Agenda item

Cyber security report

Tony Oladejo, ICT Audit and Compliance Manager (see recommendation)

Minutes:

Tony Oladejo, the ICT Audit and Compliance Manager, referred members to the report, as circulated with the agenda. It was no longer safe to assume that firewalls and security systems would protect against cyber-attacks all of the time, and as such the key objectives were prevention, detection and recovery. Preventative measures included the ICT Policies Framework, next generation firewalls, micro-segmentation and user awareness training. The detection methods being deployed included improved infrastructure and monitoring, and scan and isolation capabilities would be implemented in early 2017. As it was accepted that at some point the council would be compromised, recovery measures were vital; this meant having a Disaster Recovery Plan in place, and recent testing of the plan had been successful. There were also Business Continuity procedures in place, with plans having been recently improved and training given to relevant officers. The committee were advised that Public Services Network (PSN) compliance for all four partner councils had recently been achieved, though this was an annual assessment and would be repeated in January 2018. New Data Protection requirements would come into force in May 2018 and, whilst many of the requirements would remain the same, the fines were likely to be more significant.

The ICT Audit and Compliance Manager and the Corporate Governance, Risk and Compliance Officer gave the following responses to member questions:

·         The collective (four councils) approach to PSN had been undertaken for the first time this year, with the aim of making the process more efficient. Whilst this had proved challenging, an action plan was now in place and PSN compliance was an ongoing process in any case. All four councils had now received their annual PSN compliance certificates, which were awarded by the Cabinet Office and ran to January 2018.

·         A backup routine was run on a daily basis, which involved taking a snapshot of all data servers and backing it up to a secure location. Staff awareness and training in relation to dealing with suspect emails was ongoing, and guidance notes detailing what to look out for were currently being developed. Information was available on the intranet, which members were able to access via Citrix and/or the iPad, and members were advised that they should not forward emails received in their councillor email account to their personal email addresses.

·         Verified backup procedures were carried out on a daily basis by designated officers, and senior officers undertook reconciliation of that data. A full restoration had been carried out as part of a recent training exercise.

·         Whilst obliged to respond to Freedom of Information requests, the council needed to proceed with caution in relation to any pertaining to IT so as not to compromise security. Exemptions could be applied, but the council would need to evidence the security risks.

·         The council complied with all Cyber Essentials requirements.

·         Network switches were checked daily and any anomalies were investigated.

·         PSN had previously insisted that the council use GCSx accounts, but at the time this requirement was not deemed necessary for councillors. PSN had since announced that the Internet was sufficiently secure and this, along with the changes to email classifications, meant that work was in progress to reduce the number of GCSx accounts. Tewkesbury Borough Council, and therefore OneLegal, had always been outside this council's PSN system.

·         Changes to the classification of emails would soon be implemented and these changes and future requirements would be communicated to all council users (officers and elected members).

·         Cheltenham had a number of policies relating to paper records. Retention registers were reviewed on an annual basis and in the last six years the council had disposed of 8,000 cases from its storage facility, meaning there were now three quarters fewer than before. It was important that members understood that some documents had to be kept for a certain period of time, up to 16 years in some cases.

·         Discussions were ongoing with Gloucestershire County Council about the opportunity to provide dual purpose (County and Borough) technology.

·         Members had to take responsibility for managing personal information and should not therefore be forwarding such information from their councillor inbox to a private email account.

·         Members were able to access the intranet on their iPads, and the iPad was never meant to be used for word processing.

·         All training would be extended to members.

Members suggested that risks should be recorded in respect of possible fines for any breaches and of the loss of PSN accreditation.

Upon a vote it was unanimously

RESOLVED that the report be noted.

Supporting documents: