Agenda item

ICT network issue

Report of the Cabinet Member Corporate Services

Minutes:

Councillor Garnham had brought this as an urgent item to Council because of the urgent nature of the content of the letter from the Cabinet Office dated 19 September 2013 in which it was made clear that Cheltenham Borough Council’s access to the PSN network could be switched off within 24 hours of the date of the Council meeting.

 

The Mayor confirmed to Members that she was of the opinion that the ICT network issue relating to the council’s PSN submission was sufficiently significant to the authority’s operations so as to justify its consideration as an urgent item of business at the meeting. It was agreed that Members could speak more than once in the debate.

 

The Cabinet Member Corporate Services introduced the report and updated Members on the current position regarding PSN compliance. He explained that an extensive note had been separately issued which alerted public sector organisations to resourcing issues in the Cabinet Office. This note referred to 300+ organisations which needed extensive support to achieve compliance and that there was no immediate risk to suspension of PSN where there was genuine appetite and realistic plans to achieve compliance.

 

The Cabinet Member then highlighted the following:

 

  • Access to the PSN allowed emails to be received and transmitted via the Government Connect Secure Extranet (GCSX). It was a requirement of the government that access should only be allowed if users completed an annual compliance assessment.
  • The PSN rules required users to be compliant with a range of standards and criteria; when they are, they can use the GCSX to send and receive emails within an encrypted framework.
  • The authority had been using GCSX as a method to transfer restricted data electronically since April 2009 and completed two previous assessments without issue.
  • ICT Shared Service had been working on the current compliance submission and associated infrastructure work since April of this year with the compliance team for the Cabinet Office. Despite this, the Cabinet Office still issued formal warning letters to remind councils of deadlines.
  • The management of the PSN compliance process and evidential requirements have changed substantially since last year which meant that the council had to provide significantly more evidence that the same ICT infrastructure, which had previously complied, still complied.
  • The goalposts were moving on a continual basis with new guidance being provided on unmanaged end point devices as late as August 2013 which ICT responded to by amending its processes and guidance to remote workers connecting in to the council.
  • He explained that this had therefore been a challenging process and had highlighted some key concerns for both officers and members and that there was a need to ensure that there was earlier engagement with the compliance team to address issues well ahead of the deadlines. He was confident that the new ICT shared service would ensure this happened.
  • The Cabinet Member noted that this had been a particularly challenging year for the ICT team and the more complex and stringent process had been adhered to despite dealing with a significant number of other pressures including the creation of the ICT shared service, a virus, the failure of some key infrastructure and systems due to age and lack of investment. In addition the team had created reciprocal disaster recovery arrangements in the Forest of Dean and had supported some major projects including significant ICT input into the newly opened Art Gallery and Museum as well as commencing the infrastructure upgrade which would deliver a stable Citrix environment, Wi-Fi for councillors and support for the iPad trials. This had been achieved despite losing some key personnel within the team.
  • The Cabinet Member acknowledged that the authority had not kept up to speed in its investment in ICT infrastructure and the service over very many years but reminded members that in February 2013 Council allocated £1.3 million to improve this.

 

The Cabinet Member referred Members to the recommendations in the report and proposed a further recommendation:

 

“That Council notes the significant effort made by the ICT team in dealing with the compliance process and refers to the Scrutiny ICT members working group a request to follow up this issue and make any future recommendations to Cabinet in relation to the future compliance process”.

 

The Mayor invited Members to ask questions on the issue and the following points were raised:

 

