Decision status: Recommendations Approved
Is Key decision?: No
Is subject to call in?: No
The Committee considered the Internal Audit Cyber Security, Malware and Ransomware Report by the DAP (circulated previously).
Internal Audit advised that the Team from One West had delivered the report in partnership with the DAP. He had not been surprised by the opinion of ‘Limited Assurance’, as the area was one of high risk.
The representative from One West (TR) advised that:
· The focus of the work had been Malware and Ransomware, and was based on the National Cyber Security Centre’s (NCSC) 10-Step guidance.
· The risks assessed were:
  o Disruption of network operation or information systems.
  o Information and data being intercepted and disclosed or stolen.
  o Malware damage to backup copies of data preventing recovery.
· Credit should be given to the Business Information Systems Manager and Senior ICT and Project Support Officer for their continued hard work.
In response to a question from the Chair, the Internal Auditor (TR) advised that although multi-factor authentication (MFA) had been recommended, it was not agreed upon, as Microsoft 365 included an MFA element and the Authority was not able to use AAD authentication for on-premises login.
In response to questions from the Committee, the Business Information Systems Manager advised that it was possible to forward emails; however, personal phones would be classed as unmanaged devices. Options had been considered, such as purchasing an iPhone for all Members, but there would be associated costs in the region of £7k. After consultation with Members, iPads had been chosen for them for Council business. This included authentication, security measures and procedures. Council emails and agendas would continue to be accessed via the iPads. Councillor Bushell escalated this query to the Internal Auditors.
The Internal Auditor (DC) confirmed that the use of unmanaged devices on a network could be a risk to security.
In response to questions from the Committee, the Chief Executive advised that any future changes to the current system (using iPads) could have cost implications.
The Head of Resources advised the Committee that there was no requirement to provide an IT Trainer post at the Authority as this was more efficiently covered through the use of online training as and when required.
The Business Information Systems Manager advised that the new payroll / HR system would enable targeted training and education sessions to be delivered direct to the users.
RESOLVED that the Internal Audit Cyber-Security, Malware and Ransomware report be noted.
Publication date: 12/07/2021
Date of decision: 08/06/2021
Decided at meeting: 08/06/2021 - Governance Committee