Agenda item
Cyber-Security Strategy implementation update
At the last meeting of the ASAC, it was agreed that a report be brought back to the next Committee regarding the actions that the Council are taking in relation to cyber security. The report at Appendix 1 provides an update on progress in implementing the Brent and Shared Technology Service (STS) cyber security Strategies.
Minutes:
Peter Gadsdon, Strategic Director, Customer and Digital Services, introduced a report requested at the previous meeting, regarding the actions that the Council were taking in relation to cyber security. Details on the progress in implementing the Brent and Shared Technology Service (STS) cyber security strategies had been set out in Appendix 1 of the report. In considering the report the Committee noted:
· The nature and background of the Shared Technology Service (STS) as a shared IT service providing services for the London Boroughs of Brent, Lewisham & Southwark, with Brent as the host borough.
· Within Brent, the Council had been one of the first to develop and agree a Cyber Security Strategy (BCSS). This had been in place since 2019 and had been designed to strengthen Brent’s IT network and support delivery of the 2019-23 Digital Strategy. This had been supported by a cyber security work programme based around the key principles within the government backed “Cyber Essentials” scheme. The BCSS had been detailed within Appendix 2 of the report and was currently being refreshed to align with Brent’s updated Digital Strategy 2022-26 and to ensure compliance with the latest security standards and Cyber Essentials certification. Additionally, the STS had also developed their own cyber security strategy (STSCSS) which had been provided within Appendix 3 of the report. This had been aligned with Brent’s strategy with the recommendations having been embedded in all areas of new and emerging technologies which STS implemented for Brent and the other boroughs within the shared service.
· The difference in infrastructure and arrangements between the boroughs within the shared service and challenges created by the rapidly changing nature of technology and cyber threats, with the STS committed to a programme of investment in infrastructure and cyber security as outlined within their Technology Roadmap. Brent had invested £10m over 4 years to support delivery of the Roadmap alongside similar levels of investment by the other member boroughs.
· The risk of cyber attack had been included as a key risk on Brent’s strategic risk register owned by the Managing Director of the STS. Details on the various mitigation measures undertaken to manage the risk had been detailed within section 3 of the report. Referring, as an example, to the high profile attack on Hackney Council’s IT network in 2020 members were advised that the STS had implemented a cloud based corporate back-up solution by Rubrik to counter any similar types of ransomware attacks. This was supported by use of a third party Security Operations Centre to monitor unusual activity, disable and remove any detected threats along with a continual programme of activity to ensure that the versions of software and applications supported included the latest security updates.
· In terms of network safety, all iPads which were out of date had been switched off, as well as older models of iPhones. A caching process was noted as being in place.
· Whilst the measures identified had seen a reduction in cyber investigations over the last 12 months, a self-assessment review of the organisation's cyber security arrangements and of the demands on the security functions managed by the STS and within the Council had been undertaken, facilitated through an Internal Audit workshop. The findings from the workshop, in terms of the gaps and issues identified, had been collated, shared and built into development of the strategy.
The Committee was then invited to raise questions on the report, which are summarised below:
· Members were keen to explore any potential gaps in the strategy which had been identified as a result of the work facilitated by Internal Audit, the longer term work planned to develop the strategy and the risks identified. In response members were advised that the majority of the gaps identified were process driven, either involving processes in place which needed improving or existing processes which needed documenting. In terms of technical recommendations, there were still some software and operating systems that needed updating, which were subject to a continual update programme of work. In addition, in depth reviews and penetration tests were being carried out by external specialists, as well as by the Public Service Network, in order to assess resilience, with guidance from the National Cyber Security Centre being monitored and followed. It was also noted that the STS had established a cyber security team, including a number of cyber-analysts, who conducted regular checks as part of the compliance submissions.
· A further query was raised in relation to the management of replacement/redundant hardware and any Bring Your Own Device (BYOD) policy as part of the cyber security strategy. In response members were advised of the controls in place in relation to asset and device management, which included a programme of replacement for end of life mobile devices and introduction of Multi Factor Authentication for all Office 365 access. In terms of use of own devices these would be controlled as they would only be able to connect to any Brent applications through a secure network connection. It was noted, however, that members currently accessed the network through a separate dedicated server with members being their own data controllers. This meant they were currently responsible for ensuring the devices they used were subject to the latest updates and would need to provide their devices to STS to upload these. This process was, however, being changed to provide a secure part of the main server through which the necessary security patches and updates could be automatically uploaded to their devices. Once connected to Brent applications these connections would be via a secure network.
· In terms of progress on Cyber-Essentials certification it was noted that accreditation was planned for submission in early January 2022.
· Members welcomed the positive relationship established between STS and Internal Audit with it noted that a review of the Council’s security controls developed to prevent and detect incidents given the increasing reliance on technology to support more flexible ways of working was also planned as part of the Internal Audit Plan to commence in Q4 2022.
As no further issues were raised the Chair thanked officers for their work in presenting the report and update for the Committee and it was RESOLVED to note the update provided and ongoing work to develop, implement and manage the Brent and STS cyber security strategies.
Supporting documents:
- 8. ASAC Cyber Security Report DEC21 FINAL, item 9 (PDF, 149 KB)
- 8a. Appendix 1 - Brent Cyber Security Strategy, item 9 (PDF, 834 KB)
- 8b. Appendix 2 - Brent Cyber Security Strategy, item 9 (PDF, 12 MB)
- 8c. Appendix 3 - STS Cyber Security Strategy 2021-24, item 9 (PDF, 799 KB)