Report by the Chief Operating Officer.
Minutes:
9.1 The Chief Operating Officer introduced the report. He explained that the Strategic Risk Monitoring is included in the Council monitoring report which is presented to Cabinet on quarterly basis. The 2017/18 quarter 4 report was presented to Cabinet on 26 June 2018 and included any items that have been changed or escalated from departmental risk registers. The Chief Operating Officer added that a report will be presented at the September Audit Committee meeting to explain the risk assessment process and a how departments assess and escalate risks.
9.2 The Committee reviewed the items on the strategic risk register in appendix 1 of the report, and discussed the following risks in more detail.
School Places and Changes to the Funding Formula
9.3 Councillor Fox raised the risk to school place delivery posed by the increase in the number of schools that were now Academies, and therefore outside of local authority control. He asked whether it might be worth adding this to the monitoring of risk by the Committee and whether it is in the departmental risk register.
9.4 Councillor Barnes outlined that he was still worried about strategic risk 13 Dedicated Schools Grant (DSG). He asked how many schools would be below the block grant threshold (e.g. a threshold of around 120 pupils) and whether this will lead to school closures. Councillor Barnes added that he would have expected that the budget pressures and risk from the block funding formula (DSG) would have been modelled. He outlined that a number for small rural schools could be under threat of closure, and that East Sussex was not alone in this respect.
9.5 The Chief Operating Officer responded that Risk 13 is departmental risk and would be within remit of People Scrutiny Committee to examine. He added that the Council does a huge amount of modelling for school place provision and the need for capital funding. There is a level of oversight of these issues and they are included in the Reconciling Policy, Performance and Resources (RPPR) financial planning process. This includes the potential changes to the DSG and any further investment that may be required as part of the integrated planning process for school places.
Cyber Attack
9.6 The Committee sought further assurance about the robustness of the arrangements for protecting the Council’s data from the risk of Cyber Attack (Risk 12). Khy Perryman, Information Security and Governance Manager, joined meeting and gave a presentation on the measures ESCC is taking on Cyber Security. The presentation covered the following topics:
· Definition of Cyber Security issues, including the threat from organised crime which is something the Council takes seriously as local government is one of the top targets for organised crime due to the amount of personal information that is held.
· A description of targets which includes individuals in managerial and professional occupations due to their likely access to systems and data.
· Third party security, including data breaches (e.g. where other organisations are hacked in order to obtain people’s personal information). There is increased activity in this area and the introduction of GDPR has had an impact on increases in security. The Council is currently getting around one notification per week of a third party breach of data security.
· Computer network security and resilience. ESCC has good controls in place for its internal network and equipment. It has also built resilience into the network and internet access. Current activity in this area includes Bit Coin miners trying to install malware to get other computing resources to mine Bit Coin and is a risk arising from the use of personal applications.
· Supply chain security – ensuring the Council’s suppliers have appropriate Cyber Security in place.
· Accidental disclosures – investigate all incidents and provide training.
· Email and web site security – ESCC is working to ensure as many emails as possible are sent/received securely as these pose a major risk. Web sites accessed via search engines are secure and flag when a site does not use encryption.
· Threat Sharing – ESCC works with partner organisations to share information on threats.
· ESCC Employs dedicated and trained information security staff, as well as providing Cyber Security awareness training to all staff.
· The Essential Components of the Cyber Security programme are:
o Governance, compliance and organisation arrangements
o Data protection
o Security risk management
o Identity and access management
o Incident resolution
o 3rd party vendor management
o Host and endpoint protection
o Application, database and mobile protection
o Network, cloud and data centre
o Security awareness training
o Technology enabled support.
9.7 The Lead Member for Resources asked how often ESCC’s systems were subject to Cyber Attack per day. The Information Security and Governance Manager responded that if port scanning probes are included, then ESCC’s Cyber Security systems are tested every minute.
9.8 The Information Security and Governance Manager summarised by outlining that security is ongoing process as attacks and threats are constantly evolving. The Council cannot eliminate all risk, but is actively working to make sure the Council’s information and IT systems are as secure as possible. The Council takes an intelligence driven, risk based approach to Cyber Security. The Council is providing training for to all staff, especially around opening unrecognised emails, as everyone is responsible for Cyber Security.
9.9 The Committee RESOLVED to note the current strategic risks and the risk controls / responses being proposed and implemented by Chief Officers.
Supporting documents: