ICT business continuity, resilience and disaster recovery
To provide further general information relevant to the committee’s wish to ‘explore issues around disaster recovery and related risks in greater depth’ and to ‘consider matters in relation to ICT business continuity and cyber security resilience’.
The Interim ICT Client Lead introduced the report. The key points included: the section of the report dealing with Internal Audit Recommendations (paragraph 4, agenda page 44) was highlighted, and it was reported that the Internal Audit service (South West Audit Partnership – SWAP) had commenced a new piece of work, covering a number of different areas, at the request of officers; and it was not possible to fully ensure protection against all risks, but the Technology Strategy that was in development would explore opportunities for improvement.
Responses were provided to questions from committee members. The key points included:
1. The Interim ICT Client Lead advised that the management responses marked as ‘partly complete’ would be flagged as part of the SWAP work and considered in completing the strategy. In particular, the Service Level Agreement (SLA) with Hoople Ltd would be reviewed thoroughly.
2. The Head of Information Technology for Hoople Ltd made a number of points, including: the company took its responsibilities around information security seriously; operational and procedural guidelines were followed; the company would look to achieve assurance on any platform it procured or managed; there was a dedicated Information Security Officer; the principles of information security were embedded across the organisation through standards such as ISO27001 and Cyber Essentials Plus (these were not explicitly required by Herefordshire Council but were in place due to being a delivery partner for other local agencies); staff development into new qualifications was encouraged; there were other measures taken to connect to government networks; and the audit process helped to achieve assurance.
The Chairperson suggested that consideration could be given to the inclusion of performance indicators within the SLA in relation to conformity with particular standards.
3. The Interim ICT Client Lead said that ‘hosted’ systems would be adopted where and when that was sensible and cost effective, with additional care taken in terms of selection and ensuring compliance with acceptable standards.
4. The Interim ICT Client Lead briefly commented on the complexities and opportunities of the digital integration of health and care systems. The Head of Information Technology reported that: Hoople Ltd was engaging with the Herefordshire and Worcestershire Integrated Care System to represent the technical interests of Herefordshire Council and a number of local health bodies; Herefordshire was ‘quite far ahead’ in terms of progress; and the Integrated Care Board had mature processes in terms of information governance and managing risks.
That the current assessment of the status in all matters of scope set out in the report be noted.