Agenda item

SIRO Annual Report 2021/22

To follow

Minutes:

The Committee considered a report of the Assistant Director of Corporate Governance and Strategic Financial Management, which updated Members on information security breaches and on related risk issues and actions.

The submitted report was the annual report of the Senior Information Risk Owner (SIRO) to the Audit Committee, highlighting the information security incidents and related matters that occurred during 2021/22.

The position of SIRO within Oldham Council was held by Anne Ryans, Director of Finance, with Mark Stenson, Assistant Director of Corporate Governance and Strategic Financial Management, acting as Deputy SIRO. The SIRO responsibilities extended to cover the MioCare Group Community Interest Company and the Unity Partnership Ltd (during 2021/22) under the service level agreements in place with the Council’s Information Management Team. Operational day-to-day responsibility for the management and reporting of information risk and information security breaches rests with the Information Management Team.

The Committee was informed that 80 information security incidents were reported during 2021/22, compared with 68 during 2020/21. The lower figure for 2020/21 was thought likely to reflect the coronavirus pandemic, as 103 incidents had been reported during 2019/20. Specific incidents that occurred during 2020/21 and 2021/22 were summarised in a table at Appendix 1 to the report.

The Committee was informed that the Caldicott Guardian is a senior role in an organisation that processes health and social care personal data. The duty of the Guardian is to ensure that personal data is used legally, ethically and appropriately, and that confidentiality is maintained. The Council currently has two Caldicott Guardians: one for Children’s Services and one for Community Health and Adult Social Care.

The Information Management Team has worked with both Caldicott Guardians to raise awareness, provide training and issue key messages to staff. Furthermore, the Information Management Team and the Children’s Caldicott Guardian analysed trends across the four incidents and issued specific guidance to staff on minimising the risk of information being disclosed in error or shared inappropriately because of redaction issues.

Members were reminded that cyber-criminals remain a growing risk, particularly through 'phishing' emails that aim to get users to click on a malicious link. A single click on a malicious link can lead to a successful attack, which could in turn compromise the IT network and put all information at risk. Reminders have been sent to all employees and Councillors requesting completion of the Council’s interactive mandatory Cyber Security training course. Cyber awareness guidance has also been added to the Council intranet and circulated to all staff. To reduce the risk further, work is being carried out to heighten awareness of phishing emails.

Cyber-criminals often target the employees of organisations in order to gain unauthorised access, infiltrate the network and compromise data, and local authorities are popular targets. To reduce this risk, the Council changed its policy on password complexity to align with the recommendations of the National Cyber Security Centre (NCSC). External independent validation has shown an improvement in the Council’s password posture.

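To illustrate what an NCSC-aligned password rule looks like in practice, the following Python is an added example accompanying these minutes; it is not the Council's own policy or code, and the deny-list, the 12-character minimum and the sample user names are constructed assumptions. It contrasts a legacy character-class complexity rule, which accepts a short and predictable password such as P@ssw0rd, with a rule that follows the NCSC guidance of a minimum length and a deny-list of common passwords without enforced composition classes.

```python
from __future__ import annotations
import re

# Added example, not the Council's own code or policy: a legacy character-class
# "complexity" rule beside an NCSC-style rule (minimum length, deny-list of
# common passwords, no enforced character classes). The figures and lists
# below are assumptions chosen for illustration.

_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                       "4": "a", "5": "s", "7": "t", "$": "s", "!": "i"})


def normalise(password: str) -> str:
    """Fold case and common substitutions so that P@ssw0rd and PASSWORD both
    look up as 'password' in the deny-list."""
    return password.lower().translate(_LEET)


# Constructed deny-list. A real deployment would load a large corpus of
# breached or commonly used passwords; these entries are illustrative only.
COMMON_PASSWORDS = {normalise(p) for p in (
    "password", "password1", "P@ssw0rd", "letmein", "qwerty123",
    "welcome1", "admin123", "summer2021",
)}


def legacy_complexity_ok(password: str) -> bool:
    """Legacy rule: at least 8 characters and three of the four character
    classes. Predictable substitutions satisfy it; long passphrases may not."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    present = sum(1 for pat in classes if re.search(pat, password))
    return len(password) >= 8 and present >= 3


def ncsc_style_check(password: str, username: str = "",
                     min_length: int = 12) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.
    No character classes are required. The 12-character minimum is an assumed
    local choice, not a figure taken from the NCSC or the report."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if normalise(password) in COMMON_PASSWORDS:
        reasons.append("on the deny-list of common passwords")
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    if password and len(set(password)) <= 2:
        reasons.append("made of one or two repeated characters")
    return reasons


if __name__ == "__main__":
    # Constructed sample candidates showing where the two rules disagree.
    for candidate, user in (("P@ssw0rd", ""),
                            ("correct horse battery staple", ""),
                            ("jsmithjsmith2024", "jsmith")):
        print(f"{candidate!r}: legacy={legacy_complexity_ok(candidate)} "
              f"ncsc_rejections={ncsc_style_check(candidate, user)}")
```

The point the example makes is the one behind the NCSC advice: the legacy rule passes P@ssw0rd because it contains four character classes, while the length-and-deny-list rule rejects it; the passphrase fails the legacy rule for lacking a digit and an upper-case letter, yet is the stronger choice and passes the NCSC-style rule.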
All software, including device operating systems, eventually becomes out of date. Using products that no longer receive security updates, and in which the latest security mitigations are not present, makes high-impact incidents more likely. Work is being undertaken across the Information Management Team and IT to implement a policy and system to reduce the likelihood and impact of compromise of legacy systems, in line with NCSC recommendations.

RESOLVED
That the report be noted.
