SOUTH NORTHAMPTONSHIRE COUNCIL 10/11 REMOTE WORKING FINAL REPORT MARCH 2011


This report and the work connected therewith are subject to the Terms and Conditions of the contract dated 18/06/07 between South Northamptonshire Council and Deloitte & Touche Public Sector Internal Audit Limited. The report is produced solely for the use of South Northamptonshire Council. Its contents should not be quoted or referred to in whole or in part without our prior written consent except as required by law. Deloitte & Touche Public Sector Internal Audit Limited will accept no responsibility to any third party, as the report has not been prepared, and is not intended for any other purpose.

CONTENTS

Categorisation of Recommendations
Definition of Assurance Levels
Executive Summary
Detailed Report
Appendix 1: Terms of Reference
Appendix 2: Implementation Timetable and Response
Appendix 3: Statement of Responsibility

CATEGORISATION OF RECOMMENDATIONS

The recommendations in this report have been categorised as follows:

Priority 1: Major issues that we consider need to be brought to the attention of senior management. This Report: 0
Priority 2: Important issues that should be addressed by management in their areas of responsibility. This Report: 9
Priority 3: Detailed issues of a minor nature. This Report: 1

DEFINITION OF ASSURANCE LEVELS

Full Assurance: There is a sound system of control designed to achieve the system objectives with controls consistently being applied.
Satisfactory Assurance: Whilst there is a basically sound system, there are weaknesses that put some of the system objectives at risk.
Limited Assurance: Weaknesses in the system of controls are such as to place the system objectives at risk.
No Assurance: Control is generally weak, leaving the system open to significant error or abuse.

10/11 Remote Working Page 4 South Northants Council

EXECUTIVE SUMMARY

An audit of the systems and controls in place within the Council in respect of Remote Working has been completed in accordance with the Terms of Reference, as agreed with management, which is set out in Appendix 1.

In light of risk evaluation and compliance testing undertaken during this audit, a Limited Assurance Opinion is given in respect of the key controls operating over the arrangements for Remote Working. We have raised nine Priority 2 recommendations and one Priority 3 recommendation within this report where we believe internal controls can be improved.

Strategy, Policies and Procedures

Remote working was implemented at the Council out of the vision of a "better place to work" and was initially introduced as a pilot scheme to a selected number of users. However, as the scheme developed, no remote working strategy was produced to indicate the forward direction of home and remote working and how this supports the Council's service delivery.

A policy on Working from Home has been documented and is posted on the Council's intranet, as well as being included in the employee handbook in May 2010 following approval from full Council. The Policy was found to cover obtaining approval for home working, ensuring that health & safety risk assessments are performed, and performance management measures.

The Working from Home Policy contains links to other policies such as the and Internet usage Policy, Data Protection Policy and Information Security Policy. It also contains guidance on the storage of data and IT equipment when working from home and the need to keep Council data confidential. The Policy also provides details of the IT support that is available when working from home.

Although an Information Security Policy has been developed, it is still in draft format. Review of the Policy confirmed that it does contain guidance on mobile device security and on and internet policies.

Neither the Information Security Policy nor the Working from Home Policy contains statements in relation to the following areas that would be applicable for remote workers:

- The return of IT equipment upon termination of employment;
- Leaving the laptop in an empty office or location;
- Storage of laptop at home; and
- Use of laptop in public spaces or when travelling.

Additionally, users are not required to read and agree to any terms and conditions of use prior to being issued with laptops or smart phones such as iPAQs. Laptops are issued with Kensington locks as standard to assist in securing the laptop; however, it was indicated that only Councillors are currently issued laptops and locks are not always used.

Risk Assessment

IT risks have been assessed and are included within the corporate Risk Register. However, a risk assessment has not been carried out specifically relating to remote working. It was indicated that as part of achieving compliance with GCSx Code of Connection (CoCo) requirements, the use of encryption and mobile devices is currently being reviewed.

IT Support Arrangements

The Working from Home Policy document provides guidance to remote workers on the technical support arrangements that are in place and the requirement to log any faults with the IT Helpdesk. It has been clearly stated that although Capita will support the Citrix environment, it will not support personal computer equipment or problems with the user's own broadband. The Policy also clearly states that support will not extend to home visits and users are required to bring the equipment to the Council offices for diagnosis and repair. Staff are also informed during induction of the system support hours, which are between 8 am and 6 pm.

