Agenda item

Quarterly Review of Corporate Risk Management

Report by the Director of Finance and Support Services.

The Committee is asked to review the information detailed in the report and provide comment as necessary.

Minutes:

38.1     The Committee considered a report by the Director of Finance and Support Services (copy appended to the signed minutes).

38.2     The Committee welcomed Mr Laird, Chief Information Officer & Head of IT, who was in attendance to give an update on cyber security.

38.3     Mr Laird began by highlighting that cyber security was rated at 25 on the risk register to reflect risks in the cyber environment.  The County Council used various technologies to undertake its duties, which were subject to various risks such as financial implications, data theft, ransomware attacks, inadvertent access to personal data, etc.  There were also software vulnerabilities, physical thefts and phishing scams.  The County Council's response to these risks required constant vigilance and liaison with Internal Audit to explain necessary mitigations.  It was also necessary to ensure that technology was appropriately invested in, and that policies were in place to ensure compliance.

38.4     The Committee made comments including those that follow.

·           Queried the consideration given to the risk of intentional attacks from staff within the County Council.  – Mr Laird explained that the risk was recognised and that mitigations included separation of duties and the monitoring of access to systems.  Systems were audited to look for trails and behaviours, and this was also assisted by monitoring technology.

·           Sought clarity on the backup arrangements to ensure services to vulnerable residents could continue if an incident affecting the network occurred.  – Mr Laird explained that the move to cloud-based systems added more security to this area.  Mitigations were in place to safeguard the County Council website in the event of an attack.

·           Questioned the impact on supply chains in the event of an attack.  – Mr Laird explained that the criteria for new contracts gave consideration to supply chains during cyber attacks.  Ms Eberhart, Director of Finance and Support Services, confirmed there were appropriate business continuity arrangements in place.

·           Asked what consideration was given to backdoor attacks on software.  – Mr Laird confirmed that there was a specialist IT team trained in this area to look for vulnerabilities.  The County Council also engaged in penetration testing to look into additional vulnerabilities.

·           Noted the recent attack on Chichester District Council’s planning portal and queried if the County Council IT team was aware.  – Mr Laird confirmed that he was aware of the attack, but gave reassurance that the County Council’s systems were set up differently and not subject to the same vulnerability.

·           Queried if the change to home working during the Covid-19 response had led to any challenges for security and if any lessons had been learned.  – Mr Laird confirmed that the platform had been considered carefully ahead of lockdown and was found to be secure.  There had been no significant security challenge during the period.  It was noted that the lack of working in public areas such as trains and cafes would have reduced risks.

38.5     The Committee thanked Mr Laird for his attendance and the thorough explanation of how the risk was recognised.

38.6     Mr Pake, Corporate Risk and Business Planning Manager, introduced the report and explained that there had been no significant changes from the previous meeting.  A new risk for Climate Change was being drafted and would be available for the next committee meeting.

38.7     The Committee made comments including those that follow.

·           Raised concern for CR58, for which the Chairman of the Health and Adult Social Care Scrutiny Committee confirmed that it was high on their scrutiny agenda.  – Ms Eberhart confirmed that the risk was considered carefully as part of the budget and also the Medium Term Financial Strategy (MTFS).  Cost provisions needed to be considered for the future despite the unknown factors.

·           Queried the consideration given to the risk of bus service deregistration and the requirement that the County Council may need to pick up routes that were not viable for private companies.  – Mr Pake confirmed that the risk was being considered within the directorate.

38.8     Resolved – That the Committee notes the information detailed in the report and the current Corporate Risk Register.
