
190308AuCtteePaper6AAITrisk

CAIRNGORMS NATIONAL PARK AUTHORITY

Audit & Risk Committee Paper 6 08/03/2019

Title: IT RISK

FOR DISCUSSION

Prepared by: DANIE RALPH, FINANCE MANAGER

Purpose

This paper is for the information of the Committee and presents an overview of IT risks noted in the Risk Register and what is currently being done, and planned to be done, to mitigate ICT risk to the Authority and provide a road map for future IT development.

The paper also represents a detailed analysis around specific strategic risks and as such follows up on previous internal audit recommendations that such detailed analyses of risk augment the Committee’s approach to and leadership of risk management.

Recommendations

The Audit & Risk Committee is asked to:

a) Consider the information in the paper

Executive Summary

  1. The Authority has recorded 4 specific IT service risks in the Risk Register, most recently presented to the Board at its meeting in December 2018

https://cairngorms.co.uk/resource/docs/boardpapers/07122018/181207CNPABdPaper9Annex3StrategicRiskRegisterV1.0.pdf

a) A17 — Technical: increasing ICT dependency for effective and efficient operations is not adequately backed up by ICT systems support;
b) A18 — Technical: cyber security is inadequate to address risk of cyber-attack on systems;
c) A9.2 — Resourcing: CNPA IT services are not sufficiently robust/secure/or well enough specified to support effective and efficient service delivery;
d) A13 — Resourcing: lead body role for multiple large scale externally funded projects is unable to be supported through available cash flow and ICT systems.

  2. The essential component in each risk is bolded in para 1 and each will be considered as part of an emerging IT approach within the Authority’s IT function, which in turn will be developed into a fuller IT strategy. For convenience this is referred to by the shorthand name SASI, a convenient catch-all for our IT values and vision:

a) Stable — the ICT platform is available during core working hours with planned outages kept to a minimum;
b) Accessible — that staff are able to access data remotely to allow flexibility in working practices, such as working from home, and specific user needs are listened to;
c) Secure — that the data maintained by the Authority is not only adequately protected per Cyber Security PLUS certification but is safe; and that staff using the Authority’s ICT systems are protected from unsafe, malicious or undesirable content;
d) Innovative — as a general rule we follow the Scottish Government’s approach to change, as outlined in The Improvement Guide: start small and if it doesn’t work try something else. We see the process as iterative and on-going, with innovation meaning, in our IT context, leading to improvement and supporting efficiency and effectiveness in working practices and service delivery.

Introduction

  1. IT impacts on virtually everything the Authority does: in generating information, in decision making, financial reporting and monitoring, achieving operational effectiveness and efficiency, communications, resource management etc. In the future, with developments in IT continually evolving and the Authority’s ways of working changing and adapting to new technologies and practices, the dependency on IT will continue to increase and the reliability, integrity and availability of applications and data, rather than “the IT system”, will become more important than ever, for users at all levels.

  2. This paper will therefore provide members of the Audit and Risk Committee with an overview of IT risks, their interdependence, complexity, likely increasing cost, and what we are doing and intend to do to mitigate risk.

Stable and Accessible (risks A17, A9.2, A13)

  1. As working methods are increasingly digital, it is important that access is available, and secure, not only during working hours but at all times, so it is appropriate to look at these 2 components together.

  2. Like all organisations the Authority is dependent on reliable ICT to allow its staff to work effectively and efficiently. And like all organisations of a similar size there is an absolute limit to the service IT can provide as, with increased reliance on shared services and “cloud” solutions, any failure in access to the internet is outwith the control of the Authority, so we are reliant on external providers to mitigate service disruption. That said, the rest of this section considers what the Authority’s IT function can do and is doing to provide stability, and effective and efficient operations. However, it has to be realised that as “cloud” solutions become more prevalent and popular, and the preferred direction of travel of Scottish Government, there is a reduction in control of access to applications and software available to the Authority and a growing risk from dependence on external service providers. While this is not a risk yet highlighted in the Risk Register, if “cloud” solutions were to become the norm for the Authority there is little more that can be done than to note the risk of the lack of internet provision, for whatever reason, as any mitigating solution is likely to be unaffordable.