Access Control for Remote Access to Network

Users access the network from remote locations using two factor authentication, through a Secure Socket Layer (SSL) tunnel using the Citrix client. Remote users are supplied with RSA SecurID tokens to obtain access to the Council network. Remote access can also be obtained via Neoteris using RSA tokens; however, this may be decommissioned in the future and is used to provide only and intranet access to users, and does not provide access to Council applications.

Remote workers are currently allowed to obtain access to the network using their own personal equipment. It was discussed that the Council is currently trying to achieve compliance with CoCo version 4.1 and is currently in discussion with GCSx on the risk and cost of supplying Council equipment for remote workers. The Council is required to comply with CoCo by the end of 2010 and discussions are in place with GCSx to ascertain if the requirement to issue Council equipment for remote workers can be resolved.

A procedure is in place for setting up remote workers on Citrix. The line manager for the staff requesting home working is required to put forward a business case to the Head of Service to specify the reason and duration for remote access. If approved, the manager is then required to complete a remote worker checklist that helps to confirm that a Health & Safety Assessment has been completed, training has been received on Citrix use and performance monitoring targets have been specified. The Health and Safety forms and the Checklist are approved by the Health and Safety Advisor and then forwarded to HR to be stored within the worker's personnel file. A helpdesk call is subsequently logged with Capita to set up the user with remote access and issue the Citrix fob.

Audit confirmed that out of a sample of 6 remote workers who have left the Council in the last 12 months, only two users have had their access disabled with some having left the organisation in This was also confirmed for two mobile phone users who had left in 2009 but are both still active on the mobile phone user and system. It could not be confirmed whether their mobile devices, namely iPAQs, had been returned.

Remote access connections are logged and can be queried for the login per user; however, the logs are not monitored for security violations.

Intrusion Detection Software (IDS) is not in place, although this is being considered as part of achieving compliance with GCSX CoCo.

Physical Security of Mobile Devices

A Configuration Management Database (CMDB) was implemented in April 2010 to record the asset details of all machines on the SNDC network. However, at the time of the audit, this was still being configured and it could not be verified whether the CMDB will be able to discover remotely logged in machines.

Logical Security of Mobile Devices

Users of mobile phone and data devices are required to set a PIN code to prevent casual access to the devices. However, PIN codes are not set as a default on mobile phones when configured and issued, and currently users have the ability to override this setting.

Data encryption is not currently in use on laptops or any mobile phone devices; however, this is being reviewed as part of achieving compliance with CoCo.

Capita are responsible for ensuring that anti-virus software is in place on the Council network and is kept updated through the download of regular updates. The Information Security Policy also states that Council computers and systems will be protected by anti-virus systems. Since the Council has opted to allow remote users to use their own equipment, the Working from Home Policy makes those users responsible for ensuring that their anti-virus is up-to-date.

A remote wipe solution is in place for iPAQs. The Goodlink Management console is used to remove the system on the phone; however, it does not remove any stored attachments or contact lists saved on the phone. It was confirmed that there are 35 users who currently have the mobile device.

Audit testing confirmed that staff are not issued with USBs to store data. Additionally, the Information Security Policy states the policy on restricting storage and transport of data on removable media.

Health and Safety

See the section above on Access Control for Remote Access to Network for detail on Health and Safety Assessments (H&S). Audit testing also identified that, although all remote workers are required to carry out a Health & Safety assessment, an annual review of the Health and Safety assessments is not being carried out to ensure they are up to date.

Monitoring

The Working from Home Policy requires management to ensure performance monitoring has been discussed and confirmed with the remote worker. A review of the Remote Working checklist also confirmed that this is discussed by management prior to granting access.

HR has not currently specified a requirement for the meetings between management and remote workers to be formally documented unless the manager has serious concerns about misuse of the remote working facility. Furthermore, HR does not require any performance of one-to-ones to be formally recorded on the personnel files of the remote worker.

Appendix 2 contains a summary of recommendations in priority order and an implementation timetable that has been agreed with management.

DETAILED REPORT

Recommendation 1: Remote Working Strategy

A Remote Working Strategy should be developed to define the objectives, scope, anticipated benefits of remote working and an action plan to achieve these benefits. This can also be used to identify changes in the Council's accommodation strategy that may be delivered as a result of users working remotely.

Priority

Priority 2

Rationale

The purpose of a Remote Working Strategy is to provide an overview of the goals, objectives and delivery targets for remote working. The strategy would help to ensure that actions and expected outcomes relating to implementation and the further development of remote working are assessed.

Audit testing confirmed that remote working was born out of the vision of a "better place to work" within the Council and was initially introduced as a pilot scheme. However, a Remote Working Strategy had not been developed.

