Report of the Director of Corporate Services
The Information Governance Manager (IGM) introduced the report, explaining that it was designed to give Members reassurance that the Council is complying with the relevant legislation and to provide assurance for the annual governance statement. The Council is currently reviewing the Information Governance Framework and policies. The policies were cross-referenced against ISO standards for information security.
The IGM described how Freedom of Information and Data Protection performance were monitored, the standards, and the Council’s achievement against those standards. The County Council was currently achieving 86 per cent of FOI requests answered within 20 days, but many FOIs were responded to within 5 days and this would raise the percentage to approximately 95 per cent. The benchmark set by the Information Commissioner for an acceptable service is 85 per cent. The IGM stated that the volume of requests gave no indication of the amount of time spent answering each request. Some requests are complex, and they remained a challenge to manage in some areas as staffing was reduced while request volumes increased and became more complex.
With reference to Data Protection, requests were mostly dealt with through the Information Governance Unit (IGU), except for Families First, who deal with their own requests, as detailed knowledge of individual cases was required. Compliance with the statutory timescale was low in the children’s area and a post to address this had recently been advertised. The IG team also provide advice to external organisations, which brought income into the Authority.
The IGM explained that work was underway to review the current Information Asset Register (IAR) to provide a more devolved, user friendly and dynamic approach. This will put more ownership back to the service areas. Training material will be reviewed and refreshed ready for the launch in late 2019.
Information Security and Cyber continued to prove a challenge to the Council. IGU were working proactively to protect County Council data, details of which were given in the report. There had been a spike in the number of messages blocked by Distributed Denial of Service (DDoS) attacks in January 2019. Members asked if they could have further details of the geography and type of attack. In this instance, the spike occurred before the accreditation was achieved.
There had been an increase in malware and it was hoped that staff training and awareness would make staff more cautious when they receive emails that may contain malicious links. Staff were being trained across service areas to manage malware. The increase in the number of reported security incidents could be linked to staff becoming more aware. Work was taking place with Staffordshire Police, who were asking for volunteers to be cyber champions. Staff were being trained across the service areas to act as Cyber Champions.
A graph in the report showed that there had been an increase in inbound phishing reports and the number and types of security incidents reported. Ways of using Office 365 to reduce the number of incorrect enclosures were being explored.
Participation in a recent multi-agency Cyber Security Incident had been very successful and a recent exercise in ICT had resulted in breaches being picked up in one hour. It was hoped that Cyber Champions would be confident enough to spread awareness training within the organisation.
The Council had recently been granted Public Services Network accreditation. In 2019 the Council had achieved Tier 1 Cyber Essentials. It was the first time the County Council had been accredited to this level.
It had been recognised through work with Audit that ‘spot check’ audits by IGU were beneficial regarding areas such as contract information security compliance.
All new starters were expected to complete the mandatory e-learning modules as part of the induction process. The Information Governance Team have been collaborating with other local authorities and a company called CC2i to develop short videos on cyber awareness and data protection. Training was being rolled out and four modules (videos) were being developed specifically for Councillors.
With reference to e-learning, Members asked if the Council was collaborating with local borough/district councils adding that there was a great deal of information for elected Members, and, in particular, newly elected Members, to absorb and there was a danger of ‘digital overload’. They added that not all Members were computer literate. The IGM responded that the short videos mentioned would be engaging and suitable for all Members and would be supported by the offer of 1-1 training by the IGU and the provision of equipment if necessary. IGU were always looking at new ways of delivering this training.
Members asked where the messages blocked by DDoS were originating from and asked if there was any planned stress testing assistance. The IGM responded that a penetration test is undertaken by an external company every year (usually in the summer, when the Council was under less pressure) and the results could be shared with Members. Members stated that they would like to see a more frequent stress test, and a stress test both when the Council was under pressure and when it was not, to reflect the fact that cyber technology is constantly changing.
Members asked if there was any correlation between the Council achieving Tier 1 Cyber Essentials and the increase in DDoS attacks in January, i.e. that attackers were more inclined to target organisations with tighter security. The IGM stated that, regarding cyber-attacks, there was some kudos, rather than financial gain, amongst hackers for attacking Councils with tighter security.
RESOLVED:
a) That the IGM provide further detail on the reason(s) for the spike in inbound phishing reports in January 2019.
b) That the results of the stress test would be shared with Members.