Agenda item

The Board will review the Security Report and the different background items which will cover an update on IT, activity to maintain the cyber security of the organisation, the security programme and the overall Information Management and Technology (IMT) work programme.

Declarations of Interest:

None

Witnesses:

Paul Brocklehurst, Head of IMT

Chris Millard, Group Manager, Business Solutions

Morgan Rees, Technical Delivery Manager

Lorraine Juniper, Programmes Manager

Key points raised in the discussion:

1.    The report was introduced by the Group Manager of Business Solutions who explained that the IMT Service had responsibility for security compliance and the technical security controls needed to protect the organisation against cyber threats. It was highlighted to Members that due to the challenging world with ongoing new technology including social media there are ongoing risks with sensitive information.

2.    It was stated they were currently undergoing a security review to update the security policy and approach, including security training, new tools and techniques and more internet access and review of supporting security technology. The focus would be on tailoring security to people’s jobs, including opening up access to websites and applications where it was appropriate to the role.

3.    The Technical Delivery Manager informed the Board that they currently have undertaken a number of operation tests for Cyber attacks including internet based attacks to ensure they are identified and blocked each year. The Board was informed that the IMT service had trailed two new security products known as ‘Smoothwall’ and ‘Splunk’ which had allowed IMT staff to monitor usage easily and also give access to Internet sites. The purpose of these was to protect the organisation in a more hostile technical world.

4.    It was noted that the virus attack against the County Council on 2 February 2016 did not disrupt any Council activity or result in direct costs to the Council, and the IMT team was reviewing security arrangements in the light of the attack.

5.    The Council worked under the same compliance regime as East Sussex,  used the same security tools and technology and worked together to share intelligence.  Therefore integration as a result of the Orbis partnership would not impact negatively on either party. The audit report provided reassurance about the security arrangements in place.

6.     It was reported that technology boards for each directorate were responsible for deciding items for inclusion in the project work plan.  Projects were funded from a combination of service and IMT central funding, with IMT funding used to support the top priority projects. The technology boards were chaired by senior managers. The Board requested further details about the process for agreeing funding decisions for IMT projects.  Once this information had been reviewed the Board would decide if there were further areas it wished to scrutinise.

7.    The Board noted that savings were achieved by re-negotiating contracts rather than by putting projects on hold, and the team had been working very effectively over the last eighteen months to ensure cost savings were made.

8.    The Board noted that Paul Brocklehurst, the Head of IMT, would be leaving the Council at the end of the month. The Chairman thanked him on behalf of the Board for his contribution at Surrey, and it was reported that his replacement would be Matt Scott from East Sussex County Council, who would fulfil the role for both Councils.

Resolved:  That the Board reviews the further details to be provided about the process for agreeing funding decisions for IMT projects and decides if there are further areas it wishes to scrutinise.