Audit Commission Report on IT Security Awareness

Committee: Audit Committee
Date: 21 October 2008
Agenda item: 7
Wards: All
Subject: Audit Commission Report on IT Security Awareness
Lead officer: Caroline Holland – Director of Corporate Services
Lead member: Councillor Samantha George
Forward Plan reference number: n/a
Contact officer: email@example.com

Recommendation: That the actions listed in the action plan in Appendix A are carried out by the IT Services, Internal Audit and Information Governance teams within the Corporate Services Department.

1 Purpose of report and executive summary

1.1 The Audit Commission carried out a “Your Business at Risk” survey in March and April 2008, to which staff were encouraged to respond. A good proportion of staff did so (55.75%). The survey assessed the level of awareness of security issues amongst staff.

1.2 There were separate surveys for ICT staff and other staff. The Audit Commission has now reported on the results of these.

1.3 The reports give a generally good picture, showing that employee perceptions of ICT controls within Merton are in line with national averages. Naturally, there are areas where the Council could seek to further strengthen controls and these are the subject of an action plan.

2 Details

2.1 The Audit Commission’s reports have been considered by the IT Services Management Team, and an action plan has been drafted. Internal Audit have also contributed to the action plan. Some of the recommendations have still to be considered in detail, and timescales set.

2.2 The main report says that employee perceptions of ICT controls within Merton are in line with national averages. For ICT staff, perceptions of ICT controls within the council are slightly better than national averages. The reports say: “These suggest that ICT controls are strong and working as intended. There are areas where the Council could seek to further strengthen controls and these are highlighted in the detailed findings.”

2.3 As Merton had no input to the wording of the questions, we believe that some of the answers suffered from misunderstandings about the terminology used. For example, a recommendation referred to the “Information Security Policy”, which is actually incorporated within our ICT Policy.

2.4 The table of recommendations appears at Appendix A. This table is a combination of the items from the two reports.

2.5 The IT Services security advisory group will consider how best to implement the recommendations, and will report progress to the IT Management Team. The actions will be monitored by IT Services’ master list of outstanding actions.

3 Alternative options

3.1 None for the purposes of this report.

4 Consultation undertaken or proposed

4.1 The reports have been shared with Internal Audit and Information Governance, for the purpose of producing a joint action plan.

5 Timetable

5.1 A timescale for each action is included in the table in Appendix A.

6 Financial, resource and property implications

6.1 None for the purposes of this report. There is unlikely to be any significant cost in implementing the recommendations.

7 Legal and statutory implications

7.1 None for the purposes of this report.

8 Human rights, equalities and community cohesion implications

8.1 None for the purposes of this report.

9 Crime and disorder implications

9.1 None for the purposes of this report.

10 Risk management and health and safety implications

10.1 None for the purposes of this report.

11 Appendices

11.1 The Action Plan is appended to this report.
12 Background Papers

12.1 Reports on (a) ICT staff responses and (b) other staff responses, as provided by the Audit Commission

Appendix A – List of Recommendations

Table columns: AC (Audit Commission recommendation number) | Recommendation | Reason for Recommendation | Proposed Action | Timescale

AC 1
Recommendation: Ensure staff are given clear instructions about dealing with emailed files from external sources.
Reason for Recommendation: 36% of staff said they haven’t been given clear instructions about handling emails.
Proposed Action: We will clarify and extend the instructions on the intranet, in the ICT policy and in staff bulletins.
Timescale: 31 Dec 2008

AC 2
Recommendation: Ensure staff are informed of required actions when a virus risk is identified and that they are aware how to report a virus infection.
Reason for Recommendation: 37% of staff said they are not sent alerts or told what to do when a new virus risk is identified. We do not agree, however, that it is either necessary or advisable to tell staff in these circumstances.
Proposed Action: No action required.
Timescale: Not applicable

AC 3
Recommendation: Ensure there are clear procedures in place for reporting a virus incident and that staff are made aware of these.
Reason for Recommendation: 61% of staff didn’t know if there were measures in place to restrict the impact of a virus. However, as they will expect IT Services to do this, we don’t know why they would need to know specifically.
Proposed Action: We will ensure that our obligations for dealing with viruses are specifically stated in the customer Agreement (SLA).
Timescale: 1 April 2009

AC 4
Recommendation: Ensure that there are documented procedures in place for recovering from a virus and that ICT staff have access to and are made aware of the procedures.
Reason for Recommendation: As above.
Proposed Action: These have now been included in the IT Services Quality Manual as IT290 to IT293 inclusive.
Timescale: Completed