If a Remote Working Strategy is not developed there is a risk that the strategic objectives for remote working are not achieved and potential benefits are not realised.

Management Response

The Council is undergoing a medium to long term strategic review of accommodation needs as part of the Moat Lane regeneration programme with hot-desking and remote working practices a defined outcomes. In light of this major change programme it is felt that the current approach of line managers assessing their officer's ability / suitability for remote working best suits the Council's current needs and is fully supported by policies and procedures that are already in place.

Implementation Responsibility and Timetable

IT & Customer Services Manager

Recommendation 2: Information Security Policy and Terms & Conditions of Use

The Information Security Policy should be finalised and enhanced to incorporate the following areas of laptop usage:

- The return of IT equipment upon termination of employment;
- Not leaving laptops in an empty office;
- Processes for the storage of laptop at home;
- Guidance on the use of laptop in public spaces or when travelling; and
- The use of Kensington locks to secure laptops.

Additionally, staff should be issued with Terms and Conditions of Use for laptops and mobile phone devices and should be required to confirm that they have read, understood and agree to comply with them.

Priority

Priority 2

Rationale

Terms and conditions of use that have been read and agreed by users would help to ensure that users are fully aware of their responsibilities as well as the risks associated with using portable equipment.

The Information Security Policy is still in draft format. Additionally, users are not required to read and agree to any terms and conditions of laptop or mobile phone use, and it was determined that although Kensington locks are issued to all staff, in some cases they are not always routinely used.

There is a risk that users may not be fully aware of the responsibilities associated with using portable equipment such as laptops and mobile devices such as iPAQs. As a result these remote users may be more likely to expose the Council to greater data security risks, which may lead to a breach in data confidentiality and possible reputational damage to the Council.

Management Response

To be confirmed

Implementation Responsibility and Timetable

Graham Thorpe (Information Systems Officer) to be confirmed.

Recommendation 3: Remote Working Risk Assessment and Risk Register

Management should ensure that the risks associated with home and offsite working are assessed and addressed within the ICT Risk Registers. This should include in particular the potential increased risk of breaches in data security and confidentiality when Council information is accessed using laptops, USBs or smart phones away from the office. This can also assist in demonstrating the controls that the Council has put in place to mitigate these risks.

Priority

Priority 2

Rationale

Identifying and mitigating the key risks associated with remote access to the network would help to ensure that risks identified in the remote working area are assessed, so that data availability and confidentiality are maintained.

IT risks are included within the Corporate Risk Register; however, a risk assessment has not been performed specifically for remote working, issuing laptops and the use of non-council equipment for remote working.

Where key risks relating to the security of data and assets taken offsite are not identified and appropriately managed, there is a risk that the Council may not be able to manage its risk to an acceptable level. This may impact on its ability to protect data and information assets against loss or damage.

Management Response

As stated previously individual line managers are best placed to assess their officers - this is supported by Council procedures including risk assessments.

Implementation Responsibility and Timetable

IT & Customer Services Manager

Recommendation 4: Leavers and Dormant Accounts

A procedure to review leavers as well as dormant remote access accounts should be developed to help ensure that remote access is promptly removed for users on the termination of their employment and all IT equipment or mobile devices are returned.

Priority

Priority 2

Rationale

User accounts that are no longer required should be removed to ensure that access cannot be obtained to the Council's network and data.

A procedure to review dormant remote access accounts is not currently in place. Capita occasionally receive a leaver's form from line management; however, this is not consistent. A leaver's list is published on the intranet by HR each month, which is checked by Capita to disable accounts.

Audit testing identified that out of a sample of 6 leavers in the last 12 months, only two had their access disabled with some having left the organisation in The same was confirmed for two mobile phone users who left in 2009 but are both still active on the mobile phone user and system. It could not be confirmed whether their mobile devices had been returned.

Failure to implement formal procedures for disabling remote user accounts increases the risk of confidentiality on the system being compromised resulting from unauthorised access.

Management Response

There is now a procedure in place that covers this issue - Dormant accounts are deactivated and equipment returned.

Implementation Responsibility and Timetable

IT & Customer Services Manager implemented.

Recommendation 5: Monitoring of Remote Access to the Network

We recommend that the Council consider enhancing security on the network by implementing the following controls:

- The regular review of remote access logs is performed for potential security violations; and
- Implementation of an Intrusion Detection System (IDS).

Priority

Priority 2

Rationale

Monitoring remote access connection attempts helps to ensure that unauthorised attempts at network access are identified and preventative action is put in place.

