Shropshire Council website


Agenda item

B. First line assurance: Audit Report Management Response - Information Security Management and IT Acceptable Usage Policy

Minutes:

The Committee received the report of the Assistant Director Legal and Governance – copy attached to the signed Minutes – which outlined the Council’s current position and progress made in responding to the Audits for Information Security Management and the IT Acceptable Usage Policy.

The Assistant Director Legal and Governance drew attention to the table at Appendix A, which provided an update on management responses to the two audits. He explained that the service was in a transitional stage whilst a Head of Governance was sought (who would have overall responsibility for information governance, including information security); however, he felt that the interim arrangements were working reasonably effectively. He informed the Committee that a review was currently being undertaken of all the policies that relate to data protection, which would sit under an Information Governance Framework.

Concern was raised at the number of actions overdue, and members queried whether sufficient progress was being made. In response to a query around recommendation 8 of the Information Security Management Action Plan set out in Appendix A of the report, the Head of Automation and Technology confirmed that Incident Management was taking place and incidents were being recorded, so this action was about ensuring the recording of incidents was as smooth as possible and that there was a centralized area for recording any such incidents. Referring to recommendations 5 and 6, reassurance was requested that these matters were being speedily dealt with. In response, the Interim Data Protection Officer explained that a big part of the delay had been due to a change of officer and a gap in post of two months when the previous Data Protection Officer left, so a bit of time had been lost. However, she was now picking up with ICT security colleagues how the data loss prevention software that was available could be used to identify incidents, react to them quickly and spot patterns of behaviour that might lead to them, so that they could be stopped from happening.

In relation to recommendation 5 of the IT Acceptable Use Policy Action Plan, concern was raised that this had been marked as significant, and members queried whether this was something they should be concerned about. In response, the Head of Automation and Technology confirmed that a system for identifying and recording security events had been identified (Security Information and Event Management – SIEM), so this was now being managed effectively; however, the risk lay in whether they would continue with that service following the trial coming to an end, so some investment would be required. The Executive Director of Resources (Section 151 Officer) reminded the Committee that they had seen a few papers earlier in the year when there had been security breaches, and that the Committee had expressed concern around incidents happening at the weekend not being picked up until the Monday. As a result, there was now a trial in place for 24/7 monitoring; however, a business case for a long-term solution was awaited, which was why this recommendation was still outstanding.

A brief discussion ensued around the number of people who had not yet completed their cyber security training and whether there should be any sanction for not doing so. The Executive Director of Resources (Section 151 Officer) confirmed that the numbers were very low, especially amongst staff members, but were higher for elected members. He explained that there was a requirement for the Council to be at 90%+, so that was the target, but that the figure was in excess of that and actually above 95%; however, he was not sure how many employees this equated to.

RESOLVED:

Members of the committee accepted the progress made on the implementation of the recommendations from the two Audit Committee reports on Information Security Management and the Acceptable Usage Policy, having noted a number of concerns.