Agenda item

Minutes of the 21 September, 2017 Meeting

To present the minutes of the previous meeting of the Audit and Governance Committee held on 21 September, 2017.

 

Arising thereon –

 

ICT Business Transformation Manager to report on the approach to dealing with the threat of malicious hacking activities.

Minutes:

The minutes of the previous meeting of the Audit and Governance Committee held on 21 September, 2017 were presented and were confirmed as correct.

 

Arising thereon –

 

The Committee sought clarification of progress or otherwise with deciding to renew the Orchard Housing Information Management System.

The Committee was informed that a decision had been made to extend the existing Orchard system and to work with the supplier to make better use of the Business module.

 

The Committee sought clarification of whether the Corporate Scrutiny Committee had considered the Internal Audit review report of School Transport, which the Audit Committee had referred to its attention.

The Committee was informed that the matter is scheduled to be considered by the Corporate Scrutiny Committee at its meeting to be held on 31 January, 2018.

 

In accordance with the Committee’s request at its meeting held on 21 September, 2017, the ICT Business Transformation Manager reported on the Council’s approach to dealing with the threat from malicious hacking activities and other forms of cyber-crime.

The ICT Business Transformation Manager reported that cyber threats are increasing, as testified to by a number of press reports. This year’s cyber-attacks have reached unprecedented levels and are likely to be exceeded again next year. Attacks can be perpetrated by state actors or by individuals; they can be low level, where the likelihood of success against an organisation such as a local authority is very low, or sophisticated. The Council has to ensure that IT is sufficiently protected against the whole spectrum of attacks. An emerging threat is that posed by ransomware, which is typically delivered by e-mail and associated links. In light of such a threat, user awareness training is critical for all individuals who use the technologies within the Council to ensure they remain vigilant about e-mails, attachments and what they contain or ask for. Phishing attacks, for example, seek to induce individuals to disclose sensitive information, whilst a whaling attack is one that is targeted at senior officers. The Council subscribes to national bodies and organisations to receive alerts and updates in relation to cyber security and is a member and attendee of Cymru Warp, a national community of IT security officers who share and exchange information and experiences. Additionally, all staff are to be provided with training on cyber security and data protection via the e-learning portal. The ICT service is also looking to strengthen capacity to take a proactive approach to ICT security monitoring. Hopefully, the picture presented will help the Committee gain a better appreciation and understanding of the risks the Council faces whilst also being assured that it has in place an array of measures to obstruct potential attacks.

 

The IT Service and Performance Manager reported on the technologies deployed by the Council to deal with the various levels of threats faced by it, the nature of the attacks it has experienced and how it has successfully defended against these attacks to minimise and/or avert ensuing loss and/or disruption.

 

The Committee noted and took assurance from the information provided. The Committee referred back to the previous meeting where the Senior Information Risk Owner had reported that a data breach risk had been identified in connection with the autocomplete function on the Council’s e-mail system. The Committee sought clarification of whether the autocomplete function should, or is to be disabled.

 

The ICT Business Transformation Manager said that autocomplete has its advantages and disadvantages. In mitigation of the function, it can be useful in business terms and whilst it should be left on it requires staff on the e-mail system to regularly update their details in order to validate their credentials.

 

The Chief Executive confirmed that work is being done to enable the Council’s staff to upload their photo card, or alternatively if they do not wish to provide a photo, their business card onto the e-mail system. All the Council’s staff will be required in due course to provide one or the other form of credentials.

 

It was resolved to accept the information and to note that the Committee takes assurance from the Officers’ account of the arrangements in place to protect the Council from the cyber/technological threats it faces.

 

NO FURTHER ACTION WAS PROPOSED

 
