Agenda item

Cyber Security Update

Tony Oladejo, Audit and Compliance Manager / Data Protection Officer – Business Support Services

Minutes:

Tony Oladejo, the Audit and Compliance Manager / Data Protection Officer, introduced the cyber security update as circulated with the agenda. The Executive Director of People & Change was also in attendance as the Client Manager for Publica, and explained that unfortunately nobody from IT had been able to attend.

Tony explained that the team provided a service across 29 sites within the four partner councils, including Ubico, CBH and The Cheltenham Trust, serving more than 1500 users. The strategy remained the same as last year, ‘Prevent, Detect & Recover’, focussing resilience on prevention and detection and mitigating risks associated with cyber security incidents. The report summarised progress on specific cyber security activities from the last 12 months, as well as detailing those planned for 2020; however, for security reasons, it included no specifics, though more details would be available to members on request. A key risk in 2020 would be shadow ICT through the use of unauthorised cloud-based software and, whilst this was actually an Information Security risk rather than a Cyber Security risk, it would be viewed as a cyber incident/breach. The next 12 to 24 months would see a continuation of the ‘Zero Trust’ approach to the security architecture, and this would be achieved by building trust into the user’s identity, their devices and the services they access, rather than the networks they connect to. He reported that the service had successfully achieved the Cyber Essentials Plus Accreditation, which had in turn helped with the PSN assessment and subsequent certificate, and that all staff had completed the Cyber & Data Protection Awareness training. Work in 2020 would include a review of the ICT Policies Framework, mitigation in terms of the ten remaining Windows 2008 servers and a disaster recovery desktop exercise. A successful bid to the LGA Cyber Security Fund would co-finance ‘phishing simulation’ exercises across the partner councils, and a new learning management system would be used to roll out Cyber Awareness training to all staff and monitor compliance.

 

The Audit and Compliance Manager / Data Protection Officer and Executive Director of People & Change gave the following responses to member questions:

 

·         All but ten servers had migrated from Windows 8, leaving only the committee management system, and an extended support contract would mitigate the issues, which represented spend of approximately £600 plus VAT. Similarly, Windows 7 affected devices and, with extended support, these would be upgraded when the move to a new package was made.

·         There were no reported instances of systems reverting to the year 19xx on the rollover from 2019 to 2020.  There was potential for the Y2038 bug to happen in 2038, but at present there were no contracts which extended beyond 5 years and therefore this would be looked at in greater detail, nearer the time.  It was likely that suppliers would be asked about their mitigations. 

·         Cyber security was taken very seriously and awareness training was mandatory for all staff, as well as members and this would form part of the induction for any new members in May 2020.  A meeting of the Members’ ICT Working Group had been convened which would look at member provision as well as training issues.  A private security briefing for members had been held last year and it would be possible to repeat this in 2020.     

·         Only 14 members had transferred to Blackberry Work, but some members had been prevented from making the transfer because their iPads were of an age that they were not able to support it. As mentioned, the Members’ ICT Working Group were scheduled to meet to consider members’ ICT provision going forward.

·         The network was a whole, but it was possible to segment it between the four partner councils should the need arise. 

·         If the Members’ ICT Working Group were to recommend the roll-out of laptops to all members, there would undoubtedly be complex security issues that would need to be explored further.

·         Egress provided a secure means by which to share sensitive information/data, which only very few people used at CBC as alternative encryption tools were used instead.  The message to members was that they should always seek advice from IT should they receive anything by email which they are unsure of. 

·         Officers acknowledged that Citrix could be unreliable, but stressed that this was an outdated resource which was no longer used by any officers and would be phased out upon roll-out of the new members’ ICT solution. If, like officers, members were given laptops, they could be assured of more reliable, almost uninterrupted, access.

·         In view of flexible working, out of hours support would be reviewed, but there were no plans to make this 24/7 support, nor did members expect this.

 

The Executive Director of People & Change reiterated that John Chorlton would have attended if he could have and committed to having him provide more information to members on the issues that had been raised: the plans in terms of Windows 7; confirmation of segregation of the server, to safeguard the other partners if one was affected by an issue; and when the use of Airwatch would cease. The Executive Director of People & Change invited members to email any further cyber security or IT related queries directly to him or the Audit and Compliance Manager / Data Protection Officer.

 

Members were confident that all officers would comply and undertake mandatory cyber security training but were not wholly confident that members across the four partner councils would and acknowledged the risk that this posed.

 

It was unanimously

 

RESOLVED that the report be noted.

 

The Chairman thanked the Executive Director of People & Change and the Audit and Compliance Manager / Data Protection Officer for their attendance. 
