Agenda item
Information Security Policy
Report of the Cabinet Member Corporate Services – an opportunity for O&S to comment on the report before it goes to Cabinet on 17 March 2015.
Minutes:
Councillor Walklett, the Cabinet Member Corporate Services, explained that it was a requirement of the council’s connection to the Public Services Network that there be an Information Security Policy in place. Since the formation of the shared service with Forest of Dean District Council, work had been ongoing to develop a Joint Information Security Policy, and this had recently been adopted by the FoDDC. The policy would be tabled for adoption at Cabinet on the 17 March and this was an opportunity for O&S to make comments as necessary. The risk of not adopting the policy was that this would represent a failure to comply with the Data Protection legislation, which would, in turn, put the PSN at risk.
The Cabinet Member Corporate Services, along with Bryan Parsons, the Corporate Governance, Risk and Compliance Officer and Rachel McKinnon, the Business Relationships Manager, gave the following responses to member questions:
• The impact of the risks outlined in the risk register of the report was assessed against the scorecard, which took account of a number of factors, and whilst this was subjective, he reassured members that 3 was an appropriate score. A detailed risk assessment was undertaken as part of the PSN process, which resulted in 200 plus pages, and a large amount of mitigation had resulted in a lower score. He was happy to meet with members to explain the rationale, as he had when this was originally discussed with the ICT Working Group some two years ago.
• ICT were not involved with physical security of the CBC buildings beyond the issue and management of the swipe access control cards. Staff were regularly reminded that they should prevent tailgating and challenge anyone not displaying their ID/access card.
• Staff that were not based here and/or worked for other organisations (Ubico, Trust, etc) but who were here on a regular basis (1-2 times a week at least) would be issued with an access card. Those that accessed the building less than this would be issued with a visitor access card or escorted around the building by a member of staff.
• The Police had raised their risk level to severe and there were ongoing security discussions about what could be done to help protect them. At the moment 22 police officers had been issued with access cards and these were cancelled and reissued as necessary.
• The ICT Shared Services is the lead organisation responsible for the production of and compliance with the policy, which applies to all ICT users on the network. Any employee non-compliance would be reported to the Joint Security Working Group and HR, or to the Standards Committee if this resulted in a breach by Members.
• Each partner organisation was responsible for ensuring compliance with the policy and in particular the appendix that related to their own local arrangements; PSN access would be withdrawn if they were not compliant. The use of ICT partners had actually reduced the risk to this council because additional skills and resources were available.
One member felt that there was a risk that the implementation of onerous security measures could result in people finding ways of working around them and as such, any security measures should not be too arduous.
The chairman thanked the Cabinet Member and Officers for their attendance.
Upon a vote it was unanimously
RESOLVED that the Information Security Policy be recommended to Cabinet for approval and adoption by all CBC ICT users.
Supporting documents:
- 2015_03_02_O&S_Information_Security_Policy_Report, item 10. PDF 80 KB
- 2015_03_02_O&S_Information_Security_Policy_Appendix, item 10. PDF 220 KB