It was identified through our testing that:

- Although remote access is logged, specific events are not reviewed; and
- The Council currently does not have any Intrusion Detection Systems in place over the corporate network, although this is being reviewed as part of achieving compliance with CoCo requirements.

Unless processes are put in place for the monitoring of remote access sessions, and alerts are configured to notify staff in the event of suspicious activity, there is a risk that unauthorised access attempts could occur without the Council being aware.

Management Response

The Surecloud system has been installed and implemented. It is an IDS and log recording system meeting GCSX standards.

Implementation Responsibility and Timetable

Tim Bartlett (IT Team Leader) implemented.

Recommendation 6: IT Asset Register

Management should ensure that all laptop, PC and mobile phone assets are updated on to an IT Asset Register when new stock is received and issued to users, and when stock is returned or disposed.

Priority

Priority 2

Rationale

A complete, accurate and up-to-date IT Asset Register would help to ensure that management are able to account for and locate all the Council's IT assets.

A Configuration Management Database (CMDB) was installed by Capita in April 2010 to discover all hardware devices and has started to populate the database. At the time of the audit this was still being configured and it was indicated that the Council is unsure whether the CMDB will be able to discover remote machines attached to the network. A procedure is yet to be developed to ensure that mobile devices are recorded in the Asset Register.

Failure to maintain an up-to-date, accurate and complete IT Asset Register may expose the Council to the risk of equipment not being identifiable and traceable in the event of loss or theft. This may affect the Council's ability to claim on its insurance for the loss or damage of equipment.

Management Response

All devices on the network are captured on the IT asset register. The current system does not capture mobile phones or Laptops that have NEVER been connected to the network. The proposed shared working arrangement with Cherwell DC is likely to present an opportunity to improve the current system.

Implementation Responsibility and Timetable

Tim Bartlett (IT Team Leader) ongoing.

Recommendation 7: Mobile Phone Devices

Management should ensure that security settings on mobile device handsets such as iPAQs are adjusted to incorporate the following:

- Devices should be required to be protected by a power on password or PIN. Default passwords or PIN codes need to be changed on initial use; these should not be deactivated unless authorised in writing by ICT;
- Devices should be set to Non-discoverable or Hidden to help prevent information disclosure; and
- Users should be restricted from reconfiguring the security settings on the device.

The remote wipe solution currently in place should be developed to ensure all the data stored on the mobile phone is wiped.

Additionally, the approved list of mobile phones issued to users should be reviewed for accuracy and should be completed for future mobile phones requests for remote workers.

Priority

Priority 2

Rationale

Enabling PIN security and restricting users from reconfiguring mobile device handset security settings would help to ensure that minimum security standards are enforced by the Authority. This would also help to ensure that in the event that the handset is lost or stolen, data confidentiality is not easily compromised.

It was identified that default settings on the handsets are not adjusted to require PIN entry on power on. Additionally, users have the ability to reconfigure the security settings on their handset and therefore have the ability to disable the requirement for PIN entry as well as any other security features set.

The remote wipe solution removes data but it does not remove any other data such as attachments or the contact list stored on the phone.

Audit testing confirmed that a list of approved mobile phones had been in place 5 years ago, though this has not been updated for the past 5 years.

Where security settings on mobile data device handsets are not configured or can be changed, there is a risk that in the event that the handset is lost or stolen data confidentiality may be compromised.

Failure to distribute only approved mobile devices increases the risk that smart phones with weak security settings could be distributed, thus potentially compromising data security.

Management Response

For all IPAQ:

- Devices could be pin protected, but are not currently,
- Devices are set to Non-discoverable / Hidden
- Users are restricted from reconfiguring security settings
- The remote wipe solution ensures all data is wiped.

All Smart-phones that have access to or other corporate data have been reviewed as suggested.

Implementation Responsibility and Timetable

IT & Customer Services Manager July

Recommendation 8: Mobile Device Encryption

Management should ensure that all confidential and sensitive data held on Laptops and mobile device handsets such as iPAQs is adequately encrypted.

Priority

Priority 2

Rationale

Encryption on portable data storage devices would help to ensure that, in the event that the device is lost or stolen, data confidentiality is not easily compromised. This also helps the Council with compliance with the Code of Connection and Data Protection requirements.

It was identified that data encryption is not currently used on the laptops or the iPAQ handsets issued by the Council. However, this is being reviewed as part of achieving compliance with CoCo requirements.

Where data held on mobile storage devices such as laptops and iPAQ handsets is not adequately protected, there is a risk that if these devices are lost or stolen data confidentiality may be compromised. This could mean that the Council is not protecting data in accordance with Data Protection principles.

