1.1

This report details the internal audit review of procedures, controls, and the management of risk in relation to information (inc. cyber) security.  The audit has been undertaken in accordance with the 2022/23 internal audit plan agreed with the joint audit and governance committee of South Oxfordshire District Council (South) and Vale of White Horse District Council (Vale).  The audit has a priority score of 21.  The audit approach is provided in the audit framework in Appendix 1.

1.2

The following objective areas have been covered during the course of this review:

2.1

Information (inc. cyber) security was last subject to an internal audit review in November 2020 and seven recommendations were raised.  All seven recommendations were agreed, and a limited assurance opinion was issued.

2.2

One recommendation has been implemented, one recommendation has been partly implemented and five recommendations have not been implemented. One recommendation is restated in this review (Rec 3) and four recommendations are no longer applicable.

3.1

Limited assurance: There are some weaknesses in the adequacy of the internal control system which put the system objectives at risk and/or the level of non-compliance puts some of the system objectives at risk.

3.2

11 joint recommendations have been raised in this review. Six high risk, three medium risk and two low risk.

4.1

Information security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private, and sensitive information or data from unauthorised access, use, misuse, disclosure, destruction, modification, or disruption.

4.2

Cyber security is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks.

4.3

South and Vale have a statutory duty under the following legislations and associated regulations in relation to the use, storing and handling of information:

4.4

The councils’ IT services, including IT/Cyber security, was outsourced on the 1 August 2016 to Capita, as part of the five councils’ partnership (5CP). Capita have a service delivery plan (SDP) and service specification (SS) for the services they provide and have developed a specific plan for IT security. The SDP and SS describes the service that will be carried out for the five councils under contractual agreements signed by all participating parties, including for IT (cyber) security controls.

4.5

The councils also hold contractual agreements with a number of IT service providers of cloud-based applications, including Unit4, LoneAlert and Zellis (ResourceLink). The management of IT security and disaster recovery routines for these applications falls outside the direct responsibility of the councils and Capita.

4.6

The government’s National Cyber Security Centre (NCSC) defines a cyber security incident as:

·         A breach of a system’s security policy to affect its integrity or availability; and/or

·         The unauthorised access or attempted access to a system that

a)    actually, or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of an information system or the information that system controls, processes; or

b)    constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies. Such incidents could be either intentional or accidental in nature but can be determined by the root cause.

4.8

Examples of cyber security incidents may include, but not limited to un-targeted and targeted cyber-attacks. Un-targeted cyber-attacks, attackers indiscriminately target as many devices, services, or users as possible. To do this, they use techniques that take advantage of the openness of the internet, which include:

·         phishing - sending emails to large numbers of people asking for sensitive information (such as bank details) or encouraging them to visit a fake website;

·         water holing - setting up a fake website or compromising a legitimate one in order to exploit visiting users;

·         ransomware - which could include disseminating disk encrypting extortion malware; and

·         scanning - attacking wide swathes of the Internet at random.

4.9

In targeted cyber-attacks, an organisation is singled out because the attacker has a specific interest in the business or has been paid to target the organisation. A targeted attack is often more damaging than an un-targeted one because it has been specifically tailored to attack systems, processes, or personnel, in the office and sometimes at home. Targeted attacks may include:

·         spear-phishing - sending emails to targeted individuals that could contain an attachment with malicious software, or a link that downloads malicious software;

·         deploying a botnet - to deliver a DDOS (Distributed Denial of Service) attack; and

·         subverting the supply chain - to attack equipment or software being delivered to the organisation.

5.0

The Local Government Association (LGA) recognises that in recent years there has been a significant rise in cyber security related incidents affecting the public sector across the globe, as well as a marked increase in the number of attacks targeting national infrastructure, such as healthcare, local government and even water supplies. Not only are these incidents becoming more frequent, but they are also becoming increasingly sophisticated and appear to be carried out by advanced, persistent threat actors that have access to considerable resources. As a response to this, it is vital for authorities to ensure they have the knowledge, means and support to effectively defend themselves against determined adversaries and relentless cyber-attacks.

