Cyber Security - presentation by Helen Standen and Ruth Luscombe
Ruth Luscombe, Assistant Director of Digital and Transformation at Stevenage Borough Council (SBC), gave a presentation updating Members on the current state of Cyber Security across the IT partnership between the Council and SBC.
The internal audit which had been carried out in the financial year of 2018/19 had identified a number of risks and associated management actions. Whilst progress had been made, there were still five outstanding areas to address, of which two were high risk areas:
· Unauthorised devices attempting to connect to IT network (high risk);
· Inappropriate firewall configuration and absence of defined firewall management procedures (high risk);
· Inadequate training on information and cyber security (medium risk);
· Absence of approved cyber security incident management procedures (low/ advisory risk);
· Inadequate monitoring of network activity and network performance (low/ advisory risk).
In relation to the first and final of the outstanding areas, the Council had made progress by implementing the Microsoft Intune based Mobile Device Management (MDM) and Mobile Application Management (MAM) solution. This allowed the remote management of devices connected to the network. All new devices were now registered through this software and full implementation was expected by the end of the third quarter of 2020. Another related outstanding action was the implementation of a network access control mechanism to identify, review and report on devices that had physically connected to the IT network. Procurement for this was ongoing and was expected to be completed by the end of the current financial year.
In relation to the second area, a specification for the replacement of firewalls was in preparation, with procurement planned to be completed by the end of October 2020. There was also work being carried out to document changes to the firewalls, which was anticipated to be completed by the third quarter of 2020.
In relation to the third area, and in particular staff training, the Council had implemented- and was currently testing- a meta-compliance product. This would give the Council the ability, amongst other things, to simulate phishing attacks and identify staff that may be particularly susceptible to these. Targeted training could then be arranged. The creation of an Information Governance Team, which would have responsibility for GDPR and cyber security training, was being sought. The scope and associated resourcing levels required approval from the Council and SBC. The target completion date was November 2020.
In the fourth area, the Council’s Cyber Security Incident Management Protocol was partially completed. After a period of preparation, the Council would engage an external vendor to complete the work. This process had been delayed due to the COVID-19 pandemic, but the Council hoped to complete this by the end of the third quarter of 2020.
The Chairman asked for further details regarding network access control and whether budget restrictions were still a constraint on the IT partnership between the Council and SBC.
The Assistant Director of Digital and Transformation said network access control also related to the in-tuning of devices, and that the Council planned to procure this work externally, ... view the full minutes text for item 103