Issue - meetings

Risk Management Deep Dive - Critical Incidents - Information Security

Meeting: 29/09/2021 - Audit and Governance Committee (Item 5)

5 Risk Management Deep Dive - Corporate Risks Update - Critical incidents - Information security

Decision:

RESOLVED: The committee noted the actions that have been taken to mitigate both risks.

Minutes:

At the Chairman’s invitation, Councillor Mike Hallam presented the report, copies of which had been previously circulated. Councillor Hallam was also joined by the Executive Director Corporate Services and Chief Information Officer.

The committee was advised that, should there be any questions which require a more in-depth discussion, the committee may have to move into private session. The recent server fire was discussed, and the committee was informed that lessons had been learnt from this incident. It was noted that the council had been looking at cloud-based services for some time. There had been no proposed change to the risk rating and it was hoped that in 6 months' time there could be a move to a more positive rating.

The Executive Director Corporate Services advised that it was prudent to ensure that emergency planning was in place.

Committee members raised the following questions and comments:

  • Had there been any impact on customers when staff from other areas were called to deal with emergencies?
  • It was noted that some members of the IT team had worked a 36-hour shift; was this not a concern?
  • When staff are called away to help in emergencies, would there be a residual cost to other services?
  • It was queried if any data had been lost during the fire in August.
  • Can member and staff behaviours be monitored in order to improve cyber security?
  • Was the disaster recovery used by the council with regard to the fire in-house or external?
  • Could clarification be given as to whether there was only one backup system in place and if it was stored onsite or offsite?

Councillor Hallam, the Executive Director Corporate Services and the Chief Information Officer made the following comments in response to the questions asked by the committee:

  • It was agreed that there should be better systems in place.
  • Staff were fully trained and the workload was shared between systems and teams.
  • There was an emergency planning arrangement in place.
  • There had been customer feedback; this had been forwarded to communications.
  • The committee was advised that once the system had been re-started there had been checks carried out to ensure that all of the information was accounted for.
  • The committee was informed that 17% of data breaches had been in the public sector and the biggest risk continued to be human error.
  • There were bids being considered with regard to cyber-security options; it was, however, impossible to be completely secure.
  • Councillor Hallam advised that he had been pushing for member learning on this subject.
  • The idea of migrating to the Cloud had been discussed, but it would take time to move all of the relevant data.
  • All of the data had been backed up off-site.

The Chair requested that the committee be presented with another report on this in six months’ time and noted that more education should be given to councillors regarding human risks. Councillor Brown left the meeting at this point.