Agenda item

S Marshall, Governance and Compliance Manager, provided Members with a cyber security update presentation regarding the cyber security strategy.

The key points referenced in the presentation were as follows:

·       The strategy was produced on the basis of NCSC guidance and the LGA Cyber 360 review.

·       The strategy was linked to Council’s visions, IT strategy and transformation programme, and followed best practice from multiple sources including NCSC, DHULC, ISO and NIST.

·       The draft version of the strategy was nearing completion and would be shared with the Committee at the next scheduled information governance/cyber security update.

·       Progress so far included supporting major migration to the Cloud and a focus on using existing tools to give an integrated view.

·       The strategy would refer to risk and asset management, with a particular focus on resilient networks and staff training.

In the ensuing discussion, particular reference was made to the following:

·       The benefits of using Cloud based systems included resilience and less need to invest in physical hardware. The Cloud based system had the advantage of storage at two separate data centres which meant that if any outages occurred there was a copy of the Council’s data stored at another location.

·       The Bring your own Device policy (BYOD) created an internalised compartment in the device which the Council could wipe at any time, with security controls such as encryption and the use of pin numbers.

·       The Council was currently reliant on one network supplier, which was a potential risk. Alternatives would be investigated when migration to the Cloud was complete.

·       The LGA suggested that IT undertake their own risk management processes which then become part of the Council’s overall corporate risk management.

·       Supply chain management was based on international standards, and the Information Management team would manage Cloud suppliers. The service had dedicated contract managers who would flag any issues with supply chains.

·       The service followed UK government and GCHQ advice regarding Huawei, the Council would not purchase Huawei equipment however it could not be guaranteed throughout the supply chain.

·       The team had completed Microsoft Azure training during lockdown and had recruited both graduates and apprenticeship into the team.

RESOLVED that the update be noted.