Management Response

We currently have no mobile device encryption. Whilst this is desirable it is also prohibitively costly - However shared working arrangement with Cherwell DC is likely to present an opportunity to implement such a solution at lower costs. Additionally no RESTRICTED data is held on any laptop or mobile device. As such I request that this recommendation be categorised as a lower priority.

Implementation Responsibility and Timetable

Tim Bartlett (IT Team Leader) ongoing.

Recommendation 9: Remote Working Code of Connection

The requirements of the Code of Connection regarding the use of Council users' home IT equipment for accessing the Council network should be finalised to ensure that the Council is in line with Code of Connection requirements. Processes should be established to provide assurance that adequate controls relating to security and virus protection have been put in place.

Priority

Priority 2

Rationale

Confirming the requirements of the Code of Connection with regards to access to the Council network via users' own IT equipment helps to ensure that the Council is in compliance with the Code of Connection and has also taken steps to secure the network from unauthorised activity and virus attack.

The Council currently allows users to access the Council network and data via their own PCs and laptops. The latest version of the Code of Connection places increased controls and restrictions on using personal IT equipment to access Council data. We understand that the Council is currently in discussions with the assessors on the exact requirement of this.

Failure to confirm the status of the requirements of the Code of Connection could mean that the Council is not in line with the Code of Connection requirements. Furthermore, the use of users' own PCs to access Council systems could expose the Council to the risk of weak security settings on PCs opening up vulnerabilities to the Council network.

Management Response

The Council passed its most recent Health Check and Code of Connection assessment.

Implementation Responsibility and Timetable

IT and Customer Services Manager implemented.

Recommendation 10: Health & Safety Assessment Review

The Health & Safety assessments should be reviewed on an annual basis to ensure that users' home circumstances are still suitable for home or remote working.

Priority

Priority 3

Rationale

The Remote Workers Health and Safety Risk Assessment helps to ensure that users have reviewed their home/remote working requirements and that these have been confirmed as suitable for users to work away from the office.

Audit testing identified that the annual review of Health and Safety Assessments for home workers is not always performed.

Failure to undertake adequate annual review of Health and Safety Assessments on all home/remote workers increases the risk that these workers may suffer injuries as a result of unsuitable remote working conditions, which could mean the Council may not operate in compliance with Health and Safety legislation.

Management Response

This recommendation will be forwarded to all managers.

Implementation Responsibility and Timetable

Helen Marshall (Health and Safety Advisor) implemented.

Appendix 1

Terms of Reference: 10/11 Remote Working

Scope of the Audit:

The audit specifically covered the following areas and control objectives:

- Remote Working Policies and Procedures;
- Remote Working Risk Assessment;
- IT Support Arrangements;
- Access Controls for Remote Access to the South Northamptonshire District Council Network;
- Logical and Physical Security of Mobile Devices;
- Health and Safety; and
- Monitoring.

The audit took a sample of projects and evaluated the extent to which they have been managed in accordance with the corporate policy and procedures.

Start of fieldwork: 27th May 2010

Audit Staff

Andrew Robinson - Deloitte: 2 Day
Aditi Babla - Deloitte: 9 Days
11 Days

Senior Auditees

Mike Shaw, IT Manager

Reporting Deadlines and Distribution

Draft Report: 12th August 2010

Distribution:

- Mike Shaw, IT Manager
- Martin Henry, Head of Finance
- David Price, Director of Community Engagement and Corporate Services

Final Report: 24th March 2011

Distribution:

- Mike Shaw, IT Manager
- Martin Henry, Head of Finance
- David Price, Director of Community Engagement and Corporate Services
- Jean Morgan, Chief Executive

APPENDIX 2

Implementation Timetable and Responsibility

Ref No 1: Remote Working Strategy
Recommendation: A Remote Working Strategy should be developed to define the objectives, scope, anticipated benefits of remote working and an action plan to achieve these benefits. This can also be used to identify changes in the Council's accommodation strategy that may be delivered as a result of users working remotely.
Priority: 2
Management Response: The Council is undergoing a medium to long term strategic review of accommodation needs as part of the Moat Lane regeneration programme with hot-desking and remote working practices a defined outcomes. In light of this major change programme it is felt that the current approach of line managers assessing their officer's ability / suitability for remote working best suits the Council's current needs and is fully supported by policies and procedures that are already in place.
Implementation Responsibility: Mike Shaw, IT and Customer Services Manager
Implementation Deadline: On-going

