AUDIT COMMITTEE 10 DECEMBER 2014

Transcription

1 AUDIT COMMITTEE 10 DECEMBER 2014 AGENDA ITEM 8 Subject Report by MANAGEMENT OF INFORMATION RISKS DIRECTOR OF CORPORATE SERVICES Enquiries contact: Tony Preston, Ext 6541, tony.preston@chelmsford.gov.uk Purpose This report provides an overview of the Council s approach to managing the risk of its information assets. Recommendation(s) 1. That the report be noted Corporate Implications Legal: Financial: Personnel: Risk Management: Equalities and Diversity: Health and Safety: IT: Other: Consultees ( Risk reported to Strategic Risk Board) (Report is on work of IT team) 1

2 Policies and Strategies The report takes into account the following policies and strategies of the Council: Governance Policy; Corporate Security Policy; Security Policies Remote Working, Removable Media, Software Asset Management, Payment Card Security, Incident Management, Conditions of Acceptable Use, 3 rd Party Remote Access Request. Corporate Plan Priorities The report relates to the following priorities in the Corporate Plan [tick the relevant box] Attracting investment and delivering infrastructure Facilitating suitable housing for local needs Providing high quality public spaces Promoting a more sustainable environment Promoting healthier and more active lives Enhancing participation in cultural activities 1. Introduction The Data and Team within ICT acts as the focal point for the Council s information assurance and legislative compliance activities, for example: - handling FOI requests, investigating data breaches, and managing PSN compliance. 2. The Governance Structure Underpinning the Council s approach to information risk is the umbrella document Governance Policy which highlights Chelmsford City Council s approach to Governance, focusing on policies, roles and responsibilities. This is published on a dedicated intranet section detailing the role of IAOs, IMG and Governance roles, plus relevant policies and helpful guidance documents. The key roles involved in the management of information include the Senior Risk Owner (SIRO - Louise Goodwin), Manager and the Asset Owners (IAOs) who have responsibility for managing information within services. All IAOs sign an annual declaration showing their commitment to fulfilling their responsibilities. These key roles form the backbone of the Management Group (IMG) which meets on a quarterly basis. The meeting is used to consult on policies, to discuss issues, develop solutions and set and drive the information strategy. Appendix A analyses our current activity and future actions against 8 recommended governance actions. 2

3 3. Development of an Register IAOs were pivotal in the formation of an Asset Register (IAR) which identifies all the key information assets within their service areas. An information asset is a collection of information managed, of value to the business and the IAR provides information about assets to help focus on protecting and potentially exploiting that information. The IMG has also developed a number of other key areas, and earlier this year identified and prioritised risks relevant to their services to enable the creation of an Risk Register (please see below). This has since been used to steer the direction of focus of the Group. The top risks identified were the security of data in transfer, poor data management, lack of training and awareness and human error (see Appendix A). The IMG has then focused upon what the Council can do to mitigate against these risks. Clearly the risks highlight that collectively the greatest information risk to the organisation is people and culture, and therefore, IAOs have identified that awareness and education is a high priority. 6 Very High 5 High 4 Significant 7 Likelihood 3 Low 2, 3, 6, 8, 9, 10 2 Very Low 1, Almost impossible 1 Negligible Impact 2 Marginal 11 3 Critical 4 Catastrophic 1 Identifying customers 7 Papers on desks 2 3rd party security 8 Lack of policy 3 User/ manual error 9 Retention 4 Member access 10 Security 5 Insider threat 11 Sending of data 6 File management The above IRR is summarised in the Strategic Risk Register with an evaluation of Low Likelihood and Marginal Impact and includes the controls in place (see Appendix B). 3