5.1

Obj1: Policy and Procedures

5.1.1

The 5CP/Capita have 14 IT cyber security policies and procedural documents, which have been agreed and implemented through the partnership. These polices are not specific to South and Vale operations, and due to this complexity, the policies and procedures are not issued to officers. The IT manager is developing an IT security policy, specific to South and Vale operations, which amalgamates all 14 5CP policies into one operational document. Aa of September 2022, the policy is in draft, awaiting senior management team (SMT) sign-off.

5.1.2

The annual review of 11 out of the 14 5CP/Capita polices are overdue. The policies are being reviewed and updated within the 5CP security working group; however, not all policies have been approved and published.

5.1.3

During the previous internal audit in 2019/20 the organisation had not developed their own cyber security strategy, due to other priorities. This was still the case at the time of this review (September 2022). 5CP/Capita have a cyber incident response procedure from a technical service perspective; however, there is no localised plan that covers internal council operations. The assurance team are developing a South and Vale cyber response incident plan, which has not been finalised.

5.1.4

The councils have embedded a variety of controls to mitigate the occurrence of a cyber security breach, as documented in the draft joint IT security policy. Controls include requirements for passwords, email usage, internet and wireless networks, virus checking software, screen savers, the storage of business data, system updates, confidentiality, confidential media, remote access, mobile telephony, security incidents, business continuity, and IT systems monitoring.

5.1.5

In November 2021, South and Vale launched multi-factor authentication (MFA) to provide an extra layer of protection to council systems, which has improved cyber security for staff, council members, and the organisation.

5.1.6

The councils have in place their own joiner/mover/leaver (JML) process with Capita, where authorised individuals (usually service manager level and above) may approve requests for changes to IT systems and account access by submitting the relevant form to the Capita service desk. A copy of the agreed JML policy/procedures could not be provided during the review; however, a copy was provided by Capita following the internal audit exit meeting. The 5Cs JML procedure does not reflect the South and Vale approval process in place; however, controls within this area are due to be reviewed.

5.1.7

Weaknesses were identified within the sample testing of the current JML process. The Capita service desk had not updated the councils’ approved personnel list and were found to be using an historic (outdated) version. Furthermore, our results identified anomalies within 18 (60%) of the 30 requests sampled, where ten (33%) request forms were approved by individuals not listed on the appropriate authorisation list for the period and eight (26%) were not supported with a physical request form on file (requests had been submitted directly via email or phone call to the service desk). Additionally, none of the ‘mover’ change requests submitted to Capita following a role change or movement to another service within the councils’ evidenced requests for prior access to be revoked (mailboxes/systems/shared folders), but focused on approving additional access permissions, which may impact data protection and information governance requirements.

5.1.8

Area assurance: Limited

Four recommendations have been made as a result of our work in this area (Recs 1 to 4).

5.2

Obj2: Training and guidance

5.2.1

A cyber security training module (stay safe online) is available on the online learning management system, Learning, Education and Achievement Hub (LEAH) and has been developed with guidance and information from the National Cyber Security Centre (NCSC). The module forms part of the mandatory induction training for new starters to complete during the six-month probation period. The course has been available on LEAH since December 2020, and it is the individual service manager’s responsibility to monitor their team’s completion through the HR probation review process.

5.2.2

As at July 2022, 56 officers across had completed the mandatory online training module since December 2020. Based on a total of 540 (356 South and 184 Vale) employees (July 2022), this represents a 10% completion rate.

5.2.3

Agency staff and contractors working on behalf of the councils are not required to complete the mandatory training, as they are not directly employed by the councils and fall outside of the HR onboarding process. The councils do not keep a record of the number of agency/temporary hires made; however, based on a recent Freedom of Information (FOI) request, South and Vale paid a total of £2,457,897 (South £1,999,216 and Vale £458,681) for temporary agency staff for the period (1 April 2021 to 31 March 2022), including recruitment costs.