Ref No 2: Information Security Policy and Terms & Conditions of Use
Recommendation: The Information Security Policy should be finalised and enhanced to incorporate the following areas of laptop usage:
- The return of IT equipment upon termination of employment;
- Not leaving laptops in an empty office;
- Processes for the storage of laptop at home;
- Guidance on the use of laptop in public spaces or when travelling; and
- The use of Kensington locks to secure laptops.
Additionally, staff should be issued with Terms and Conditions of Use for laptops and mobile phone devices and should be required to confirm that they have read, understood and agree to comply with them.
Priority: 2
Management Response: To be confirmed.
Implementation Responsibility: Graham Thorpe, Information Systems Officer
Implementation Deadline: To be confirmed.

Ref No 3: Remote Working Risk Assessment and Risk Register
Recommendation: Management should ensure that the risks associated with home and offsite working are assessed and addressed within the ICT Risk Registers. This should include in particular the potential increased risk of breaches in data security and confidentiality when Council information is accessed using laptops, USBs or smart phones away from the office. This can also assist in demonstrating the controls that the Council has put in place to mitigate these risks.
Priority: 2
Management Response: As stated previously individual line managers are best placed to assess their officers - this is supported by Council procedures including risk assessments.
Implementation Responsibility: Mike Shaw, IT and Customer Services Manager
Implementation Deadline: Not applicable.

Ref No 4: Leavers and Dormant Accounts
Recommendation: A procedure to review leavers as well as dormant remote access accounts should be developed to help ensure that remote access is promptly removed for users on the termination of their employment and all IT equipment or mobile devices are returned.
Priority: 2
Management Response: There is now a procedure in place that covers this issue - Dormant accounts are deactivated and equipment returned.
Implementation Responsibility: Mike Shaw, IT and Customer Services Manager
Implementation Deadline: Implemented.

Ref No 5: Monitoring of Remote Access to the Network
Recommendation: We recommend that the Council consider enhancing security on the network by implementing the following controls:
- The regular review of remote access logs is performed for potential security violations; and
- Implementation of an Intrusion Detection System (IDS).
Priority: 2
Management Response: The Surecloud system has been installed and implemented. It is an IDS and log recording system meeting GCSX standards.
Implementation Responsibility: Tim Bartlett, IT Team Leader
Implementation Deadline: Implemented.

Ref No 6: IT Asset Register
Recommendation: Management should ensure that all laptop, PC and mobile phone assets are updated on to an IT Asset Register when new stock is received and issued to users, and when stock is returned or disposed.
Priority: 2
Management Response: All devices on the network are captured on the IT asset register. The current system does not capture mobile phones or Laptops that have NEVER been connected to the network. The proposed shared working arrangement with Cherwell DC is likely to present an opportunity to improve the current system.
Implementation Responsibility: Tim Bartlett, IT Team Leader
Implementation Deadline: On-going

Ref No 7: Mobile Phone Devices
Recommendation: Management should ensure that security settings on mobile device handsets such as iPAQs are adjusted to incorporate the following:
- Devices should be required to be protected by a power on password or PIN. Default passwords or PIN codes need to be changed on initial use; these should not be deactivated unless authorised in writing by ICT;
- Devices should be set to Non-discoverable or Hidden to help prevent information disclosure; and
- Users should be restricted from reconfiguring the security settings on the device.
The remote wipe solution currently in place should be developed to ensure all the data stored on the mobile phone is wiped.
Additionally, the approved list of mobile phones issued to users should be reviewed for accuracy and should be completed for future mobile phones requests for remote workers.
Priority: 2
Management Response: For all IPAQ:
- Devices could be pin protected, but are not currently,
- Devices are set to Non-discoverable / Hidden
- Users are restricted from reconfiguring security settings
- The remote wipe solution ensures all data is wiped.
All Smart-phones that have access to or other corporate data have been reviewed as suggested
Implementation Responsibility: Mike Shaw, IT and Customer Services Manager
Implementation Deadline: July

Ref No 8: Mobile Phone Encryption
Recommendation: Management should ensure that all confidential and sensitive data held on laptops and mobile device handsets such as iPAQs is adequately encrypted.
Priority: 2
Management Response: We currently have no mobile device encryption. Whilst this is desirable it is also prohibitively costly - However shared working arrangement with Cherwell DC is likely to present an opportunity to implement such a solution at lower costs.
Implementation Responsibility: Tim Bartlett, IT Team Leader
Implementation Deadline: Ongoing.

