Agenda item

Cyber Security Annual Report 2019

To present the report of the Head of Profession (HR) and Transformation.

Minutes:

The Cyber Security Annual Report for 2019 was presented for the Committee’s consideration. The report summarised the cyber threats facing the Council and provided an overview of some of the mitigations the Council has in place to counter these threats.


The IT Service and Performance Management Manager reported that, as with other organisations which hold large volumes of information including sensitive, personal and financial information, cyber security is a significant risk to the Council. Reports of cyber-attacks have become commonplace in the news, with high profile attacks on a weekly or even daily basis. Cyber-attacks vary in their approach and complexity but are consistent in their intent to disrupt, damage or steal. The risk of cyber-attack is recognised by the Council and is recorded as such within the Corporate Risk Register, which is monitored by the Senior Leadership Team.


The Officer referred to the various types of cyber attackers and their motivations and the various forms which cyber-attacks can take and outlined in general terms the mitigations the Council has in place to reduce and manage the risk including the following –


           Malware – malicious programs or code that seek to damage or disable computers, servers, networks and other computing devices. All Council computers and servers run anti-malware software which scans for the signatures of known malicious code and blocks access if a match is found.

           Software vulnerabilities – bugs or loopholes in software code which, if exploited by an attacker, can cause the software to behave in an unexpected and undesirable manner. Where software is current and still supported by the supplier, corrected code packages known as updates or patches are made available to address software bugs and close the potential security loophole. The Council was an early Windows 10 adopter, following which it also moved away from installing application software on each and every computer (a significant burden in terms of managing security updates) to application virtualisation, meaning that for each application there is a master copy which runs on a central server and is accessed by all computers and laptops; there is therefore only one copy to keep up to date and manage. The Council further arranges for third party ethical hackers to carry out vulnerability assessments on the Council’s networks.

           Insider threats – accidental staff actions, malicious staff actions or the actions of contractors. The Council has played a leading role in the procurement of a bilingual, all-Wales E-Learning package on cyber awareness; it operates the Baseline Personnel Security Standard (BPSS) process, which derives from the Cabinet Office, requiring all staff who have access to official sensitive data to produce proof of identity and nationality and to undergo a DBS check. All contractors who either host IT systems or have remote access to Council IT systems are required to sign a Data Processing Agreement; the Council also has various policies in place for the safe use of IT, which all IT connected staff are required to review and accept.

           Phishing – the act of sending an email purporting to be from a legitimate source or organisation in an attempt to obtain financial or other confidential information. The Council has sophisticated filtering technology in place to block such e-mails and requires that all of its IT connected staff undertake Cyber Security Awareness training.

           Other checks – The Public Sector Network (PSN) is a high speed Government network used by the public sector to exchange data in a secure manner. As the PSN effectively allows connection to Cabinet Office and DWP systems, the Council must undergo a rigorous independent assessment on an annual basis. The Council has successfully passed the annual PSN assessment every year since it became a requirement. Through a programme funded by Welsh Government and managed by the WLGA, local authorities have been testing their cyber security and information governance arrangements against best practice. After a rigorous audit process, the Council is one of only seven authorities in Wales to have achieved Cyber Essentials Plus and full IASME accreditation. Additionally, the Council’s Internal Audit Service has reviewed the Council’s cyber security controls and concluded that these are effective in terms of managing the risk, preventing such attacks and reducing their impact on services, systems and information.
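The signature-based scanning described under the Malware item above, as an added illustration that is not part of the report or of these minutes: a file's SHA-256 hash is compared with a list of known-bad hashes and its bytes are searched for known byte patterns, and any match blocks access. The sample files, hashes, patterns and signature names below are constructed for this example and correspond to no real malware. It also shows the caveat a practitioner would raise about signature scanning: a one-byte change to a known file defeats the hash match (the pattern still catches it), while code not yet in the signature list is missed entirely.

```python
"""Signature-based malware scanning, reduced to its two usual checks.

Added example. All files, hashes and patterns are constructed here; none
of them represent real malware or a real product's signature database.
"""
import hashlib
import re
from typing import Dict, List

# Constructed sample files (a fake PE header followed by some content).
_PAD = b"\x00" * 8
_DROPPER = (b"MZ\x90\x00" + _PAD
            + b"cmd.exe /c start /min powershell -nop -w hidden -enc SQBFAFgA")
SAMPLE_FILES: Dict[str, bytes] = {
    "invoice.exe": _DROPPER,                 # exact copy of the known sample
    "invoice_v2.exe": _DROPPER + b"\x00",    # one appended byte: hash changes
    "report.docx": b"PK\x03\x04word/document.xml",  # benign
    # Hypothetical new sample that is in no signature list yet.
    "novel.exe": b"MZ\x90\x00rundll32.exe shell32.dll,Control_RunDLL evil.cpl",
}

# Hash signatures: exact-file matches. Constructed from the sample above.
KNOWN_BAD_SHA256: Dict[str, str] = {
    hashlib.sha256(_DROPPER).hexdigest(): "Demo.Dropper.A",
}

# Byte-pattern signatures: catch trivial variants of the same tooling.
# Hypothetical pattern: a shell one-liner launching encoded PowerShell.
BYTE_PATTERNS: Dict[str, "re.Pattern[bytes]"] = {
    "Demo.Dropper.gen": re.compile(
        rb"cmd\.exe /c .{0,80}?powershell.{0,40}?-enc", re.IGNORECASE | re.DOTALL
    ),
}


def scan_bytes(data: bytes) -> List[str]:
    """Return the names of every signature that matches, hash hits first."""
    hits: List[str] = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        hits.append(KNOWN_BAD_SHA256[digest])
    for name, pattern in BYTE_PATTERNS.items():
        if pattern.search(data):
            hits.append(name)
    return hits


def access_allowed(data: bytes) -> bool:
    """The blocking decision: any signature hit denies access to the file."""
    return not scan_bytes(data)


def scan_all(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Scan every file and report its hits (an empty list means 'clean')."""
    return {name: scan_bytes(data) for name, data in files.items()}


if __name__ == "__main__":
    for name, hits in scan_all(SAMPLE_FILES).items():
        verdict = "BLOCKED" if hits else "allowed"
        print(f"{name:16} {verdict:8} {', '.join(hits)}")
```

Running the block reports invoice.exe blocked on both the hash and the pattern, invoice_v2.exe blocked on the pattern alone, report.docx allowed, and novel.exe allowed even though it is constructed to be malicious, which is why signature scanning is only one layer alongside patching, filtering and staff awareness rather than a complete control on its own.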


The Committee welcomed the report as instructive and in discussing the information, sought further assurance with regard to the following matters –


           That with partnership and collaborative working with other councils and organisations increasing in scope, whether the Council’s internal controls extend to mitigating the cyber security risks potentially arising from partnerships? The IT Service and Performance Management Manager advised that all local authorities have to achieve the Cabinet Office PSN Accreditation – failure to achieve the required Cyber Security standard results in disconnection and effectively excludes a council from collaborative working. Accreditation signals that an organisation is trustworthy and is working to the same standards and policies.

           Whether the Council has an IT induction programme for new employees and how long it takes a new employee to achieve a satisfactory level of IT security awareness? The IT Service and Performance Management Manager confirmed that, through the Managers’ Induction Process, managers are required to make all new starters aware of all the policies held on the Policy Portal (the Council’s policy management system), including the Acceptable Usage and IT Security Policy, and to sign off that this has been done. Policy review and acceptance is supplemented by the mandatory e-learning programme on cyber awareness. However, there is always a risk that an employee new to the organisation may be caught by a scam on the first day of employment; ongoing support and checks in the form of follow-ups to ensure that employees have read and understood the ICT security policies, as well as regular reminders, provide mitigation.

           The degree to which the Council is vulnerable to financial theft and whether there are controls in place to ensure public money is not lost through fraudulent activity or scams? The Committee was advised that there are controls in each service with regard to the segregation of duties, i.e. assigning different people responsibility for authorising transactions etc. The Council is also aware of and alert to a number of scams that seek to give the perpetrator(s) access to the Council’s financial systems and obtain money by deception, e.g. a scammer posing as a Council contractor attempting to change bank account details. Internal Audit routinely shares intelligence on actual or potential frauds, thereby improving staff awareness and enabling services to review and strengthen their controls accordingly.


Having considered the information presented along with the additional clarifications provided by the Officers, the Committee resolved to accept and to note the assurance provided by the 2019 Cyber Security Annual Report.


THERE WERE NO PROPOSALS FOR ADDITIONAL ACTION

Supporting documents: