Meetings

Information Governance

This page gives details of any meetings held which will, or did, discuss the matter, and includes links to the relevant Papers, Agendas and Minutes.

Note: Meeting agendas can change at short notice, particularly where future meeting dates are indicated more than a week in advance. Please check before planning to attend a Committee Meeting that the item you are interested in has not been moved.

Meeting: 13/11/2017 - Management Board (Item 8)

Data Protection (GDPR) update

Oral item

Minutes:

Dave Tosh gave an overview of the current preparations for GDPR, which was due to come into force in May 2018. Service areas were working on their personal data registers, the deadline for which was end January. Heads were advised to speak with Sue Morgan and Alison Bond if there were issues around retention, permission or consent.

Work was progressing to adapt guidance for Members and the likely requirements would be issued to them in the first instance.

ACTIONS:

  • Heads to assist their teams where decisions were needed on their personal data registers. Alison Bond to clarify the areas where there were still gaps in data or reasoning.

  • Matthew Richards to circulate the guidance prepared for Legal Services.


Meeting: 02/03/2017 - Management Board (Item 5)

Cyber Security Awareness

Presentation

Minutes:

The Board welcomed Drew Evans and Paul Peters to the meeting.

Drew explained to the Board that 6 million user accounts worldwide had been breached in January 2017 alone and that the biggest threat to an organisation’s cyber security is often found from within, therefore raising awareness amongst staff is the most effective form of defence. The Board were informed of the impact any potential cyber incident could have on an organisation, ranging from data loss right through to wide-scale business disruption. In addition, there could be longer term impacts to reputation and stakeholder confidence.

Since last September a wide-ranging assurance exercise had been conducted to review the Assembly’s robustness to any potential cyber threat. Whilst steps have been taken to reduce the risk of a cyber-attack, Drew re-emphasised the importance of improving staff awareness with regard to tackling any threat.

Drew informed the Board of the upcoming Cyber Security Awareness Week taking place from 6-9 March. These sessions, aimed at staff, will consist of short awareness raising videos along with an opportunity to ask questions afterwards. It was felt that given the importance of the topic it should be compulsory for staff to attend these sessions.

The Board were introduced to Detective Inspector Paul Peters, from TARIAN, who delivered the second of the awareness raising presentations. Paul talked the Board through examples of some of the threats posed to organisations through the use of social engineering, phishing emails, ransomware threats and DDoS (Distributed Denial of Service) attacks.

ACTIONS: Management Board agreed to make attendance at an awareness session mandatory for all staff; Service Heads were asked to strongly encourage their staff to attend the awareness raising sessions taking place between 6-9 March.


Meeting: 14/07/2016 - Management Board (Item 4)

Cyber security

Supporting documents:

  • Restricted enclosure 6

Minutes:

Alison Bond was welcomed to the meeting to deliver a short video and discussion on key information and cyber security issues, an area of increasing importance to the management and protection of Assembly information and one that ACARAC has requested be scrutinised.

The Assembly, like most organisations, was extremely dependent on its information and systems but, with the number and type of attacks threatening information increasing, the potential risks to reputation, confidence, disruption and compliance were high. The Board were informed that restricting access and protecting information assets was central to cyber security.

It was recognised that, generally, the Assembly was very security conscious, with many tools and controls in place. It was, however, important to remind staff about security of email and the use of computers and the network, including the storage of restricted papers prior to destruction and during disposal.

Alison outlined the guidance in relation to malicious emails and that these emails can appear very sophisticated, meaning constant vigilance was needed. A message was also going to Members and their staff in relation to security of emails, computers and the network. The Board discussed other threats and how to mitigate the risks through user awareness, being mindful of assets, assessing and managing risk and being vigilant. Alison advised that the privacy impact assessment had been very intensive around the Assembly’s use of cloud services.

Alison would write to Heads to undertake an exercise, in their roles as Information Asset Owners, to identify and test the robustness of controls around their most important and sensitive assets.


Meeting: 23/03/2015 - Management Board (Item 5)

Information Governance Framework - Paper 2

Supporting documents:

  • Restricted enclosure 9

Minutes:

Dave Tosh outlined the purpose of the framework, which was to bring together the responsibilities, structures, policies, procedural guidance and governance processes required to manage Assembly information.

The framework had been reviewed by the Audit and Risk Assurance Committee who were content with it. Management Board agreed that it was clear and accessible, but it would be useful to include FAQs to aid understanding and to clarify timescales for implementation.

The Board discussed the plans for raising staff awareness. Alison Rutherford (Information Governance Manager) would meet with Heads and work with teams to assist them in adopting and applying the requirements. Elisabeth Jones advised that Sue Morgan and Jon Tomkinson (Legal Advisers) could assist in this work. Dave Tosh also advised that Jan Koziel (Head of Procurement) was building information governance requirements into the terms and conditions for contractors to the Assembly.

Actions: Management Board members to raise any particular concerns with Alison Rutherford so that she can assist.