Meetings
Information Governance
This page gives details of any meetings held which will, or did, discuss the matter, and includes links to the relevant Papers, Agendas and Minutes.
Note: Meeting agendas can change at short notice, particularly where future meeting dates are indicated more than a week in advance. Please check before planning to attend a Committee Meeting that the item you are interested in has not been moved.
Meeting: 13/11/2017 - Management Board (Item 8)
Data Protection (GDPR) update
Oral item
Minutes:
Dave Tosh gave an overview of the current preparations for GDPR, which was due to come
into force in May 2018. Service areas were working on their personal data
registers, the deadline for which was end January. Heads were advised to speak
with Sue Morgan and Alison Bond if there were issues around retention,
permission or consent.
Work was progressing to adapt guidance for Members and the likely requirements would be
issued to them in the first instance.
ACTIONS:
- Heads to assist their teams where decisions were needed on their personal data registers. Alison Bond to clarify the areas where there were still gaps in data or reasoning.
- Matthew Richards to circulate the guidance prepared for Legal Services.
Meeting: 02/03/2017 - Management Board (Item 5)
Cyber Security Awareness
Presentation
Minutes:
The Board welcomed Drew Evans and Paul Peters to the meeting.
Drew explained to the Board that 6 million user accounts worldwide had been breached
in January 2017 alone and that the biggest threat to an organisation’s
cyber security is often found from within; raising awareness amongst
staff is therefore the most effective form of defence. The Board were informed of the
impact any potential cyber incident could have on an organisation, ranging from
data loss right through to wide scale business disruption. In addition, there
could be longer term impacts to reputation and stakeholder confidence.
Since last September a wide ranging assurance exercise had been conducted to review
the Assembly’s robustness to any potential cyber threat. Whilst steps have been
taken to reduce the risk of a cyber-attack, Drew re-emphasised the importance
of improving staff awareness with regards to tackling any threat.
Drew informed the Board of the upcoming Cyber Security Awareness Week taking place
from 6-9 March. These sessions, aimed at staff, will consist of short awareness
raising videos along with an opportunity to ask questions afterwards. It was
felt that given the importance of the topic it should be compulsory for staff
to attend these sessions.
The Board were introduced to Detective Inspector Paul Peters, from TARIAN, who
delivered the second of the awareness raising presentations. Paul talked the
Board through examples of some of the threats posed to organisations through
the use of social engineering, phishing emails, ransomware threats and DDOS
(Distributed Denial of Service) attacks.
ACTIONS:
Management Board agreed to make attendance at an awareness session mandatory
for all staff; Service Heads were asked to strongly encourage their staff to
attend the awareness raising sessions taking place between 6-9 March.
Meeting: 14/07/2016 - Management Board (Item 4)
Cyber security
Supporting documents:
- Restricted enclosure 6
Minutes:
Alison Bond was welcomed to the meeting to deliver a short video and
discussion on key information and cyber security issues, an area of increasing
importance to the management and protection of Assembly information and one
that ACARAC has requested be scrutinised.
The Assembly, like most organisations, was extremely dependent on its
information and systems but, with the number and type of attacks threatening
information increasing, the potential risks to reputation, confidence,
disruption and compliance were high. The Board were informed that restricting
access and protecting information assets was central to cyber security.
It was recognised that, generally, the Assembly was very security
conscious, with many tools and controls in place. It was, however, important to
remind staff about security of email and the use of computers and the network,
including the storage of restricted papers prior to destruction and during
disposal.
Alison outlined the guidance in relation to malicious emails and that
these emails can appear very sophisticated, meaning constant vigilance was
needed. A message was also going to Members and their staff in relation to
security of emails, computers and the network. The Board discussed other
threats and how to mitigate the risks through user awareness, being mindful of
assets, assessing and managing risk and being vigilant. Alison advised that the
privacy impact assessment had been very intensive around the Assembly’s use of
cloud services.
Alison would write to Heads to undertake an exercise, in their roles as Information Asset
Owners, to identify and test the robustness of controls around their most
important and sensitive assets.
Meeting: 23/03/2015 - Management Board (Item 5)
Information Governance Framework - Paper 2
Supporting documents:
- Restricted enclosure 9
Minutes:
Dave Tosh outlined the purpose of the framework,
which was to bring together the responsibilities, structures, policies,
procedural guidance and governance processes required to manage Assembly
information.
The framework had been reviewed by the Audit and
Risk Assurance Committee who were content with it. Management Board agreed that
it was clear and accessible, but it would be useful to include FAQs to aid
understanding and to clarify timescales for implementation.
The Board discussed the plans for raising staff
awareness. Alison Rutherford (Information Governance Manager) would meet with
Heads and work with teams to assist them in adopting and applying the
requirements. Elisabeth Jones advised that Sue Morgan and Jon Tomkinson (Legal
Advisers) could assist in this work. Dave Tosh also advised that Jan Koziel
(Head of Procurement) was building information governance requirements into the
terms and conditions for contractors to the Assembly.
Actions: Management Board members to raise any particular
concerns with Alison Rutherford so that she can assist.