Agenda item

First line assurance: Providing Audit Committee with assurance on the internal controls and risk management of the Council's Cloud Services

The report of the Assistant Director Finance and Technology is to follow.

Contact: Ben Jay 07815 473236

Minutes:

The Committee received the report of the Assistant Director Finance and Technology (copy attached to the signed Minutes), which identified the Council's current use of cloud-based services and considered its use of these systems (including wider networks and data centres) to house its data and network systems. It focused on the approach to assurance for internal controls and risk management for these services. The report also considered the current position in terms of consistency of approach across the different types of cloud use, the desirability of increased controls and risk management, and consistency in how these were being applied.

The Assistant Director Finance and Technology introduced his report and drew the Committee's attention to the key points. He explained that although there were risks associated with systems hosted in the cloud, the Council and the Council's IT team did not differentiate between cloud-based systems and on-premises systems in the way internal controls and risk management were approached. Overall, there was considerable confidence that there were good internal controls and a good level of engagement with risk management around the core network and core systems of the Council, to the extent that they were hosted in the cloud or similar arrangements. There was, however, an ongoing increase in the level of risk in the external environment (e.g. cyber-attacks, cyber-resilience and cyber-security), so it was important to constantly review the arrangements around internal controls and risk management. The report set out where they were, and the Committee were invited to comment on whether or not that was felt to be sufficient, or whether there were any areas where controls could be included or improved.

The Infrastructure Security and Innovation Manager took members through the report. He gave the background to the Council's use of the cloud, which was not new, as the Council had been using cloud services for over ten years. Things had changed slightly recently due to the elevation of cyber risk, which had meant putting some additional controls in place, including setting up an IT Business Continuity Recovery Group and working with risk, audit and data protection to ensure that controls were in place.

The Council currently had a 'cloud where appropriate' model, which aligned with the Government's approach to implementing cloud systems. Cloud services were suitable for some things but not for others; the authority also had to be conscious of value, and cloud services often did not provide best value, so the Council currently had a mix of cloud-based and on-premises approaches. Some of the smaller system providers for particular service areas had not previously been in a position to provide cloud-based services, but as these reached maturity, those options were now available to the business areas concerned and would be considered during the procurement process.

The Infrastructure Security and Innovation Manager highlighted some of the controls and compliance areas that were in place. He explained that ICT had specialist teams and also worked very closely with data protection, information governance, risk, audit and procurement, so that when a new system was proposed all these business areas worked together to ensure that the NCSC guidance was followed, that the supplier was a fit and was capable of delivering the service, and that ICT were able to manage that supplier arrangement. Once the system was in place, these business areas continued to work with ICT to ensure the relationship continued to be managed.

The Infrastructure Security and Innovation Manager informed the Committee that the biggest cloud system the Council had was the Microsoft Office Suite. As part of the supplier development cycle it was important to have management controls in place to handle changes in software and products, which were often changed at short notice to meet public demand. He highlighted that the biggest risk area they were working to control was the breadth and differing maturity levels of how business areas managed their supplier arrangements; ICT was working with the risk team on enhancing how system administrators and information asset owners understood the risks to their systems and how they managed them.

In response to a query, the Infrastructure Security and Innovation Manager explained that not all local authorities operated their cloud systems in the same way, as it depended on the suppliers; however, the Microsoft Office Suite did operate in the same way across local authorities, as the supplier defined how it operated. Shropshire's acuity levels were probably higher than some because it had been doing this for quite a long time. He confirmed that the controls around the secure cloud for Office 365 met PSN accreditation requirements. The Council had previously had to work with Microsoft on the controls to secure the cloud and had added additional controls of its own; those additional controls were no longer needed, as Microsoft had since introduced much of what the Council required to assure customers that the service provided was secure. He confirmed that Shropshire was in line with best practice.

In response to a further query, it was confirmed that there had been a couple of breaches that year. Part of the role of the ICT Business Continuity Recovery Group was to help address these and make sure any lessons learnt were followed up, and he informed the Committee that the risk profile continued to reduce. However, no system was completely secure and there was always a risk to both cloud and on-premises systems from cyber-attacks.

In response to a query, the Infrastructure Security and Innovation Manager explained that the large global vendors recognised the need for UK data centres and provided their services from these UK centres. Smaller vendors tended to provide their systems using UK-based hosting anyway. He confirmed that the Council currently had no data services based outside of the UK. Part of the procurement process was to ask where suppliers were based, and if a service was only available outside of the UK, a business decision would be taken around the risk of that data being held in a potentially less secure location. It was confirmed that Nuneaton was still the Council's secondary data centre and that backups were also made to the cloud. A business case was currently going through for a more cyber-focused backup solution.

The Assistant Director Finance and Technology explained that they were looking to bring Nuneaton up to the same level of capability as Shirehall, and that the overall level of cover was being improved to ensure 24/7, 365-day cover, including on-call teams.

A further question was raised about whether anything proactive was being done in relation to the effects of the war in Ukraine, the linkages between Russia and China, and the increased likelihood of cyber-attacks. In response, the Infrastructure Security and Innovation Manager reported that the NCSC had issued guidance in January, ahead of the Russian invasion, that elevated activity would be seen, and the Council had created another group in response to work through some additional security measures. He informed Members that the level of attacks from China had increased slightly since January, but not from Russia. It was confirmed that the Council's firewalls blocked attacks or attempts to connect to external firewalls from Russian IP addresses approximately twice a second and from Chinese IP addresses approximately four times a second, which equated to in excess of half a million per day.

The Infrastructure Security and Innovation Manager informed Members that the Council had a team of four staff specialising in IT security, although staffing levels were constantly kept under review.

The Chairman was alarmed at the level of risk involved and the scale of attacks, but was reassured by the level of defence of IT systems and the level of security in place.

RESOLVED:

Members have considered and are satisfied with the levels of assurance placed before them in terms of internal controls and risk management of the Council's cloud services.