  • Agenda item

    Information Security and Information Security Incident Policies (27:56)

    • Meeting of Cabinet, Tuesday, 7th January, 2025 5.15 pm (Item 118.)

    To receive a report from the Head of Digital Transformation & Customer Engagement on the Information Security and Information Security Incident Policies.

    Minutes:

    The Cabinet had before it a report * from the Head of Digital Transformation and Customer Engagement.

     

    The Cabinet Member for Quality of Living, Equalities and Public Health outlined the contents of the report with particular reference to the following:

     

    • The Information Security practices were last reviewed three years ago. While noting that the Council IT network continued to meet the Public Sector Network compliance standards and underwent annual testing, it was crucial to ensure the Council policies remained aligned with current job roles, legislative updates, and best practices, could proactively manage the Council’s security and had a robust response if something went wrong.
    • The updates to both the Information Security and Information Security Incident policies were shown highlighted in the document pack and summarised in 2.3 and 2.4 of the report.
    • Job roles and responsibilities had been clarified and updated to reflect current staff titles and organisational structure.
    • Clearer guidelines and processes had been added to assist staff in managing incidents, handling media, and protecting assets.
    • Improvements to guidance on reporting and managing information security incidents, including handling theft, loss, or inappropriate disclosures, had been incorporated.
    • These refinements improved clarity and ensured the Council workforce had the necessary guidance to maintain and respond to information security effectively.
    • The contributions of the IT & Information Governance Board, established since the last review. This multidisciplinary team included key personnel such as the Deputy Chief Executive as the Senior Risk Information Officer (SIRO), the Head of Digital Transformation and Customer Engagement, and other key stakeholders. It had a vital role in ensuring those updates were comprehensive and pragmatic.
    • The financial, legal and risk assessments at the end of the report. The phrase “Failure to protect information security could lead to significant data loss and fines” appeared against each one. This language reflected the seriousness of Information Security to this Council, and was reflected on the Corporate Risk Register.

     

    Discussion took place with regard to:

     

    • The Risk Register in relation to home working, which was not a formal requirement; should this be considered as using equipment at home?
    • Hardware, Software and Mobile Apps: should the Policy cover these in greater detail?
    • There was no mention of AI in the Policy; should the Council be encouraging use of this and have protection in place for staff?
    • The review period of two years: as this came up in the Risk Register, should this be 1 year?

     

    RESOLVED that:

     

    1. That the revised Information Security and Information Security Incident policies be APPROVED.

     

    2. That the Head of Digital Transformation & Customer Engagement be given delegated authority to make minor amendments to current MDDC Information Security and Information Security Incident policies as required by legislative changes, formal guidance or local operational considerations in consultation with the IT & Information Governance board be APPROVED.

     

    (Proposed by Cllr D Wulff and seconded by Cllr G DuChesne)

     

    Reason for Decision:

    Failure to protect information security, whether physical assets or data, could lead to significant data loss and fines by regulatory bodies and reputational damage to the Council.

     

    Note: * Report previously circulated.

     

    Supporting documents:

    • Policies Report, item 118. (PDF, 265 KB)
    • App1 IM 001 Information Security v3.0, item 118. (PDF, 470 KB)
    • App 2 IM 002 Information Security Incident Policy v4.1, item 118. (PDF, 357 KB)