AC 5
Recommendation: Ensure that there are measures in place to restrict the impact of a virus in the event of a virus outbreak and that ICT staff are made aware of these measures.
Reason for Recommendation: As above.
Proposed Action: In addition to the procedures noted above, briefings for directly affected ICT staff have been held.
Timescale: Completed
AC 6
Recommendation: Encourage best practice whereby passwords are not written down.
Reason for Recommendation: 32% of staff indicate that they write their passwords down – higher than the national average of 29%.
Proposed Action: We will emphasise the existing message through staff bulletins, and address any issues with centrally allocated passwords.
Timescale: 31 Dec 2008

AC 7
Recommendation: Continue promoting awareness of the anti-fraud strategy and its content to employees.
Reason for Recommendation: 39% of staff are not aware of the anti-fraud strategy, and 67% are not aware of its key elements.
Proposed Action: The anti-fraud strategy is reviewed each year and communicated to employees by leaflets, email and bulletins. Induction training includes the contents of the policy and this is carried out on a quarterly basis. All staff, new or otherwise, are welcome at these sessions. Other anti-fraud training is also carried out on an ad-hoc basis, e.g. managers’ workshops. All these will continue but we will consider doing a bit more in relation to the contents of the strategy.
Timescale: Ongoing

AC 8
Recommendation: Ensure that systems most at risk from fraud are identified and that ICT staff are aware that this has been done.
Reason for Recommendation: 53% of ICT staff don’t know whether the systems at most risk from fraud have been identified (although the national average is 70%!).
Proposed Action: Anti-fraud training is a key element of the Induction training programme and is carried out quarterly. ICT staff are welcome at these sessions or a special ICT session could be arranged.
Timescale: 31 Mar 2009

AC 9
Recommendation: Ensure that all ICT staff are aware of the documented access control policy.
Reason for Recommendation: Only 57% of ICT staff are aware of it; the national average is 48%. 33% of ICT staff don’t think that we have one.
Proposed Action: Further awareness sessions will be arranged. All new ICT staff will be briefed on this as part of their induction.
Timescale: 31 Jan 2009

AC 10
Recommendation: Ensure staff only have access to information required to perform their job.
Reason for Recommendation: 79% of staff said they could only access the information they require. 13% said they could access more than they should.
Proposed Action: IT Services has already started reviewing access permissions, and this work will continue.
Timescale: 28 Feb 2009

AC 11
Recommendation: Ensure that all staff are aware of the Council's policies regarding installing software on machines and copying software from machines.
Reason for Recommendation: 24% of staff don’t know whether they are prevented from installing software on their PCs, and 33% don’t know whether they can copy software.
Proposed Action: The rules are already in the ICT Policy, and the subject of regular bulletins. These will continue.
Timescale: Ongoing – at least three awareness articles will be put into Merton Bulletin in the next 12 months.

AC 12
Recommendation: Ensure that all ICT staff are aware of the council’s controls to prevent the copying or removal of software.
Reason for Recommendation: 18% of ICT staff say the council has no such controls and 29% didn’t know.
Proposed Action: These are already in ICT Policy, but will be further publicised within IT Services.
Timescale: 31 Dec 2008

AC 13
Recommendation: The council's policy on internet usage and emails should be reiterated to staff.
Reason for Recommendation: 12% of staff say they haven’t been told their internet use will be monitored (there is clearly ambiguity in this question, which would have been interpreted by staff in different ways). 45% don’t know that large or executable emails will be blocked.
Proposed Action: Our ability to monitor internet use is stated explicitly in the ICT Policy, and there is little to be gained by repeating this. More publicity will be given to the way we filter and quarantine email messages.
Timescale: 31 Dec 2008

AC 14
Recommendation: Ensure that managers review internet activity logs and that staff are made aware that this is being carried out.
Reason for Recommendation: Only 35% said internet activity logs are reviewed by managers.
Proposed Action: We currently produce reports on request, but are working on a fair way to produce random reports too.
Timescale: 31 Mar 2009
AC 15
Recommendation: Ensure that all users sign a confidentiality undertaking as part of their conditions of service.
Reason for Recommendation: Only 33% said they are required to sign a confidentiality undertaking as part of their conditions of service. This is not part of the standard contract.
Proposed Action: Heads of service to identify posts that handle confidential data. For new staff, a clause will be built into their particulars of employment. For existing staff, an investigation is required on the implications of change of contract to accommodate this change.
Timescale: 30 April 2008