5.2.4

Review found that of the 32 new starters in the sample period (September 2021 to December 2021), 16 (50%) were casual staff who would not necessarily be required to complete the mandatory training due to holding positions with limited systems access (café assistants, elections canvassers and Beacon duty officers). Of the remaining 16 individuals, two (12%) had completed the mandatory module within the required six month period and 14 (88%) had not completed the mandatory training module, and were still employed by the councils.

5.2.5

The HR Advisory team are developing a new employee induction programme which is due to be launched in November 2022. Although the mandatory cyber security module forms part of a new starter’s induction programme, it does not require new starters to read the IT Security Policy. Additional training materials have been purchased through MetaCompliance to strengthen the information and cyber security training provided to officers. The IT Manager is working with the HR Advisory team to add the training materials in LEAH.

5.2.6

Information and cyber security training was last provided to councillors in June 2020, following the 2019 council elections. No further training has been delivered since this initial training session; however, a new councillor cyber and data security presentation is being developed by the assurance team, with assistance from the IT manager, which will be shared with members after the elections in May 2023. There are information and cyber security pages on Jarvis specifically for councillors, which provide information on home working, passwords complexities, scam awareness, ransomware, and the dangers of public Wi-Fi. It also has information on how to access the council network through the VPN and using MFA. The member newsletter, InFocus, is another source of information (e.g., IT updates, cyber security reminders).

5.2.7

The Jarvis ‘Be Cyber Secure’ information page promotes the importance of cyber security to protect the councils’ IT equipment and safeguard against data leaks and financial loss. This page provides officers details on workstation security, passwords complexity, scam awareness, ransomware, and the dangers of public Wi-Fi. The guidance also advises officers what to do if they suspect their internet security has been breached, with contact and escalation details, and signposts officers to the relevant cyber security training available on LEAH. A link is also present on this page directing officers to the ‘Managing Information’ page, which gives further, specific information, on the management of records and data protection.

5.2.8

Following the adoption of flexible working arrangements, further guidance has been published relating to home and remote working. The guidance includes IT security and best practices for officers utilising communication apps, including Microsoft Teams, WhatsApp and Zoom and provides detailed information to support officers conduct their duties securely from a remote location (non-council building). We identified a conflicting statement within the guidance regarding Wi-Fi connection access, which needs review.

5.2.9

The cyber and data security group (made up of officers from IT, assurance, information governance and communications) have implemented quarterly ‘communication takeovers’ to promote and remind officers and members of their responsibilities surrounding information and cyber security. This involves various ‘hot topics’ being communicated via an email outburst to all employees. These outbursts are generally targeted around holiday seasons to reiterate the councils’ message on data and information security over this period. Topics have included, general security guidance, password complexities and staying cyber safe. This channel is also used to issue reactive communications and directions for incident management following any potential information security risk being identified, whether directly by the councils, or through the extended 5CP security working group.

5.2.10

Area assurance: Limited

Three recommendations have been made as a result of our work in this area (Recs 5 to 7).

5.3

Obj3: Information and security breach reporting 

5.3.1

The 5CP have an agreed cyber security response and incident management policy, last reviewed in August 2020. This is supported by the 5CP cyber incident response procedure (last reviewed July 2022), which details the process and procedures to be followed by Capita IT staff and 5CP officers (including members who form the joint 5CP security working group) in response to a cyber security incident.

5.3.2

Both documents detail the agreed reporting process and incident management route, including identification, detection and analysis, containment, eradication, recovery, and incident closure. The different types of cyber/information security incidents are also categorised and graded through a triage matrix with a stepped incident response plan for each priority level. A priority 1 incident is categorised as distributed denial-of-service (DDoS) attack against the 5CP network, attacks against network infrastructure, network disruption for a large segment of council users, ransomware/criminal activity, and destructive malware. For each priority 1 (P1) major incident, a post incident report (PIR) is required to be completed by Capita and issued to all implicated parties including a summary of the incident management response and lessons learned.

