The risks arising from cyber security are extremely high.

Failure to secure our ICT resources correctly could lead to critical failure in our ability to deliver front line services.

There are also risks around the loss of data, with personal data being lost or illegally obtained, and subsequent loss of trust and reputational damage.

This is especially important as the on-premises data centre is used as a cloud solution for other partners.

A breach could result in fines for loss of data that run into millions, or could potentially leave us digitally paralysed, which would have an impact on residents and partners.

Cyber security is a significant risk that is recognised at a senior level.

By educating ICT staff, users, and elected Members to be aware of cyber security, and the associated risks, we can reduce our risk of:

  • data loss
  • fraud
  • financial loss
  • reputational damage.

It's an unfortunate fact of modern life that information security provisions have become a necessary part of our infrastructure.

We need a pragmatic balance between allowing ease of access and creativity of our employees, and necessary security restrictions.

Security of customer information, and related data, is of critical importance to us.

Our ICT security approach is to adopt and influence best practice guidelines as they evolve and ensure that good value for money investment decisions are made to deliver appropriate ICT security.

This includes:

  • virus protection
  • firewalls
  • mobile device encryption
  • strong passwords
  • locked down desktops
  • two-factor authentication for remote access
  • related provisions.

Protecting our technology estate, data, and our users from cyber-threats (such as hackers attempting to gain unauthorised access to our data or damage our network) will remain a top priority.

We are engaged regionally and nationally in cyber security activity and align closely to the work of the National Cyber Security Centre (NCSC).

We are also working towards adopting and meeting the Cyber Assessment Framework for Local Government.

End user security: staff, Councillors, contractors, consultants and customers

We have a comprehensive ICT Security Policy, which includes an Acceptable Use Statement and a Personal Commitment Statement for all:

  • staff
  • Councillors
  • contractors
  • consultants engaged to carry out work for and on our behalf with access to our systems and data.

This Policy also applies to all our owned end-user devices, for example:

  • PCs
  • laptops
  • tablets
  • thin clients
  • smartphones
  • other hand-held devices
  • devices not owned by us that access our systems and data.

The objective of the ICT Security Policy is:

  • to create a corporate-wide policy that provides a ‘baseline’ level of protection of ICT assets and resources that are provided, supported, and maintained by our ICT service. This includes services provided by external contracted third parties on its behalf
  • to establish a set of governing principles for the security of inter-organisational networking between our systems and our partners.

All controls, mechanisms, and procedures are designed to protect our ICT infrastructure from abuse or misuse.

These also counter the additional vulnerability that results from the use of electronic communication beyond our organisational boundary.

Staff, Councillors, contractors, and consultants engaged to carry out work for and on our behalf will be provided with end-user devices, such as laptops and smartphones, to carry out their role, which should always be used for council work.

A key part of the policy is ensuring that only official medway.gov.uk email accounts are used for Council business, and the auto-forwarding of emails from any other email accounts is not allowed.

This will ensure that all personal or sensitive data is encrypted using our software and all required virus controls are in place.