers and that's not doable."
"In my view, you should appoint a separate ENSIA coordinator, who can coordinate the process of information retrieval. Because as CISO you also have to provide information, you shouldn't want to play that dual role.
In addition, an internal IT auditor is essential. She does all the preliminary work in Leeuwarden for the auditors' audits such as the IT controls and application controls of all financial packages in scope of the financial statements. There is a lot of overlap in tasks and responsibilities with the CISO such as logical access and IT security. We lean on each other's evidence and have an intensive collaboration."
Biggest challenges for the coming years
The municipality is no longer only concerned with information security within the walls of City Hall, but also with that of the citizens and SMEs in the municipality. It's about cybersecurity in the broader sense. "In Leeuwarden we have a cyber agenda that addresses cyber awareness among young people, SMEs and the agricultural sector.
As CISO, I work with the public policy and safety advisors to come up with an integrated approach to prevention and cyber security together."
Employee awareness in this area is and will remain important. Employees are the most likely source of, for example, a configuration error, a click on a phishing email or another human error. "I prefer to look at this positively and build on their strength. That makes them the strongest link," says Freddy.
The third major challenge is preventing a cyber crisis. "It is not a question of if, but when you will have a cyber attack. That's why we are constantly building our cyber crisis organization to make us resilient to any attacks. And we use the IBD's work packages to practice in this area."
Freddy has one last dream. He would like to organize, just like 'Hâck The Hague', a 'Hack Fryslân'. When time permits, he will start working on it.