  • Comments were made on the amount of technical jargon contained in the report.
  • In response to a question as to what contingency was in place should GCSX be disconnected and what effect this would have on those receiving benefits, the Cabinet Member Corporate Services stated that from the outset a contingency plan had been put in place and this was confirmed by the Director Resources as being with Forest of Dean Council. Following the submission at the end of August a conversation had taken place at senior management level on how the ICT Team would work with the Cabinet Office’s technical compliance team.
  • When asked whether a conversation had taken place with the Leader or the Chief Executive of the Forest of Dean to run CBC systems which were non-compliant, the Director Resources stated that discussions had taken place about using the FoD infrastructure.
  • The Cabinet Member Corporate Services believed that he had a sufficient understanding of the technical detail in the report. Members questioned why the matter was being dealt with in exempt session. The Chief Executive responded that it was not appropriate to discuss any live issues of IT security in open session. It was confirmed by the Cabinet Member Corporate Services that once formal confirmation had been received there was no reason why the debate could not be made public. The Head of Legal Services informed Members that Council could pass a resolution to go into open session but in his view there appeared to be a reasonable basis to continue to debate the issue in closed session at this stage. Having heard this, the Mayor decided to continue in exempt session.
  • A technical explanation was also requested on how routing through the FoD infrastructure could solve the issue and this was addressed by the ICT Manager. When asked whether FoD had gone through the same process with the Cabinet Office the Cabinet Member confirmed that the timing of their submission was ahead of CBC. In response to a question on why CBC had not shared information and understanding with the FoD about this process for common input, the Cabinet Member explained that the FoD submission had been different to CBC’s and since then the goalposts had changed in terms of the detailed information required.
  • A member made reference to the recommendation that the ICT scrutiny working group had made when examining the virus issue regarding the need for a second firewall and the Head of ICT Shared Services addressed this point.
  • A member asked why there was no up to date risk assessment with the report and in response the Corporate Governance Officer explained that 3 risks had been identified and how these had been managed.
  • When asked at what point members would have been made aware of the issue had Cllr Garnham not requested it to come to Council as an urgent item, the Cabinet Member Corporate Services explained that immediately on receipt of the Cabinet Office letter the Chief Executive had arranged for a report to be prepared for Audit Committee.
  • In response to a question as to what mechanism would be in place should standards change again to avoid the recurrence of this situation the Head of ICT Shared Services explained that there was a code of connections and the strategy was to start to prepare six months in advance and with the engagement of external consultants.
  • A member queried why, in the context of the risk assessment, the impact was only scored as a 3 since the risk to the reputation of the council could be severe. In her view the actions proposed did nothing to mitigate against the damage to the council’s reputation. The Corporate Governance Officer confirmed that a risk assessment had been made on the Thursday prior to this meeting and as the final submission had met the standards the risk was assessed as lower. Some members believed that the risk should be reassessed as the very fact that the council could have to transfer operations to the FoD would be a high impact in terms of reputation, customers and benefits payments. The Cabinet Member confirmed that the risk factor accurately reflected the most up to date situation.
  • When asked whether those in receipt of benefits would be unaffected the next day, the Cabinet Member Corporate Services explained that benefits would be paid as normal.
  • A member asked when exactly matters had been brought to the attention of the Cabinet and when they had been discussed. In response the Cabinet Member Corporate Services confirmed that Cabinet had been informed on 19 September at an informal meeting but in advance of which the Leader had been informed via the Chair of Audit Committee.

 

There being no further questions the Mayor moved to the debate.

 

In response to some of the questions that had been raised by members, the Leader of the Council stated that he felt that it was appropriate for the report to be an exempt item and that the debate should not be held in public.  Although he was confident that the systems were now compliant, formal clarification had yet to be received from the Cabinet Office. He was confident that the ICT shared service was doing all that it could to resolve the matter.

 

A member stated their concern that it appeared that no one was taking responsibility for the matter and that others were being blamed for the situation.  They wanted to know how the council had arrived at a situation where services were threatened and wanted to understand what solutions were being proposed. 

 

There was a brief discussion as to whether during debates on exempt items, mobile phones and mobile devices should be switched off, but it was recognised that some members may require them to be switched on for emergency contact or to access their council papers. 

 

Members expressed their concerns that if access to the network had been compromised then it would have been the most vulnerable people in society who would have felt the impacts. There was a suggestion that the Cabinet Office should be questioned as to whether they had fully thought through the consequences of disconnection. It was noted that the Cabinet had raised the issue of the impacts on vulnerable people when the matter had been brought to the meeting of the informal cabinet. The Chief Executive indicated that he would be writing to the Cabinet Office and would raise members’ concerns.

 

Members also raised concern that this was yet another ICT issue and that the service was not robust.  They noted that other councils do not seem to have similar issues with their ICT. 