  3. The in-house IT function is currently one full time manager supported by an IT apprentice who started in August 2018. Additional technical support and advice is available from the Loch Lomond & Trossachs IT department, who also provide the data backup function as a “hybrid cloud” solution, and the “help desk” functions to cover IT staff holidays or absences.

  4. External consultants are only used on the introduction of new or updated software/hardware where it is more cost effective to do so: for instance a new storage system will be in place before the end of February. The hardware will be delivered to HQ and configured remotely by the provider, who has the expertise to carry this out quickly.

  5. There is close cooperation with Loch Lomond and quarterly off-site meetings are now planned with their team, in addition to formal monthly telephone technical catch-ups between the IT line staff. This is over and above frequent liaison on day to day operations.

  6. Over the last 2 years “unplanned” downtime of the system has been negligible. “Planned” downtime is usually to facilitate implementation of urgent patches, email server restarts or the installation of new or replacement hardware within the server room. Usually major hardware upgrades are scheduled for holidays or weekends to minimise disruption. Staff working at home can access emails at any time, and can have access to the Server with VM software. Accessibility issues using the VM have been significantly reduced, with residual issues often caused by connectivity issues at the user end rather than the Authority’s systems, so are outwith our control environment.

  7. The IT department not only runs the infrastructure but is also involved with mobile device sourcing and management, telephony and copier/printing management. All the Authority’s telephony needs are now met by the MS Lync system, which means that costs have reduced as a dedicated line between HQ and Ballater is no longer needed. This saves £20,000 per year, and BT call charges have been replaced by usage charges by the Lync provider.

Secure (risks A18, A9.2)

  1. The Authority takes the security of its network, ICT assets and data seriously and has a number of protocols and policies in place to prevent and mitigate risk. Security is much wider than purely cyber security, which is of growing concern generally, and covers not only the physical security of individual items of hardware but of the whole ICT infrastructure and estate. The “estate” comprises the “server”, laptops, tablets and desktop devices, printers and multifunction devices and increasingly any other web enabled devices.

  2. SG have recently invested £2.7m in what is known as the “Internet of Things” (IoT). The IoT is the interconnection of computing devices embedded in everyday objects enabling them to send and receive data. IoT Scotland “will provide a wireless network for applications and services to collect data from devices and send that data without the need for 3G/4G or Wi-Fi, supporting businesses to develop new and innovative applications changing the way they work”. In our case this could mean remotely accessing data on people counters or camera traps.

  3. As the range of devices capable of being connected increases, so does the risk of a security breach, which is why a great deal of effort is placed not just on the physical security of assets but on cyber security and the prevention of unauthorised access to the system.

  4. The protocols and policies in use range from the tagging of high value assets, restricting access to the server room at all times, restricting access to the system to only identified staff users, to running specific countermeasures in the background of server and system operations (firewalls, email scanning etc.) to forwarding on email warnings on specific threats – phishing or other fraud. Third party suppliers, for example banks, also carry regular updates and warnings about threats which must be observed by staff.

  5. “Authorised access to the system” is therefore on 2 levels: (1) access to the infrastructure/servers is restricted to IT staff only, or on occasions with specific permissions to Loch Lomond staff or third parties when new kit or software is added, and (2) at staff member level, where access to the system, on any hardware device, is by a recognised user name and password, which is changed regularly. Therefore only designated and recognised individuals can access the system and data.

  6. “Unauthorised access to the system” is more challenging and GCHQ reckon that any organisation can only protect itself against about 80% of the threats, which of course grow in frequency and sophistication. To an extent we will always be behind the curve in addressing cyber security but can mitigate the threat not just by appropriate processes and certification but by vigilance (phishing, CEO and invoice frauds), by adopting best practice and by recognising that all staff have a part to play.

  7. The Authority has recently gained the Cyber Essentials Security PLUS certification, which is a test of the Authority’s IT systems by an external Certifying Body.

