Agenda item

Information Security and Governance Progress - Update


The Committee will receive an Information Security and Governance Progress update presentation from the Executive Director Core Services and the Data Protection Officer.

Minutes:

The Committee received an Information Security and Governance Progress update presentation.


Simon Marshall (ICT Technical Security Lead) commenced the presentation by outlining the current position with regard to the work of the Information Governance and Information Security Teams.  He made particular reference to the following:


- The publication of the first ever Cyber Security Strategy
  - The rationale for its introduction
  - The strategic view ahead, detailing the Team’s policies and procedures and how these would inform the Council’s cyber security posture going forward
  - The links to the Council’s Vision, IT Strategy and Digital First Programme
  - The approval of the Strategy by the Information Governance Board and Cabinet in March 2020
  - The Strategy’s alignment to international best practice and advice from the National Cyber Security Centre
  - It was a document that progress could be measured against. Information was also provided on progress to date and on how the Team monitored delivery of the Strategy
  - Its inclusion as part of a longer-term strategy with annual updates
  - The preparations being made towards the 2021 Strategy, which would incorporate both Information Governance and Information Security into a single strategy as the two teams aligned
- The current position and the plans being prepared with regard to Brexit
  - Formal advice was awaited from the Government; in its absence the Authority was planning for the ‘worst case’ scenario
  - All IT supplier contracts were being reviewed
  - An analysis of exactly where data was stored was being undertaken, so that the Council would know exactly where to target resources
  - An analysis of data flows was being undertaken in order to examine where interactions might be affected
- The changes that had been introduced as a result of the Covid-19 pandemic, particularly in relation to remote working by most staff within the Council
  - Guidance and training had been rolled out to all staff, specifically centring on remote working and on the changes that Covid-19 had brought about
  - User behaviours were being audited, monitored and checked, and additional training had been provided to cover areas that had simply not been required prior to the pandemic
  - It was obvious that things would not return to exactly as they had been before and, therefore, changes to the Strategy were being examined and the service was looking at new ways to secure the Council, thereby turning a potential weakness into an opportunity. This would also include an examination of where resources across the Council could be reduced whilst at the same time improving customer experience
  - Members were informed that the IT department had been shortlisted for two security awards: one for keeping the Council working during the pandemic, recognising the speed at which changes and additional solutions were rolled out, and the second for the strength of the IT policies and the fact that wholesale changes had not been needed for people to carry on working (because the Council had been working to support this for a number of years). The Service would find out if it had been successful on 11th December 2020
- The changes being introduced to secure email and the Council’s secure email tool, Egress
  - The Council had already secured its emails within public sector domains in accordance with Government guidance, and had also adopted Egress as the tool of choice for email to non-public sector addresses
  - Blocks on known phishing scams and known fraudsters had been implemented. The way in which this worked was outlined
  - Unusual email activity was automatically questioned
  - Emails were automatically encrypted based on their content


Rob Winter, in his role as Data Protection Officer, then gave a presentation on Data Protection activity and assurances.  Particular reference was made to the following:


- DPO Assurance reviews included:
  - Cyber Security: there was positive assurance and a number of actions, as referred to previously. The next review would cover the application of the Strategy in more detail
  - Incident Management: there was positive assurance but scope to improve the timeliness of responses from Business Units
  - Awareness Survey: this had been issued to approximately 2,000 employees. Positive messages had come out of it, but there were a few areas for further action which were being followed up
  - Contracts: further work led by Strategic Procurement was required to ensure that all BMBC contracts had the appropriate Data Protection and GDPR clauses. It was reported that all new contracts contained the necessary requirements
- Other DPO activity and assurances included:
  - Brexit, including input to the EU Transition Group
  - Data Protection Impact Assessment reviews and sign-off
  - Liaison with the Information Commissioner’s Office where appropriate
  - Provision of support and advice to the Customer Feedback Information Team and to Services regarding complex complaints and information requests
  - The Customer Feedback Information Team review, for which he provided challenge and support
  - Regular liaison with the Information Governance and Security Team and the Senior Information Risk Officer
- Data Protection Officer assurance was ensured via:
  - Specific assurance reviews
  - Awareness of good Data Protection practice, which was clear across the Authority
  - The strong support from the Information Governance and Security Teams, albeit these were small teams and there could be a risk in the event of long-term staff absences
  - Clear strategies, policies and guidance in place, all of which were regularly reviewed
  - The developing training offer and regular communications to raise Data Protection awareness amongst staff
  - Robust Information Governance Board arrangements
  - The Data Protection Officer and Senior Information Risk Officer liaison


In conclusion he stated that there was positive assurance and a good direction of travel in terms of actions and responses.


In response to a written question, the following response was provided.


The Cyber Security Strategy had been published for the first time earlier this year and, as such, much of the content related to developing policies to progress and improve the Cyber Security function of the Council.  As a result, no specific Key Performance Indicators had been defined at this stage, but the Strategy did include a number of success factors, against which progress could be measured.


RESOLVED that the Information Security and Governance Progress update be noted.
