Agenda item

Cyber Security


Ms S Hydon (Head of ICT Service Management) will make a presentation updating the Committee on Cyber Security issues.


Minutes:

Ms S Hydon (Head of ICT Service Management) and Mr S Marshall (ICT Technical Security Lead) made a presentation updating the Committee on Cyber Security with specific reference to the recent success of the service in achieving Cyber Essentials Plus Certification.


The presentation gave details of the following:


·         The Cyber Essentials Background – it was a cyber security standard operated by the National Cyber Security Centre (NCSC), launched in 2014 and developed in collaboration with industry partners, and it was a key requirement for suppliers to Central Government

·         Cyber Essentials addressed the following via five mandatory controls:

o   Secure configuration – by choosing the best defences available

o   Boundary firewalls and internet gateways

o   Access control and administrative privilege management

o   Patch management – keeping devices and software up to date

o   Malware controls – to protect against viruses and malicious software

·         Cyber Essentials Certification had two levels – Cyber Essentials and Cyber Essentials Plus.  Plus provided a more thorough test of the Council’s systems and workstations.  This had been undertaken during February, 2019 and a copy of the Certificate dated February 7th 2019, which demonstrated that the Authority had been successfully assessed against the Cyber Essentials Scheme Test Specification, was provided.  This indicated that the level of certification was ‘Essentials Plus’ and that the recommended re-assessment date was February 6th 2020

·         The key benefits of Essential Plus were:

o   It supported the NHS DSP toolkit submission – this was an online security protection toolkit that allowed organisations to measure their performance against national security standards; all organisations with access to NHS data had to use it to provide assurance in relation to data security and handling

o   It provided assurance to customers and partners

o   It offered an opportunity to audit the Authority’s internal security – whilst no one could guarantee to prevent a cyber-attack from being successful, such audits showed the mitigations in place to minimise potential attacks that exploited weaknesses in current software and devices

o   It reduced cyber insurance premiums


In the ensuing discussion, the following matters were highlighted:


·         There was a discussion of the DDoS attack on the Authority’s systems on Monday 15th April, 2019.  It was noted that there had been no impact on the IT infrastructure, but the website had been ‘taken down’ as a precaution.  Following appropriate action, the website had been reinstated within three hours

·         Arising out of the above, there was a discussion of the difficulties of preventing DDoS attacks and of the ways in which they could be mitigated.  It was noted that, whilst appropriate controls were being introduced, this should not affect end users

·         The Head of Internal Audit and Corporate Anti-Fraud, in his capacity as Data Protection Officer, commented that the certification contributed towards his assurance that the Council had sufficient and robust systems and procedures in place to protect its IT systems and infrastructure

·         There was a discussion of the robustness of the certification process and of how, and by whom, the whole process was accredited.  Arising out of this, Ms Hydon indicated that the process was overseen by NTA Monitor, the Council’s testing partner and the independent company used for cyber testing/auditing, and by CREST, an international accreditation and certification body, and she briefly touched upon the organisations with whom they worked

·         The certification process would be undertaken again next year but would be ‘updated’ to address new and emerging threats

·         In response to detailed questioning, and within the context of the need to protect residents’ personal information, the Committee was informed of those bodies and agencies who could request to view data held by the Authority.  It was noted that such data releases would not normally be allowed unless they were in the public interest or in the interests of national security.  An assurance was given, however, that all requests would be dealt with in accordance with the previously approved procedures and protocols, and that decisions about the release of data would not be taken lightly.


RESOLVED that Ms Hydon and Mr Marshall be thanked for a most informative presentation.