4 4. Training and Awareness To help to drive culture change and raise awareness, a massive focus has been on training and development. For example, in 2012, all staff completed an elearning module in key information legislations. At the end of 2013, a successful training day was held in the Council Chamber with expertise from the Cabinet Office and The National Archives to focus IAOs and nominated officers within services to expand their understanding and awareness of information governance. In September, the National Archives also provided the services of an information specialist to come in and engage the organisation on the key principles of information assurance in Management Team Assurance breakfast session with what was the extended Management Team consisting of Directors and senior managers. But more significantly, following on from a recommendation from the IMG, in September 2014 the Council held its first Awareness Week. This event was designed to raise awareness of information risks and security for all staff, and to show how the Council can get more value out of information by managing it appropriately. The week was designed to be as engaging and dynamic to ensure not just attendance, but also, to change the behaviours of staff. The week contained interactive themes to teach staff the fundamentals of information assurance, and in a way that would last long in their minds. To help embed this, each activity looked at the learning from a personal and a professional angle, showing that skills are transferrable and do not stop when you walk out the office at the end of the day, and also, that we can learn from how we protect information in our personal lives. The week had a real impact with around 150 individuals attending events, and a 98% satisfaction rate of the week as a whole. Underpinning this, all staff members are placed into categories referred to as gold, silver or bronze based on their role with data as part of the framework for staff training in Assurance. These categories define the level of training required by staff and allow them to structure their learning and ensure that it is relevant to the level of information responsibility that they have and links into the Council s Awareness Programme. Already, over 500 staff have achieved their status by undertaking the required level of training. The evaluation for risk 7 above was affirmed following a review of the clear desks at the end of the Awareness Week 4

5 5. Breaches As the risks allude to, human error can happen, and human error has been the cause for the vast majority of breached information. To ensure that any incidents are managed effectively, the Council has an Breach Procedure which has been developed over time from feedback from IAOs and learning from breaches, and is based on the Commissioner s own breach reporting procedure. The level of information breaches has increased over time, however this is not a negative sign. With an increase in staff awareness and drive for the organisation to be more open, staff are more willing to report incidents when they happen. This is a good situation to be in as increased awareness can identify and address issues such as training; policies and procedures - prior to this issues may have gone unnoticed resulting in systemic issues not being addressed. The Council emphasises the importance of investigating why these are happening and each individual breach is investigated thoroughly and improvement recommendations set and managed within Covalent. Incidents are scored from Low through to Critical against the Incident scoring matrix, which is engrained in the Risk Management process for information and ICT risks. Any issues with High or Critical breaches are then reported to the Strategic Risk Board. Statistics on information breaches There have been 36 breaches from 1 st October 2012 to the present day. The majority of these breaches have been as a result of accidental human error. Just over 80% of these breaches involved less than 5 records being breached, and 50% involved just one record. During this period the Council has reported three breaches to the Commissioner, who regulates information legislations. On each occasion, the Council was told the breach was not deemed serious enough and no further action was taken the Council has have used this learning to build into the Incident scoring matrix. 5

6 6. Technology The Council has again passed the standards to become Public Services Network (PSN) and Payment Card Industry (PCI) compliant. It is important that the Council meets these standards as without them the Council would not be able to administer services to vulnerable citizens such as Benefits (PSN) nor process card payments (PCI). In the last two years we have seen some significant changes in the way that Spam and malware are sent to Council staff, this has made the task of filtering very difficult. In 2013 ICT introduced a new filter, icritical this had the advantage of a global awareness functionality with the ability to react to threats and spam quickly; however, during 2014 it became clear that a key component of the functionality which was to learn about anticipated threats from users acceptance or rejection of s, would not work and the supplier was unlikely to make it work within the foreseeable future and hence the risk of IT security breaches was increasing; so in September 2014 the Mimecast filtering service was introduced so far this has worked as specified, testing and analysing some incoming s per day. Network monitoring has shown that our network does experience high levels of external attacks (being both in the UK and as part of Government), with 3 times the level during elections from overseas (1700 firewall attacks). Chelmsford was one of the first Councils to notice this and passed on this valuable information to other authorities. The usage of software to detect third party devices to the network has also prevented internal threats to the network as staff still attempt to attach non authorised devices such as memory sticks to the PCs. This helps to then target training needs. The use of Good technology was introduced to enable Councillors and staff to access s and the Intranet from Council or their own smart phones or tablets. The technology is now being tested to also allow staff access to documents on personal and shared files on the network. 7. Conclusion Considerable progress has been made in reducing Risk but effort is still required to maintain vigilance and improve individual behaviour with respect to policy compliance. List of Appendices Appendix A Analysis of 8 Steps for Governance Appendix B Strategic Risk Background Papers Nil 6

