Agenda item

To consider the outcome of the enquiry undertaken by the Members who formed the Task and Finish Group into this matter.

Report to follow.

Minutes:

The Committee heard that the Cyber Security T&FG (Task and Finish Group) was tasked to:

1)    Challenge and better understand the cyber-security risks, defences, and mitigations the Council has in place.

Following Full Council on 22nd November 2022, the T&FG mandate was extended to additionally:

2)    Review different proposals of Members’ access to emails and the current practice of auto-forwarding to personal email accounts, in line with the Council’s Risk Management Framework, and make recommendations to Cabinet and Council along with relevant costings.

During its first meeting the Cyber Security T&FG agreed to use the Department for Levelling Up, Housing and Communities (DLUHC) Cyber Assessment Framework (CAF) document template as a self-assessment, auditing, and reporting framework to review council cyber-security as referenced above.

It was reported to Members that the DLUHC CAF proved relevant to the review of Members’ access to emails, auto-forwarding of council official business emails to personal devices and council data stored on personal devices as it included a number of National Cyber Security Centre (NCSC) compliance statements covering: data security and understanding, data protection in transit across the UK network, data storage security, mobile device data security, media equipment sanitisation and disposal, secure device configuration.

CAF Explanatory Notes

The DLUHC Cyber Assessment Framework (CAF) provided the pragmatic basis to ‘self-assess’ the Council’s own cyber security performance across the following activities:

1)    Managing Cyber Security (organisational structures, policies, processes, understanding).

2)    Protecting Against Cyber Attack - security measures to protect networks and systems.

3)    Detecting Cyber Security Events - ensuring effective security defences/ event detection.

4)    Minimising the Impact of Cyber Security Incidents - limiting their adverse impact.

The Committee was informed that the self-assessment CAF was a National Cyber Security Centre (NCSC) assessment document that had been a mandatory cyber-security ‘readiness state audit’ document for critical UK national infrastructure providers since 2021. During 2022 the CAF had become mandatory for every central government department and, whilst CAF completion was currently voluntary for local government, DLUHC had repeatedly advised that it would become mandatory during 2023/24.

In this sense the CAF would replace the now defunct Public Services Network (PSN) IT Health Check annual audit/ certification process, which reported local government cyber-security capabilities and fitness to remain securely connected to, and sharing data with, the central government Department for Work and Pensions (DWP). The reader should note that several council statutory service functions were completely reliant upon this connectivity, for example Council Tax and Housing Benefit administration. Loss of, or exclusion from, central government connectivity would quickly stop those services from functioning.

With regard to the outcome, the recommendations outlined below were made by T&FG Members with due regard and consideration to:

§  The Full Council background information report.

§  All Members’ subject-matter comments received and considered on 23rd Jan ’23.

§  A newly published Information Commissioner’s Office Freedom of Information (FOI) guidance note, considered on 23rd Jan ’23.

§  The four costed options provided and their respective financial, cyber-security and Member working-practice implications (satisfactory and unsatisfactory), considered on 23rd Jan ’23.

§  A full copy of the council’s Cyber Assessment Framework (CAF). For simplicity, CAF compliance was reviewed using a ‘traffic light’ scheme: red, amber and green representing non-compliance, improvements required and full compliance respectively.

Members heard that, following the CAF cyber-security compliance self-assessment, the T&FG identified that the council generally had robust cyber-security arrangements and working practices in place to manage, protect and safeguard the data that it held to deliver both statutory and non-statutory services. Its cyber-security event detection arrangements, utilising industry-standard multi-vendor best-of-breed products, were similarly robust and well managed.

However, the cyber-security self-assessment review also identified some areas of CAF non-compliance and some areas where improvements could be made to further strengthen the Council’s cyber-security.

The T&FG recommendations reflect improvements necessary to resolve CAF self-assessment key areas of non-compliance. Key areas considered by the T&FG were:

·         Recruitment and resourcing of key IT vacancies.

·         Risks unresolved for prolonged periods.

·         Information retention, with data (including personal and sensitive data) stored for long periods of time with no clear business need.

·         Generic accounts being used or shared, or default-name accounts.

·         Training and understanding of individuals’ contribution to essential cyber security.

·         Formal adoption of the new Cyber Incident Response Plan (CIRP).

·         Members’ email auto-forwarding to personal/ mobile devices, including: identification and data management; data security in transit; physical and/or technical security protection against unauthorised access; lack of knowledge around which mobile devices hold data; allowing data to be stored on devices not managed by the organisation or to an at least equivalent standard; lack of security on mobile devices; device disposal without data sanitisation; and security builds that conform to the baseline or the latest known-good configuration version.

After a short discussion the Committee RECOMMENDED to CABINET that:

a)     As soon as is possible the Human Resources and Council Tax Committee, with appropriate officers, look at the salaries being offered for the advertised and unfilled senior IT posts, including senior cyber-security technical positions.

b)     By 31/03/23 a Portfolio Holder Cyber Security Working Group be established to periodically review the Council’s cyber security performance against the Cyber Assessment Framework (CAF) and/or emerging mandatory security improvements and requirements.

c)      By 31/07/23 the Council’s Information Retention Policy be reviewed/ revised with due regard to the UK Data Protection Act 2018 principles of data ‘minimisation’, ‘accuracy’ and ‘storage limitation’, and applied throughout the organisation.

d)     By 31/05/23 individual (non-generic) account access technologies be costed for accessing TDC terminals in locations such as leisure centres, where numerous users share a terminal because of a retail-environment operational need.

e)     Commencing no later than May 2023, following the election of the new Administration, Cyber Security and Information Governance training for all Members after every election, and for staff in their inductions, with periodic refresher training for both, be made mandatory.

f)       As soon as possible in consultation with the Council’s Monitoring Officer, to review existing Member guidance and explore Member training opportunities as to what constitutes party political activities in the context of using a TDC email account.

g)     As soon as possible the new Cyber Incident Response Plan (CIRP) included as Appendix F to this report be adopted.

In reviewing the different options for Members’ access to emails, reflecting the Council’s Risk Management Framework, the recommendations to Full Council that the T&FG are submitting to the Resources and Services Overview and Scrutiny Committee, and onwards to Cabinet, are:

h)     That, following the May 2023 local elections and under the new Administration, the Member practice of auto-forwarding of emails be ceased; and

i)       that, subject to the associated funding of £8,000 being identified, the preferred Option 2 (Appendix D refers) - provision of a standard council-managed mobile Smartphone in addition to a council-managed laptop - be provided to those Members who want one to access emails and be contactable when mobile; or

j)       as an alternative to (i) above, should it not prove possible to fund the Smartphone costs centrally, each Member requesting a standard council-managed mobile Smartphone will be asked to fund the cost from allowances (circa two hundred pounds per annum).

Supporting documents: