Agenda item

To consider the information provided and to agree that a further report be brought back to  a future meeting of the Committee in order to provide an update on the re-assessment process and results.

20.1           The report of the Business Transformation Group Manager, circulated at Pages No. 165-168, provided Members with information about the Council’s compliance with the Public Services Network. Members were asked to consider the information provided and agree that a further report be brought back to a future meeting of the Committee to provide an update on the reassessment process and its results.

20.2           The Business Transformation Group Manager explained that the Council currently used the Public Services Network to exchange data electronically with other connected agencies. To remain accredited to the Network the Council had to complete an annual assessment process and failure to meet the required standards may result in the Council’s connection being withdrawn. The Council was currently authorised to connect to the Network until 2 October 2014 at which point it must prove compliance with the latest Public Services Network requirements. This was a key risk issue which was the reason for bringing it to the Audit Committee for information.

20.3           Currently the main users of the Network were Revenues and Benefits and Customer Services with the connection for the Revenues and Benefits service being essential as it was the only way it could make returns to the Department for Work and Pensions. The Network allowed the agencies that used it to work together in a transformational way as it looked and felt like a single network for a number of different services and agencies. It would mean that security would become less of a problem for each organisation as they had demonstrated through the compliance process that they were all working to the same standards.

20.4           The Business Transformation Group Manager indicated that this was not merely an IT issue as the Council had to prove that its information governance was strong and met all necessary requirements, including the notable requirement that the Council must complete security checks for all staff that had access to Public Services Network level data. It was possible that this requirement may be extended to all Council IT users by 2015, which could include Members, and this would have funding implications for the Council as each check cost a minimum of £25. In addition, there were a number of areas where Councils had issues in meeting compliance requirements including: restrictions regarding access to Council systems by employees using personal/home or other non-Council devices; the extensive work needed to patch and upgrade IT systems; issues that arose from completely separating some systems e.g. email into Public Service Network and non-Public Services Network variants; legacy software and hardware where items could no longer be patched to a compliant level, for example Windows XP – this operating system was still in use on computers that wanted to access Council systems; an appropriate focus on information security; and funding of the requirements for the Public Services Network - this had been estimated by some IT Managers at between 10% and 25% of the annual IT budget.

20.5           The Council would shortly be submitting its assessment and the results of that would be brought back to a future meeting of the Committee. Early indications, following an external health check, had suggested some areas for improvement which had now been addressed including setting, use and management of passwords; internal security/trusted users; and weak change management/patching policy. The check had otherwise been very successful. In terms of the reassessment, where issues were identified the application would have to be resubmitted with those issues addressed. There may be multiple resubmissions within a three month period following the recertification due date so the Council had a chance to address any weaknesses identified.

20.6           A Member questioned whether the Business Transformation Group Manager was looking at the introduction of a better policy for Members that used their own equipment. In response, he was advised that the same policy could not be used for Members as was used for staff and the intention was that the Members part of the policy would become a Code of Practice which would be a much more simplified version. It was anticipated that this would be introduced for the new Council after the May 2015 election.

20.7           Accordingly, it was

                  RESOLVED          1. That the information provided be NOTED.

 2. That it be AGREED that a further report be submitted to a future meeting of the Committee to provide an update on the reassessment process and results.