Agenda item

Information Governance Performance - Quarter 1 2017/18

 

The Executive Director Communities and Head of IT (Service Management) will submit a joint report advising the Committee of the position in relation to the number of information security breaches and cyber incidents which have been reported and investigated during Quarter 1 for the financial year 2017/18.

 

Minutes:

The Executive Director Communities and Head of IT (Service Management) submitted a joint report providing details of the Council’s position in relation to the number of information security breaches and cyber incidents that had been reported and investigated during Quarter 1 of the 2017/18 financial year.

 

The report, which was the second submitted in accordance with the recently revised Audit Committee Terms of Reference and Work Programme, was presented by Mr D Robinson (Service Director IT).

 

In summary:

 

·         in relation to Information Security Incidents

o   there had been 52 throughout the quarter, of which 46 had required further investigation and 6 had required third-party involvement.  Following initial investigation, 6 had been found to be unsubstantiated and 14 were undergoing further investigation

o   there had been a spike in the number of reported incidents during the last 2 years which could partly be attributed to increased awareness following the introduction of appropriate mandatory training and regular staff communication

o   details of the actual incidents and weaknesses subject to internal investigation were detailed by Directorate, Business Unit and type

o   the highest number of incidents fell within the ‘disclosed in error’ category and largely related to emails sent to the wrong recipient/contact group

o   two incidents had been reported and investigated by the Information Commissioner but no action was to be taken against the council.  The number of reported incidents to date had prompted an ICO consensual audit which would take place between the 17th – 19th October, 2017 which would focus on Records Management, Training and Awareness and Freedom of Information requests and any recommendations for action would be received in January 2018

·         in relation to Cyber incidents

o   information was provided for the first quarter with comparisons to quarters 2 – 4 of 2016/17

o   there had been an increase in the number of phishing emails received.  This had followed increased education across the Council and an increased threat globally

o   the service was actively involved in raising awareness of cyber incidents by means of a variety of initiatives.  The Security Team had recently run phishing campaigns aimed at IT Services and Elected Members, an initiative suggested during a National Cyber Security Conference and intended to increase learning across organisations

 

In response to questioning, the following matters were raised:

 

·         the recent phishing campaign had largely been successful and a number of Councillors had identified the suspicious email that had been sent out

·         it was suggested that nothing should be included within an email that the author wouldn’t want to divulge in the event of an FOI request

·         the Authority was investing heavily in measures to prevent phishing emails being received by staff and elected members.  It was noted that approximately 80% of all emails were currently blocked before reaching the intended recipient.  It was also noted that those sending out such emails were adopting more sophisticated methods of trying to access the council's systems and that everyone had to be increasingly vigilant to the threat of attack

·         it was suggested that any recommendations for action should include measurable targets

·         it was noted that a recent report to Cabinet had approved mandatory training for all Elected Members.  Arising out of this, it was noted that, in response to poor attendance at training events, mandatory training was to be provided for managers

·         the Head of Internal Audit felt that, given the increasing sophistication of cyber-attacks, it was only a matter of time until there was some kind of Information Security breach; what was important, therefore, was to ensure a rapid, thorough and appropriate response to such incidents

·         in response to detailed questioning, the Service Director IT reported that the majority of the Council’s IT systems were connected to the Internet and that it was impossible to segregate the Email infrastructure from the rest of the IT system

·         in relation to paperless meetings in particular, it was noted that confidential papers would only be sent via encrypted email.  In addition, no-one could access confidential information via the Council's systems without a device provided by the Authority.  It was important, however, to ensure that any systems in place did not discourage people from using them

 

RESOLVED that the report be received and Mr D Robinson be thanked for attending the meeting and for answering Members' questions.

 

 