25 Ref No Recommendation Priority Management Response Implementation Responsibility Implementation Deadline 9 Remote Working Code of Connection The requirements of the Code of Connection regarding the use of Council users home IT equipment for accessing the Council network should be finalised to ensure that the Council is in line with Code of Connection requirements. Processes should be established to provide assurance that adequate controls relating to security and virus protection have been put in place. 10 Health & Safety Assessment Review The Health & Safety Assessments should be reviewed on an annual basis to ensure that users home circumstances are still suitable for home or remote working. Additionally no RESTRICTED data is held on any laptop or mobile device. 2 The Council passed its most recent Health Check and Code of Connection assessment. 3 This recommendation will be forwarded to all managers Mike Shaw IT and Customer Services Manager Helen Marshall Health & Safety Advisor Implemented. April /11 Remote Working Page 26 South Northants Council

APPENDIX 3 Statement of Responsibility

We take responsibility for this report which is prepared on the basis of the limitations set out below.

The matters raised in this report are only those which came to our attention during the course of our internal audit work and are not necessarily a comprehensive statement of all the weaknesses that exist or all improvements that might be made. Recommendations for improvements should be assessed by you for their full impact before they are implemented. The performance of internal audit work is not and should not be taken as a substitute for management's responsibilities for the application of sound management practices. We emphasise that the responsibility for a sound system of internal controls and the prevention and detection of fraud and other irregularities rests with management and work performed by internal audit should not be relied upon to identify all strengths and weaknesses in internal controls, nor relied upon to identify all circumstances of fraud or irregularity. Auditors, in conducting their work, are required to have regard to the possibility of fraud or irregularities. Even sound systems of internal control can only provide reasonable and not absolute assurance and may not be proof against collusive fraud. Internal audit procedures are designed to focus on areas as identified by management as being of greatest risk and significance and as such we rely on management to provide us full access to their accounting records and transactions for the purposes of our audit work and to ensure the authenticity of these documents. Effective and timely implementation of our recommendations by management is important for the maintenance of a reliable internal control system. The assurance level awarded in our internal audit report is not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board.

Deloitte & Touche Public Sector Internal Audit Limited
St Albans
March 2011

In this document references to Deloitte are references to Deloitte & Touche Public Sector Internal Audit Limited. Registered office: Hill House, 1 Little New Street, London EC4A 3TR, United Kingdom. Registered in England and Wales No

Deloitte & Touche Public Sector Internal Audit Limited is a subsidiary of Deloitte LLP, the United Kingdom member firm of Deloitte Touche Tohmatsu Limited ("DTTL"), a UK private company limited by guarantee, whose member firms are legally separate and independent entities. Please see for a detailed description of the legal structure of DTTL and its member firms.

Member of Deloitte Touche Tohmatsu Limited


More information

DBC 999 Incident Reporting Procedure

DBC 999 Incident Reporting Procedure DBC 999 Incident Reporting Procedure Signed: Chief Executive Introduction This procedure is intended to identify the actions to be taken in the event of a security incident or breach, and the persons responsible

More information

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy BOARD OF DIRECTORS PAPER COVER SHEET Meeting date: 22 February 2006 Agenda item:7 Title: Purpose: The Trust Board to approve the updated Summary: The Trust is required to have and update each year a policy

More information

HSCIC Audit of Data Sharing Activities:

HSCIC Audit of Data Sharing Activities: Directorate / Programme Data Dissemination Services Project Data Sharing Audits Status Approved Director Terry Hill Version 1.0 Owner Rob Shaw Version issue date 26/10/2015 HSCIC Audit of Data Sharing

More information

Rotherham CCG Network Security Policy V2.0

Rotherham CCG Network Security Policy V2.0 Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October

More information

Information Management Policy

Information Management Policy Information Management Policy Document Control Title Organisation Description Author(s) Information Management Policy London Legacy Development Corporation The Information Management Policy describes how

More information

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014 Islington ICT Physical Security of Information Policy A council-wide information technology policy Version 0.7 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document

More information

Physical Security Policy

Physical Security Policy Physical Security Policy Author: Policy & Strategy Team Version: 0.8 Date: January 2008 Version 0.8 Page 1 of 7 Document Control Information Document ID Document title Sefton Council Physical Security

More information

Use of tablet devices in NHS environments: Good Practice Guideline

Use of tablet devices in NHS environments: Good Practice Guideline Use of Tablet Devices in NHS environments: Good Practice Guidelines Programme NPFIT Document Record ID Key Sub-Prog / Project Technology Office Prog. Director Chris Wilber Status APPROVED Owner James Wood