AC 16
Recommendation: Ensure that all staff are aware of the Council's data protection arrangements, their responsibilities under the Data Protection Act and the Council's procedures with regard to the misuse of public data.
Reason for Recommendation: 24% don’t know there is a data protection policy, 45% don’t know we have a DPO. 26% say their DP responsibilities haven’t been explained to them, and 9% are unsure. 14% say they weren’t informed that misuse of personal data is a disciplinary offence and 7% are unsure.
Proposed Action: All Information Governance policies, including the Data Protection Policy, have been reviewed and will be relaunched after adoption by CMT. Data Protection responsibilities are managed by the Information Governance Manager. Since the survey was carried out, Information Governance has been included in all departmental inductions.
Timescale: 15 Feb 2009 (for both actions)

AC 17
Recommendation: Ensure that all ICT staff are aware of their responsibilities under the Data Protection Act and understand the Council's procedures with regard to the misuse of public data.
Reason for Recommendation: 31% say their DP responsibilities haven’t been explained to them. 29% say they don’t know that misuse of personal data is a disciplinary offence. 69% don’t know that systems containing personal information are registered with the Information Commissioner.
Proposed Action: The question appears to be based on the 1984 DP Act. The 1998 Act has changed that requirement. The need to register systems containing personal information with the Information Commissioner was a requirement of the 1984 Data Protection Act. The 1998 Act replaced it with a requirement to notify the commissioner of the purposes information is processed for, the sort of information involved, the groups of people concerned and the types of organisation it is shared with. The council maintains its data protection notification. All ICT staff will be briefed on this. All new ICT staff will be briefed as part of their induction process.
Timescale: Current staff briefed by 30 Apr 2009

AC 18
Recommendation: Management should assure themselves that ICT policies cover the requirements of key legislation. Employee responsibilities in respect of the Computer Misuse Act and the Public Interest Disclosure Act should be re-iterated.
Reason for Recommendation: “Knowledge of the Computer Misuse Act and the Public Interest Disclosure Act in particular are low…”. This may be because we set rules and good practice based on the Acts, but without specifically referring to them.
Proposed Action: We will go through the Acts concerned and work out which messages need to be reinforced. Where necessary we will refer to the relevant Act itself. Whistleblowing training is part of the Induction training programme and is open to all staff. References to PIDA are made in this and it is mentioned on the front of the Whistleblowing leaflet that is circulated to all staff on a yearly basis. We will continue to do this. Additional training on Whistleblowing can be arranged if felt necessary.
Timescale: 31 Dec 2008

AC 19
Recommendation: Management should assure themselves that ICT policies cover the requirements of key legislation. Employee responsibilities in respect of the Public Interest Disclosure Act should be re-iterated.
Reason for Recommendation: Similar to the above recommendation, but arising from the ICT staff questionnaire.
Proposed Action: As above.
Timescale: 31 Dec 2008
AC 20
Recommendation: Arrangements for information security should be clearly communicated to staff and commitment from senior management emphasised.
Reason for Recommendation: Only 45% of staff are aware of the Information Security Policy, slightly below the national average. This may be because ours has a different name.
Proposed Action: Promotion of the ICT Policy is already being addressed through compulsory security briefings.
Timescale: 31 Dec 2008

AC 21
Recommendation: Ensure that the Information Security Policy is up to date and that all staff are made aware of it.
Reason for Recommendation: 33% of ICT staff were not aware of an up to date Information Security Policy (see above re difference in name).
Proposed Action: The ICT Policy is already subject to regular review. Promotion is already being addressed through compulsory security briefings.
Timescale: 31 Dec 2008 for both the ICT Policy and the briefings

AC 22
Recommendation: Ensure that the council's procedures for the independent review of security information are made clear to all ICT staff.
Reason for Recommendation: 61% of ICT staff are not aware whether independent reviews of information security are undertaken, although there is no real reason for them to know.
Proposed Action: We only use external reviews in selected areas of security but will consider doing more.
Timescale: 31 Mar 2009

AC 23
Recommendation: Ensure that ICT staff understand what the BS7799 standards are and the council's compliance with the standards.
Reason for Recommendation: Most ICT staff don’t know if we comply, probably because we regard the standard as best practice rather than aiming for certificated compliance.
Proposed Action: We will include reference to the standard (which is now called ISO27001) in documentation where appropriate. All ICT staff will be briefed on this. All new ICT staff will be briefed as part of their induction process.
Timescale: Current staff briefed by 30 Apr 2009
AC 24
Recommendation: Ensure that ICT staff have access to and are aware of the procedures for reporting and following up security incidents.
Reason for Recommendation: This arose because 41% of ICT staff were unaware of clear procedures for reporting and following up security incidents.
Proposed Action: We have already increased awareness of our internal quality documentation, and will continue to do so. All ICT staff will be briefed on this. All new ICT staff will be briefed as part of their induction process.
Timescale: Current staff briefed by 30 Apr 2008