5.3.3

South and Vale have been impacted by one priority 1 (P1) security incident since April 2022. In June 2022, Capita were informed of a P1 phishing incident across the 5CP that impacted both South and Vale users (a phishing email purporting to be from Dorset council was opened by 29 users across the 5CP). A copy of PIR is outstanding; however, there is no agreed timescale for reports to be provided to affected parties and a verbal recommendation has been raised. Following the reporting of a cyber/information security incident, the councils’ information governance team now includes details of all incidents onto the council’s data breaches and security incident log, to assist identifying any potential trends or weaknesses in local (council owned) process and procedures.

5.3.4

The Jarvis ‘Be Cyber Secure’ information page states what officers are required to do in the event of a suspected cyber security breach. This includes the appropriate reporting route and contact details. A similar page is published for councillors.

5.3.5

The cyber and data security group meets monthly (via Teams) to discuss current and emerging cyber and data risks across South and Vale and those shared between the 5CP to ensure there are suitable controls in place to protect the organisation.

5.3.6

South and Vale form part of the external 5CP IT Security Working Group, which meets monthly. Representatives from IT, assurance and information governance teams represent South and Vale, with similar representation from the five councils and Capita. During the meetings, Capita shares performance metrics relating to information security and data incidents, encryption, anti-virus updates on devices, patching, devices not rebooted, malware and phishing summaries, spam detections and spoof email interceptions.

5.3.7

Area assurance: Full

One verbal recommendation has been made as a result of our work in this area.

5.4

Obj4: Risk management

5.4.1

South and Vale have their own corporate risk registers, which are maintained by the assurance team. The latest risk registers were presented to the Joint Audit and Governance Committee (JAGC) on 5 July 2022. Both risk registers have four medium to high risks in relation to information and cyber security controls, including the highest risk facing both councils, in relation to third party business continuity and disaster recovery routines (see objective 5).

5.4.2

The corporate risk registers are routinely reviewed (at least every six months) and shared with SMT prior to being presented to members at JAGC. Within the corporate risk registers mitigations and planned actions are also documented against each IT security risk. The corporate risk registers acknowledge and recognise several cyber threats and risks to information security breaches and malicious attacks.

5.4.3

Individual service team risk registers (29 in total) are available on Jarvis and are reviewed and updated on a quarterly basis. A named officer (risk champion) for each service team is allocated the responsibility to review and update the register. This is then submitted to the assurance team to review and publish on Jarvis.

5.4.4

We reviewed a sample of 16 (55%) service team risk registers to confirm whether information and cyber security risks is identified and acknowledged. Only eight (50%) risk registers contained cyber/information security related risks and mitigations, including included six services perceived at a higher risk due to their involvement/access to operating systems, financial systems, accounts, and/or sensitive personal data. In addition, 14 (88%) of the 16 risk registers are overdue for review. Furthermore, high level risks identified in the corporate risk registers are not consistently cascaded through to the service team risk registers, to ensure that operational controls are in place.

5.4.5

In June 2021, both South and Vale were selected to undergo a cyber security penetration test by the Local Government Association (LGA). The test was conducted on behalf of the LGA, by Dionach. The test identified several critical and high-risk issues, in addition to lower risk issues identified in all areas of the assessment. The councils were issued with a joint action plan suggesting recommendations to address the issues raised. Overall, 48 recommendations were raised (five critical, 11 high risk, 15 medium risk, and 17 low risk). The recommendations have been reviewed and are now outdated, as some areas have changed across the estate since the test date. The LGA report was passed to Capita, as service providers, to review and provide response. Capita are now conducting their own annual penetration tests and it is planned that the findings of from the 2021 and 2022 tests will include responses to the LGA report; however, the status of progress against these recommendations was unclear.