 

Councillor Garnham, leader of the Conservative group, stated that having read the report and listened to the answers to members’ questions, he believed that his request to ask for the urgent item had been the right one. This was a serious matter and he wanted reassurances from the Cabinet as to what they were doing to address the matter. Given that the council had been advised earlier in the year as to the potential risk of disconnection he wanted to know what the Cabinet had done about the issue and how they had worked with officers to resolve the matter. He questioned whether members would ever have been told about the matter had he not requested the item be brought to council. It was the first time in all of his service as a councillor that he had ever requested an urgent agenda item. He recognised that there had been a lack of investment in the ICT service and infrastructure but in his opinion the blame lay with the administration.

 

In response a member reminded the council that the administration had earmarked £1.3m ICT investment at the last budget, and that the disinvestment in ICT had started in a Conservative administration. He did acknowledge that there were problems with the ICT system, particularly Citrix. He also acknowledged that it was important that the council was prepared to deal with the PSN submission in future years so that a similar situation did not arise. It was inevitable with the growth of cyber crime that the security restrictions would increase and the council needed to be fully prepared. However he felt that the process was restrictive and that the Cabinet Office needed to provide a proportionate response so that the council is not classed as dealing with the same type of secure information which is held by national security agencies.

 

A couple of members indicated that they felt that the debate had been useful but felt that the comments made by the leader of the opposition were unhelpful in securing an appropriate debate and response to this serious matter.

 

The way in which the risk assessment accompanying the report had been scored was a concern for several members who felt that the impact score was insufficient given the reputation risks and the risks that any service interruption would impact on vulnerable individuals. It was also pointed out that ICT currently provides services for other partner organisations and therefore there could also have been an impact on their operations and this was not mentioned in the report. There was a general consensus amongst those members who spoke on the issue of the risk assessment that there may be a requirement to revisit the risk process and ensure that council officers are reminded about the scoring mechanism and have a good understanding about the differences between an impact and a likelihood score. It was recognised that the risk register was an important tool for both the executive and overview and scrutiny committee and members need confidence in the risk management process.

 

Members also commented that the overview and scrutiny committee had set up a task group looking at ICT and they had made a number of recommendations relating to security following the virus earlier in the year.  They would be disappointed if these recommendations had not been taken on board and actioned.  It was also noted that there had been an internal audit report setting out security risks and one member questioned whether the Cabinet Member Corporate Services had been proactive in ensuring that the matter was dealt with appropriately, and whether the cabinet had made sufficient effort to prioritise this work.  They went on to say that it was inappropriate to cast blame at the Cabinet Office.

 

Concern was raised again about the item being taken as an exempt item particularly as the Echo was aware of the matter.  There was a call for when the matter will be made public, given that there was nothing within the debate which warranted such an exemption. The Chief Executive advised members that the Echo had contacted him and therefore he had to respond. 

 

In summing up the Cabinet Member Corporate Services said that he had listened to the debate with interest. He acknowledged that this was a serious matter, which warranted debate. He advised members that as soon as the letter from the Cabinet Office was received a report was prepared for the Audit Committee, and that ICT had worked hard to prepare a resubmission which could demonstrate that the council was compliant. He reminded members that he had offered in the past to brief council on a regular basis about ICT if they so wish, and restated that he was happy to do this to future meetings if so wished by members. He reminded members of the proposed addition to the recommendations:

 

  • That Council notes the significant effort made by the ICT team in dealing with the compliance process and refers to the ICT Scrutiny task group a request to follow up this issue and make any future recommendations to Cabinet in relation to the future compliance process

 

Councillor Garnham proposed an additional amendment:

 

  • That all Councillors be sent a copy of the final confirmation email with regards to compliance along with advice as to when the matter can be made public.

 

This additional recommendation was approved by members.

 

On moving to the vote it was

 

RESOLVED THAT

 

  1. the communication from the Cabinet Office regarding PSN compliance authorisation, the Chief Executive’s response, the actions taken by the authority and the up to date position be noted
  2. the significant effort made by the ICT team be noted and that the matter is referred to the ICT Scrutiny task group for further consideration and for them to make any recommendations to cabinet on compliance issues.
  3. Councillors be sent a copy of the final confirmation email with regards to compliance along with advice as to when the matter can be made public.

 

Voting: For: 27; Against: 1; Abstentions: 1