Meeting: Audit Committee (County Hall, Durham - Committee Room 1a - 06/03/2009 09:00:00 AM)
Item: A3 Information Security
Report of Jim Cox, ICT Project Leader (Information Security)
1 An ISO27001 Compliance Progress report dated 26th November 2008 was issued to the Chair of the Audit Committee in December 2008. This report provides details of the progress made since then, towards compliance with ISO27001 for its Information Security policies and procedures.
Background
2 In 2001, following the preparatory work done to avoid any possible Y2K disasters, DCC started work on putting in place Policies and Procedures that were compliant with British Standard 7799 (Information Security). The standard was upgraded to ISO 17799 and then renumbered to ISO 27001.
5 An IS training plan has been discussed with corporate HR, which is to be supported by an on-line IS system, ensuring all members of staff agree to abide by all relevant DCC IS policies and procedures. These policies and procedures, along with all other relevant IS documentation, are available on the DCC Intranet IS page.
UPDATE: Unfortunately, the server hosting the on-line IS system - CETIS - crashed and was irreparable. A replacement system is being sought which will meet the increased needs of the new Unitary Authority. A number of on-line training systems are already in use by DCC Services and the intention is to utilise one of them to host the IS information.
Investigating the options available will take some time, so it is unlikely that a system will be in place when the compliance assessment takes place in mid March 2009. However, if a decision has been made on the choice of system and an implementation/development plan agreed then the assessor might regard our situation sympathetically.
In order to ensure that DCC continues to move towards ISO27001 Certification, a full-time IS officer needs to be identified who can make sure that all the policies and procedures are maintained at an appropriate standard. This officer should report to a Chief Information Officer (or equivalent) based in central service support.
UPDATE: No full-time IS Officer has so far been appointed and it would appear that the structure for the new Unitary Authority contains no provision for one. The LGR Information Management workstream has already made a suggestion that this discipline would best sit in the Deputy Chief Executive’s Office - along with the other disciplines associated with Information Governance.
Contact: Jim Cox Tel: 0191 370 8638
Appendix 1: Implications
Local Government Reorganisation
(Does the decision impact upon a future Unitary Council?)
The medium term aim is to gain advanced compliance for the new Unitary Council shortly before the ISO27001 standard is revised in 2010.
Finance
A Strategic Support Agreement with Sapphire Technologies costs approximately £20,000 annually.
UPDATE: The on-line system to house the IS information should cost approximately £2,000 per annum for support and maintenance.
Staffing
One member of staff is needed to ensure compliance with all policies & procedures developed.
UPDATE: It is likely that more than one full-time member of staff will be needed as the policies and procedures need to be reviewed and updated on a regular basis. Also, the on-line IS system will need developing and maintaining, especially when the ISO standard is reviewed and updated.
Equality and Diversity
All policies and procedures are developed for the benefit of all members of staff and are available on the DCC Intranet. Should they be needed, copies can be produced in Braille, large print and in a variety of languages.
Where appropriate, plain English is used.
Accommodation
N/A
Crime and disorder
The Information Security Officer at Aykley Heads Police Headquarters has been involved in the production and review of all policies and procedures.
The main purpose of producing the policies and procedures is to provide DCC members of staff with guidelines so that they can avoid situations where crime and disorder becomes an issue.
Sustainability
By ensuring the most efficient and effective use of ICT equipment, DCC staff can minimise the need to replace ageing hardware. Also, by protecting the same equipment - especially when teleworking - the working life of the hardware can be maximised.
When equipment does need to be replaced, DCC always strives to purchase the most sustainable products that meet the business needs of the user.
UPDATE: Disposal of ICT equipment is always done in the most environmentally friendly way.
Human rights
N/A
Localities and Rurality
By providing guidance on the most secure way of using ICT equipment when “out and about”, DCC is attempting to make sure services can be delivered locally, where appropriate.
Young people
The policies and procedures apply equally to young people as to all other classifications.
Consultation
All Services within DCC, as well as all District Councils, have been involved in the production of the policies and procedures - along with the ISO at the Police Headquarters (see Crime & Disorder above). Expertise from Sapphire Technologies has also benefited the project.
Health
The guidance included in the policies and procedures is designed to minimise any adverse effects of using ICT equipment.
Attachments