This item will include a presentation on the risks associated with information security and data breaches.
Minutes:
The Committee considered a report of the Director of Corporate Resources, the purpose of which was to provide an overview of key risk areas and the measures being taken to address them. A copy of the report, marked ‘Agenda Item 10’, is filed with these minutes.
The Committee also received a presentation on the risks associated with information security and data breaches as per risks 3.1 and 3.2 on the Corporate Risk Register. The presentation was in addition to a visit by Members to the Data Centre at County Hall which had taken place before the meeting. A copy of the slides forming the presentation is filed with these minutes.
Presentation
Arising from the presentation the following points were noted:
(i) The County Council’s IT system could experience an outage due to events such as fire or flood, a technical failure or a cyber-attack. The level of risk for this was calculated by multiplying the score given for the likelihood of the event happening by the score given for the severity of the impact. This calculation gave this particular risk a score of 15, which brought it within the remit of the Corporate Risk Register.
(ii) A disaster recovery procedure was in place and tests of this procedure had been conducted. The system could be restored to a particular date and time before any corruption had taken place. Under the Council’s insurance policy, support would be provided on how to deal with the effects of a breach, including how to manage the media.
(iii) Officers were prepared for all types of cyber-attacks on the County Council, including phishing, denial of service, long-term hacking and ransomware. The Centre for Cyber Security had just opened and its role was to provide information and advice. Officers at the County Council were subscribed to an email distribution list through which updates on cyber security matters were sent out.
(iv) During the visit to the Data Centre, officers had confirmed that there were no arrangements in place for vetting Data Centre staff to make sure that they were not vulnerable to coercion from outside persons. Members asked for this issue to be addressed.
(v) A neighbouring Council had been subjected to a ransomware attack which led to a breach of cyber security. The problem had been exacerbated by a delay in the officer concerned reporting the incident, and it was highlighted that such incidents needed to be reported as soon as possible.
(vi) Were there to be a breach of Information Security, the Council could be fined by the Information Commissioner’s Office (ICO). The Council was due to be audited by the ICO in the autumn of 2017.
(vii) To prevent a breach of Information Security, measures were in place comprising both technical features, such as software which analysed traffic and spotted irregularities, and behavioural guidance. Council staff were required to complete an e-learning course on Information Security.
Risk Register
(viii) In response to a question from a Member, the County Council’s auditors confirmed that they were aware of the Fairer Funding booklet and had worked closely with the Director of Corporate Resources on it.
RESOLVED:
a) That the current status of the strategic risks facing the County Council and the updated Corporate Risk Register be approved;
b) That the updates on the following areas be noted:
(i) content of the revised Risk Management Policy and Strategy;
(ii) results of the 2016/17 Fraud Risk Assessment;
(iii) organised crime;
(iv) counter fraud policy updates.
c) That officers be requested to provide a presentation on the risks associated with the costs of Special Educational Needs placements at the next meeting.