5.4.6

The assurance team are exploring options for taking out additional insurance policies for both South and Vale relating to cyber security attacks and information security breaches. Due to pandemic, and subsequent flexible working practices, there is a greater risk of information and cyber security breaches. Consequently, the assurance team decided to revisit the insurance policies to determine whether there is now a requirement to expand coverage based on the councils’ risk rating. The assurance team have instructed the insurance broker to begin the cyber risk evaluation process, to understand whether additional policy coverage is needed.

5.4.7

Area assurance: Limited

Three recommendations have been made as a result of our work in this area (Recs 8, 9 and one verbal recommendation).

5.5

Obj5: Disaster recovery and business continuity

5.5.1

As reported in the 2019/20 audit, there is no corporate (council owned) disaster recovery plan (DRP) in the event of a cyber/information security incident across council systems. Capita have a generic disaster recovery plan to cover their systems; however, as previously noted, this plan was rejected by both South and Vale as it is not specific to the organisation and does not meet the councils’ requirements. Since 2019/20, IT system management has progressed, with more IT applications being hosted on cloud-based servers and individual disaster recovery agreements in place with providers. Capita have also introduced annual disaster recovery testing routines for Capita hosted non-cloud systems (see 5.5.2 below). The requirement for a council owned DRP is mitigated, on the basis that suitable Business Continuity Plans (BCP) are in place.

5.5.2

Capita conduct annual disaster recovery (failover) testing across selected 5CP systems. Testing was completed for the South and Vale GIS system in June 2021: testing was successful, and no critical issues were identified. Testing in 2022 was conducted in July and the councils selected the ModGov (democratic services) system. Testing was successful; however, an unforeseen issue relating to database access resulted in calls to the IT helpdesk. It is anticipated that this issue will be documented on the lessons learned section of the Capita report, once received.

5.5.3

The Jarvis business continuity page advises that the councils are in the process of updating the business continuity strategy and in the event of an emergency in the districts, officers will require access to certain documentation (e.g., crisis management plan, setting up calls in an emergency). The documentation was last published in 2013 and a review is needed to confirm they still align to applicable legislation and the councils’ delivery of services and systems. The planned review of this area was put on hold due to the pandemic and diversion resources to other priorities.

5.5.4

Each service team has a business resilience plan (BRP) detailing its live status against challenges in delivering their services and work is underway to update plans with service teams. It is recommended that the business resilience plans (BRP) are acknowledged within an overarching corporate business continuity plan (BCP) to ensure that a consistent approach is taken in the event of a major systems failure. In addition, in the 5CP cyber incident response procedure, there is no acknowledgement of cyber and information security incidents that may occur ‘out of hours’, or over a long public holiday, such as the councils’ extended Christmas office closure, where there may be limited access to the councils’ DPO, SIRO and IT manager.

5.5.5

Capita have 30 days of backups at any one time; however, there is no cold store (offline) backup of council data. All backups are completed as cloud based (online) routines, as such, are more susceptible to potential major ransomware and malware cyber-attacks. There is a planned project underway to review the separation of South and Vale from Microsoft Office 365 applications, security controls and back-ups, and to move the council’s IT application servers to a cloud-based service (Microsoft Azure), giving the councils more control in relation to the management of these applications. The 5CP security working group has asked Capita to provide a suitable offline (cold store) backup solution for remaining servers hosted within the Nuvem platform, until these are transitioned to Azure, expected in Q1 2023.

5.5.6

Area assurance: Limited

Two recommendations have been made as a result of our work in this area (Recs 10 and 11).

6.1

Internal audit would like to take this opportunity to thank all staff involved for their assistance with the audit.

1.1

Audit recommendations have been assigned a risk rating, based on the below 3x3 risk matrix.  The risks identified in each recommendation are examined to determine:

·                     the impact the risk would have against achieving the objective; and

·                     the likelihood that the event will occur

1.2

To assist management in using our reports, we have categorised our recommendations, in line with the 3x3 risk matrix, according to their level of priority as follows:

Risk rating

3x3 risk score

Recommendation(s)

High risk

7-9

Recs 1, 2, 5, 8, 10 and 11

Medium risk

4-6

Recs 3, 6 and 9

Low risk

2-3

Recs 4 and 7

Very low risk

1

Two verbal recommendations were raised during audit fieldwork

1.1

The audit was designed to ensure that management have implemented adequate and effective controls over information (inc. cyber) security.

1.2

Internal audits are undertaken in accordance with a priority score stated within the schedule of auditable activity, and following an initial assessment by internal audit, external audit and the councils’ section 151 officer.

1.3

Drivers for audit reviews include:

·                     date last reviewed;

·                     last assurance rating;

·                     exposure to financial risk;

·                     exposure to fraud risk;

·                     exposure to reputational risk;

·                     exposure to legal risk;

·                     exposure to corporate risk; and

·                     whether an officer has requested a review.

2.1

The audit approach was developed with reference to the internal audit charter and by an assessment of risk and management controls operating within each area of the scope.

2.2

The aim of an audit is to establish if:

·                     there are adequate internal controls in effective and efficient operation;

·                     the processes are meeting the requirements of internal policy and procedural standards; and

·                     the processes are meeting external codes of practice, professional and statutory regulations.

2.3

The following procedures were adopted:

·                     identification of the role and objectives of each area;

·                     identification of risks within the systems and controls in existence to allow the control objectives to be achieved; and

·                     evaluation and testing of controls within the systems.

From these procedures we have identified weaknesses in the systems of control, produced specific proposals to improve the control environment and have drawn an overall conclusion on the design and operation of the system.

1.1

·                     Simon Turner, IT Manager

·                     Paul Merrick, Interim Executive IT Client (5CP)

·                     Tassadaq Hussain, IT Security Manager (Capita)

·                     Ian Thompson, Infrastructure Team Lead (Capita)

·                     Allison Holliday, Risk and Insurance Officer

·                     Gary Carey, Emergency Planning and Business Continuity Officer

·                     Yvonne Cutler-Greaves, Assurance Team Leader

·                     Sandy Bayley, Information Governance and Data Protection Officer

·                     Steve Culliford, Democratic Services Team Leader

·                     Steven Corrigan, Democratic Services Manager

·                     Abigail Lee, HR Co-ordinator

·                     Louis Raymond, Strategic HR Coordinator

·                     Jaydon Perrin, HR Advisor

·                     Trina Mayling, Strategic HR Business Partner

·                     Ben Coleman, Programmes and Assurance Manager

2.1

A copy of this final report has been distributed to the following officers:

·                     Paul Merrick, Interim Executive IT Client (5CP)

·                     Tassadaq Hussain, Information Security Manager (Capita)

·                     Parul Patel, Interim Head of IT Service 5CL’s (Capita)

·                     Yvonne Cutler-Greaves, Assurance Team Leader

·                     Trina Mayling, Strategic HR Business Partner

·                     Sandy Bayley, Information Governance and Data Protection Officer

·                     Simon Turner, IT Manager

·                     Ben Coleman, Programmes and Assurance Manager

·                     David Fairall, People and Culture Manager

·                     Mark Minion, Head of Corporate Services

·                     Harry Barrington-Mountford, Head of Policy and Programmes

·                     Patrick Arran, Head of Legal & Democratic (Monitoring Officer, DPO, SIRO)

·                     Simon Hewings, Head of Finance (S151 Officer)

·                     Adrianna Partridge, Deputy Chief Executive

·                     Mark Stone, Chief Executive

·                     Cllr Andrea Powell, South Portfolio Holder

·                     Cllr Debby Hallett, Vale Portfolio Holder

Contact Persons:

John Tredrea

Victoria Dorman-Smith

Auditor

Mob: 07598 553016

Email: john.tredrea@southandVale.gov.uk

Internal Audit Manager

Mob: 07766 780835

Email: victoria.dorman-smith@southandVale.gov.uk