More information

EA-ISP-012-Network Management Policy

EA-ISP-012-Network Management Policy Technology & Information Services EA-ISP-012-Network Management Policy Owner: Adrian Hollister Author: Paul Ferrier Date: 01/04/2015 Document Security Level: PUBLIC Document Version: 1.00 Document Ref:

More information

USE OF PERSONAL MOBILE DEVICES POLICY

USE OF PERSONAL MOBILE DEVICES POLICY Policies and Procedures USE OF PERSONAL MOBILE DEVICES POLICY Date Approved by Information Strategy Group Version Issue Date Review Date Executive Lead Information Asset Owner Author 15.04.2014 1.0 01/08/2014

More information

ABERDARE COMMUNITY SCHOOL

ABERDARE COMMUNITY SCHOOL ABERDARE COMMUNITY SCHOOL IT Security Policy Drafted June 2014 Revised on....... Mrs. S. Davies (Headteacher) Mr. A. Maddox (Chair of Interim Governing Body) IT SECURITY POLICY Review This policy has been

More information

Aberdeen City Council

Aberdeen City Council Aberdeen City Council Internal Audit Report Final Contract management arrangements within Social Care & Wellbeing 2013/2014 for Aberdeen City Council January 2014 Internal Audit KPI Targets Target Dates

More information

Remote Access and Network Security Statement For Apple

Remote Access and Network Security Statement For Apple Remote Access and Mobile Working Policy & Guidance Document Control Document Details Author Adrian Last Company Name The Crown Estate Division Name Information Services Document Name Remote Access and

More information

IT Security Procedure

IT Security Procedure IT Security Procedure 1. Purpose This Procedure outlines the process for appropriate security measures throughout the West Coast District Health Board (WCDHB) Information Systems. 2. Application This Procedure

More information

The Ministry of Information & Communication Technology MICT

The Ministry of Information & Communication Technology MICT The Ministry of Information & Communication Technology MICT Document Reference: ISGSN2012-10-01-Ver 1.0 Published Date: March 2014 1 P a g e Table of Contents Table of Contents... 2 Definitions... 3 1.

More information

SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY

SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY OBJECTIVE To provide users with guidelines for the use of information technology resources provided by Council. SCOPE This policy

More information

INTERNAL AUDIT FINAL REPORT CNES FINANCE AND CORPORATE RESOURCES DEPARTMENT CLOUD IT SYSTEMS AND THE CRM SYSTEM OFFICIAL OFFICIAL

INTERNAL AUDIT FINAL REPORT CNES FINANCE AND CORPORATE RESOURCES DEPARTMENT CLOUD IT SYSTEMS AND THE CRM SYSTEM OFFICIAL OFFICIAL INTERNAL AUDIT FINAL REPORT CNES FINANCE AND CORPORATE RESOURCES DEPARTMENT CLOUD IT SYSTEMS AND THE CRM SYSTEM AUTHOR DISTRIBUTION David Beaton Director of Finance and Corporate Resources Internal Audit

More information

Information Security Code of Conduct

Information Security Code of Conduct Information Security Code of Conduct IT s up to us >Passwords > Anti-Virus > Security Locks >Email & Internet >Software >Aon Information >Data Protection >ID Badges > Contents Aon Information Security

More information

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction Policy: Title: Status: 1. Introduction ISP-S12 Network Management Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1.1. This information security policy document covers management,

More information

HSCIC Audit of Data Sharing Activities:

HSCIC Audit of Data Sharing Activities: Directorate / Programme Data Dissemination Services Project Data Sharing Audits Status Approved Director Terry Hill Version 1.0 Owner Rob Shaw Version issue date 21/09/2015 HSCIC Audit of Data Sharing

More information

Mobile Devices Security Policy

Mobile Devices Security Policy Mobile Devices Security Policy 1.0 Policy Administration (for completion by Author) Document Title Mobile Devices Security Policy Document Category Policy ref. Status Policy Unique ref no. Issued by GSU

More information

UF IT Risk Assessment Standard

UF IT Risk Assessment Standard UF IT Risk Assessment Standard Authority This standard was enacted by the UF Senior Vice President for Administration and the UF Interim Chief Information Officer on July 10, 2008 [7]. It was approved

More information

St Vincent s Catholic Primary School e-safety Policy

St Vincent s Catholic Primary School e-safety Policy St Vincent s Catholic Primary School e-safety Policy Policy e-safety Policy Date January 2015 Date of review January 2016 Signed Chair of Governors Signed Headteacher Effective Practice in e-safety E-safety

More information