Agenda item

Cyber Security and Information Governance update

Report by the Chief Information Officer to provide further information on the Council’s arrangements to protect the Council from cyber-attack.

Minutes:

21.1     The Chief Operating Officer introduced the Head of IT & Digital Strategy & Engagement and the IT & Digital Information Governance & Continuity Manager who are the ESCC leads on cyber security and information governance. The Head of IT & Digital Strategy & Engagement explained that ESCC has an Information Strategy in place which deals with data breaches and a Security & Identity Management Strategy which deals with Cyber-security. The Council employs a number of information security qualified staff, who specialise in protecting the Council’s information systems.


21.2     The Committee received a presentation on the risks and measures being taken to protect the Council from cyber-attack and keep information secure. The key points of the presentation are summarised below.


·        Cyber security and information security are interchangeable and there are a range of risks from malware, compliance, and physical data losses.

·        Cyber security breaches arise from deliberate threats, accidental losses and lack of awareness.

·        The public sector, along with the manufacturing sector, has been targeted by ransomware, and cybercrime has been growing in the UK.

·        ESCC may be attacked for financial gain; by politically motivated attackers; and by script kiddies (a term for low-skilled attackers who rely on ready-made toolsets).

·        Globally cybercrime is going up so ESCC is having to spend more on this issue.

·        Attacks are targeting people as well as servers, and the use of ransomware is increasing.

·        Email is an important attack vector, carrying risks such as phishing and links that, when clicked, infect systems with malware.


What is being done to protect ESCC


21.3     ESCC has strategies in place to protect IT systems and information. The arrangements for Information Governance are audited regularly. The Council undertakes risk management assessments which are audited internally and externally. The design of the network is regularly reviewed, patched and penetration tested.


21.4     The Committee asked how the Council provides assurance to residents that their information is safe in the event of an attack, and that the Council will not ask them to re-provide their information (to protect them from phishing attacks). The IT & Digital Information Governance & Continuity Manager responded that the Council uses social media to provide information to residents. The Council is using software to help people check that an email was really sent by ESCC.


21.5     The Committee were assured that there are robust and tested backup, disaster recovery and business continuity plans in place to protect services and restore them should that become necessary. The IT & Digital Information Governance & Continuity Manager confirmed that the Council keeps all security arrangements under regular review, and examines the use of new technology to protect IT systems and to keep them secure.


21.6     The Committee RESOLVED to:


1) Note the strategies and controls in place to maintain the security and integrity of the corporate infrastructure, together with plans to adapt it to continuously meet future needs; and

2) Agree they were satisfied with the measures that are in place to protect the Council and that further assurance was not required on this strategic risk.

Supporting documents: