Agenda item

Information security audit

To receive an update from the Internal Audit and Risk Manager on the management actions from the Information Security 2022/23 audit.


The committee received an update on the information security audit, presented by the internal audit and risk manager, the IT programmes manager, the head of corporate services, and the people and culture manager. The update had been requested at the last committee meeting, on 4 July 2023, in response to several items on the information security audit being overdue and high risk.


The internal audit and risk manager informed members that 12 actions had been open in July; since then, 10 had been actioned and only two remained open. The two open actions concerned the cyber security response strategy and the business continuity and disaster recovery testing scenarios.



Members enquired into a recent data breach at Capita around March 2023 and the IT programmes manager clarified that none of the councils’ infrastructure or data was affected.


On information security training, the people and culture manager confirmed that they had worked with IT and that a revised IT policy and training were available for members and officers. She also confirmed that officers monitored cyber training statistics through the councils' LEAH platform (an online training portal), and that these statistics could also be provided to the committee. The people and culture manager highlighted that staff had been given a deadline to read and understand the IT policies by the end of quarter three, and that new staff would be provided with a list of compulsory training alongside their contract of employment.


When asked if the councils ran tests to check officer and member compliance with, and understanding of, the IT policies, the IT programmes manager confirmed that a question-and-answer section was included in the training, and the head of corporate services added that once the councils were outside of the Capita contract they would be better able to run compliance tests. The committee noted that since the training had been issued, members and officers were more aware of potential IT breaches and were taking more precautions.


Members then asked if there was a review of attempts to access insecure or unsafe sites. The IT programmes manager clarified that all devices on the councils' network were managed through a proxy service which, on identifying a threat or risk, would prevent access, and that the councils received a monthly report from Capita on those numbers. However, the numbers provided covered all five councils in the Capita contract rather than just South Oxfordshire and Vale of White Horse District Councils. Finally, he also noted that once the councils moved out of the Capita contract, similar cyber defences would need to be provided by the councils themselves, and at that stage he would know the exact figures.


Finally, the committee enquired into the take-up and completion rate of the IT training and whether there was a difference in requirements between full-time and part-time members of staff. The head of corporate services confirmed that reports were run on this and that take-up could be better for both staff and members. He also said he was speaking to the heads of service to encourage their teams to complete the training, or to take refresher courses, given the changing nature of cyber security. On full-time and agency staff, the people and culture manager added that a matrix had been produced for agency and contracted employees to identify what training was needed at which stages of employment. Members asked if a matrix could be provided for members, and the people and culture manager said that training guides already existed but that more assistance, or training days, could be provided should a knowledge gap about accessing or completing the training be identified.


The committee thanked all the officers for their answers to their questions and the work they had done to close the open actions from the internal audit.