7 Appendix A - Analysis of 8 Steps for Governance 8 Steps recommended by CEB s Legal, Risk and Compliance Practice 1. Review the quality of the work done by your organisation s information security team. The second line of defence has a key role to play critically assess how well they fulfil that role and drive improvement Current Activity Risk is now seen as of strategic importance and is reported as one of eight risks to the Strategic Risk Board See also Appendix B Future Actions Ongoing assessment of risk and reporting to SRB. 2. Ensure that business-led IT initiatives are appropriately secured and deliver creative IT solutions quickly to innovative business managers around the organisation 3. Review all key aspects of information security every year to ensure that no gaps or disconnects exist. This is likely to require tough resourcing and planning decisions for CAEs Privacy Impact Assessments are completed for all new systems acquisition/development activity led by the Manager. Third party service providers are assessed for levels of Risk See 1 above. IT and IM security are assessed each year as part of PSN and PCI compliance. Penetration tests reveal potential weaknesses and are corrected as part of compliance work. Maintenance of software patches now seen as a priority ahead of new business projects. IT audit work recommendations are acted upon (IT audit not done in majority of Essex Councils) During 2015 Service Managers will take on the initial assessment activity with the Manager providing a consulting and assessment role. Penetration tests and recent work around Awareness Week has shown that the storage and security around manual records (eg on desks, management of passwords and unlocked filing cabinets) needs to be improved in many parts of the Council and will be a priority for the work programme of the Manager in

8 4. Ensure your audit committee can provide effective oversight of information security. This means they should have the right skills and knowledge and can challenge management frequently enough on information security risks facing the organisation and the controls management has implemented Awareness session provided in September Committee members have attended external training sessions. Strategic Risk Management with the SRB. Annual reporting in line with SRB reporting. 5. Strengthen your security barriers by changing employees behaviour. Secure behaviour by employees (and contractors and others working for you) provides agile protection against a rapidly changing threat environment even in the absence of a written policy IAOs recognise there has been a change in the last 18 months however see 3 above. IT security tends to focus on stopping events happening, but not the underlying behaviour of people attempting to be noncompliant eg using nonsecure USB devices See 3 above Propose that future audit programme may need to focus more on actions needed to achieve behaviour change. 6. Use a nuanced approach to train all employees effectively in corporatesensitive roles, including all senior management, the assistants of those senior managers, and everyone in sensitive roles such as purchasing or systems administration As part of PSN compliance work appropriate training has to be maintained for all staff. SIRO has to attend annual training sessions. IAOs have attended training session and attend quarterly meeting. Role based training (gold, silver, bronze) is provided electronically. Future specific training sessions being prepared for remote sites and potential 2015 Awareness week will again focus on achieving behaviour change. 8

9 7. Run scenario exercises to ensure senior management truly understands the information assets relied upon by the organisation, the main vulnerabilities and the real impact of their behaviours and decisions awareness week touched on this. Business Continuity exercises across Council test how service react to systems (hence information) loss We are investigating this are; eg the creation of false viruses to see how staff react (however, external research suggest that results and behaviour tend to be poor) 8. Scan the horizon routinely to understand critical emerging risks and ensure your control framework is adapted in time. Partially covered through the annual changes in PSN compliance requirements eg this year there has been a move way from pure technology compliance to principles and hence more emphasis on how information is then used and shared. Responsibilities shared between Manager and Technical Team Leader; who also attend appropriate external briefings; maintain Essex wide networks of staff in similar role. Security Systems suppliers provide regular updates. Internal security systems analysis has shown when we need to be more vigilant (eg during elections) Continue as now. 9

