The report of the Head of Automation and Technology is attached.

Contact:  David Baker (01743) 254118

B.  First line assurance: Audit Report Management Response – Information Security Management and IT Acceptable Usage Policy

The report of the Assistant Director Legal and Governance is attached.

Contact:  Tim Collard (01743) 252756

The Committee received the report of the Head of Automation and Technology – copy attached to the signed Minutes – which provided an update on the actions taken or planned to address the recommendations arising from various audit reports

The Head of Automation and Technology took members through the paper and responded to a number of queries.  It was noted that some dates in the action plan had not been met and did not have new target dates attached to them, also, some actions were marked as green even though the dates were into the following year.  Assurance was sought that the extended dates were nothing to be concerned about.  In response the Head of Automation and Technology explained that those actions marked green were being managed effectively or were progressing on target so even though some of the dates had passed it was because the risk was being managed effectively or that they were no longer deemed to be a potential risk for escalation.

Referring to paragraphs 9.7 and 9.10 on page 25 of the report, it was noted that effective controls were in place for the management of the Council’s telecommunications contract and for the ICT Business Support function.  A query was raised as to whether these controls were being audited, whether they were operating satisfactorily and did not pose any risks for the authority.  In response, the Head of Automation and Technology explained that they posed no risks to the authority and were regularly monitored both internally and with suppliers to ensure those contracts were being managed effectively and to ensure the Council were getting the most effective solutions and prices from its suppliers.  Alternative sources of procurement were also considered.

In response to a query around the security of legacy systems and third-party contractor access, the Head of Automation and Technology stated that nothing was completely safe as there would always be an element of risk, however, as supplier chain attacks were increasing and to ensure the Council’s suppliers were robust, they were looking more closely at the suppliers’ security mechanisms and procedures.  They also identified those accounts that had not been used for periods of time and reviewed them to ensure that they were either disabled or removed completely so that access did not continue. He confirmed that the risk was being effectively managed and that as the legacy systems dropped away, they would become less of a risk.

In response to a query around the security implications of telephony contracts ‘rolling’ beyond their contract end dates, the Head of Automation and Technology explained that there was no security risk in this, the only risk would be if the service were to be turned off you could not then provide that service.  However, they did have an understanding with suppliers so that did not happen, instead, it just moved into an area of recurring billing.  He confirmed that they had regularly quarterly meetings with the suppliers plus regular internal meetings to ensure this did not happen.  He informed the Committee that they have had to procure the new telephony contract with the same supplier anyway due to the PSTN switch off in 2025 so that service could not actually be reprocured.  It was hoped that this situation would not reoccur with the new controls that were in place.

The Head of Automation and Technology provided an update in relation to the new Equipment Replacement Programme.  He confirmed that there was now a centralised budget which allowed them to identify those areas that were in most urgent need of new equipment and rolling these out to ensure a level playing field.  He went on to say that new devices should be replaced every 3 to 4 years to avoid security and productivity issues.  This regular refresh programme would ensure that staff were more productive and could do their work better with a more secure device.  He confirmed that everyone would be up to a good standard within the next 12 months.

Concern was raised at the inability to leave telephone messages for officers using the current wi-fi telephony.  The Head of Automation and Technology agreed to take this away to look into and would report back.  In terms of the Revised Executive Management structure, the Head of Automation and Technology confirmed that the new structure was in place although there was still some work to be done with structuring the ICT department and to that end there was a maturity assessment for ICT and a skills assessment currently being undertaken to understand where they were and whether they were delivering the best possible use of skills, were there any gaps in the skills and does the structure within ICT accurately reflect what they were trying to deliver in the upcoming digital strategy and Shropshire plan.

The External Audit informed the Committee that the outstanding recommendations in relation to IT still needed to be resolved and would be picked up with the Head of Automation and Technology and would be reported back to the next meeting.

RESOLVED:

1. that the contents of the report and the progress made to address the audit recommendations be noted.

2.  that further measures that may be appropriate, or areas for further measures that they wished officers to investigate be considered.  

3.  that the Audit Committee is satisfied that sufficient progress has been made to address previous Committee concerns in the IT function.