10 Appendix B Strategic Risk Managed By Louise GOODWIN Review Date 31-Oct-2014 Risk Number Current Risk Score * Target Risk Score * Description Potential loss or misuse of SR-008 Marginal x Low Marginal x Low data and information due to targeted or accidental external or internal actions Actions / Controls Already in Place Adequacy of action/control to address risk Required Management Action / Control Critical Success Factors Next Review Date Compliance assures Central Government that the Council meets the security standards PSN CoCo required to control our ICT Compliance based data and information assets; this is at the same level as international standards and is reassessed each year. PCI Compliance Internal Audit Regime As a level 3 merchant, compliance is monitored through self assessment (see also penetration tests) The Internal Audit plan related to ICT is based on an assessment of risk, and includes an annual assessment with respect to controls of financial systems. SIRO supported by IAOs and Manager to review key controls in place highlighting any weaknesses. Assurance that ICT services will not be brought off line to deal with network or systems breaches. No successful external attacks aimed at April 2015 ICT and Policies Senior Risk Owner (SIRO) and Asset Owners Policies are updated annually (these follow a standard format agreed by all Essex Local Authorities through the Essex On Line Partnership). The SIRO (Louise Goodwin) meets with the IAOs quarterly to review Assurance programmes of work. Marking is likely to be mandated during 2015 for PSN compliance. Further action, systems and training will be required. obtaining sensitive data. The threat of staff misuse of data is minimised. No data breaches will require action by the ICO against the Council (IAO)s Annual declaration by IAOs that 10

11 Asset Owner (IAO) Declarations ICT Security Systems Mobile Device Management ICT Penetration Tests Security Incident Management breach management they are managing the data and information risks in their business areas in accord with policies; local risks and action plans recorded in Covalent. Non Disclosure Agreements also used to manage risk with third parties. To achieve PSN CoCo compliance a range of ICT systems are maintained to latest levels; eg data and systems back up, Systems Access Control, 3 rd party access control, Identity Management, Anti Virus, Firewalls, Web and E:mail filtering, end point device management. Secure destruction carried out on obsolete data storage. As part of PSN compliance a mobile device management(good) is deployed to mobiles and tablets to ensure no corporate data resides on that device and can only be accessed securely. Carried out annually as part of PSN compliance testing. Also covers ability to access non ICT based data. Quarterly external penetration tests test for PCI compliance. Security systems management information is used to identify further information assurance activities and identify potential non compliance with policy, as well as carry out risk assessments when threat risk is heightened (eg during Elections) and at times of security alerts. The investigation of information breaches is carried out by the Manager. Remedial actions are recorded in Covalent. 11

12 Training Programmes Privacy Impact Assessments (PIAs) Sharing Agreements Staff roles are assessed as to the level of Assurance training required (Bronze, Silver or Gold). Understanding is tested and recorded using Meta Compliance system. SIRO attends annual Government briefing sessions. ICT staff attend appropriate training courses to manage and operate ICT security technologies The owners of all new ICT projects involving use of data complete a PIA to ensure any information risk is properly evaluated and managed. Technical assessments/due diligence carried out as part of PIA process. The WEISF (Whole Essex Sharing Forum) has agreed a framework for the sharing for data between public sector bodies. Sharing protocols provide assurance that only permissible data is shared and is done so with the appropriate level of security. Note: * Evaluating a single score is difficult. There is a low likelihood of regular marginal impact events; eg information breaches or random external attacks; conversely there is a very low likelihood of external targeted attacks succeeding but these could possibly have a critical level of impact. 12