  8. A primary objective of the UK Government’s National Cyber Security Strategy is to make the UK a safer place online and to achieve this the Cyber Essentials scheme was introduced in 2014. It is a cost-effective assurance mechanism developed by CREST (CybeR ESsenTials!) for the National Cyber Security Centre (NCSC), the information security arm of GCHQ, and focuses on 5 essential mitigation strategies:

a) boundary firewalls and internet gateways
b) secure configuration
c) access control
d) malware protection
e) patch management

Cyber Essentials Security Plus certification looks specifically at the following:

a) can malicious files enter the organisation from the internet either through web traffic or email messages?
b) how effective the anti-virus and malware solutions are if malicious content enters the Authority, and
c) should the Authority’s protection measures fail, how likely is it that it will be compromised due to failings in patching the Authority’s workstations. (Technology subject to cyber attacks includes desktop PCs, laptops, tablets, smartphones and internet connected services including email, web and application servers.)

  9. As mentioned above, concentrating on the 5 main controls will stop 80% of cyber-attacks. That still means that 1 in 5 attacks will/could succeed.

  10. The assurance to be gained from the certification is that the Authority’s data is adequately protected, and it demonstrates that cyber security is being taken seriously.

  11. The Cyber Essentials certification is now embedded in IT protocols and the next round of certification is scheduled for December 2019.

Innovation (risks A17, A18, A9.2, A13)

  1. Innovation can mean many things and is often misunderstood. The word does not sit well with the Authority’s ICT needs as innovating can be challenging in a small NDPB with limited financial resources. For instance, we cannot by changing work practices save a great deal of money, and the applications we use in operations are modest – iDox for planning and MS Office for all other needs – so we may not be able to achieve obvious or significant productivity gains. We may, however, be able to do things better, not necessarily quicker or cheaper, and we will always be reacting to change because ICT and software development is dynamic.

  2. One area that is changing is how we buy software, and how we pay for it. Overall in the Government sector the trend is for Capital costs to reduce with a concomitant increase in costs charged to Resource, putting further pressure on static or reducing grant-in-aid allocations. The Government’s strategy for digital platforms is to move increasingly toward “the cloud”, which means that the “old” physical model of buying on DVDs and carrying software on local servers is disappearing. Buying a “perpetual license” with an up-front cost is being replaced by a new model of either an annual or monthly subscription fee, usually per user, and with higher prices for different levels of features. This not only changes the type of cost incurred (resource rather than capital) but can see costs increase if the mix of user licences is not carefully managed.

  3. There is a potential new strategic risk to recognise in this regard, either now or in the next few years, where the change in financing IT services and the switch from capital to revenue provision places an unmanageable pressure on the Authority’s budget capacity.

  4. Vendors also appear keen to move users to “cloud” solutions, which means the SaaS model. SaaS is “Software as a Service”, where software is distributed and accessed over the internet. Software is bought on a subscription basis, and updates are applied automatically without user intervention. This is potentially a risk as we do not have the capacity to “sandbox” (test updates before they are implemented) and/or implement critical updates only. Equally, there is also a risk mitigation in this service model as there is no longer a need for organisations to rely on locally implemented software upgrades.

  5. There are also infrastructure changes implied from SaaS as no hardware is required (potentially a saving too) as the software is not hosted locally but in the cloud and is accessed via a web browser. And as systems are virtualised this is more attractive.

  6. So, increasingly we are buying, or being offered, SaaS solutions. We are not being innovative as we are simply buying what is being made available. It is a complex area with some vendors still offering “on-premises” variations. We can manage the costs by identifying what we need, and only buying into that level; working closely with Loch Lomond NPA and achieving discounts by jointly procuring SaaS; and by managing the timing of migration of current applications, running them as long as we can under current licences and agreements, without affecting effectiveness, efficiency, and security.

  7. In the medium term we can also look at whether open source software offers real benefits compared to current packages. Open source software is software which is designed to be publicly accessible. It doesn’t mean that the software is free, or any better than proprietary, but could be cheaper and comes with its own set of risks.

  8. If we accept the IT infrastructure to be stable, accessible and secure, we can still make improvements and innovate, likely to be small and incremental, hopefully cost effective over all aspects of ICT and workings. A few examples of what we are currently doing are:

a) Continuing to implement managed digital change – for example the current CRM and Document Management Systems which will support changes and develop effectiveness in working practices;
b) the IT manager is attending the Smarter Working Scotland Conference looking at smarter working, paperless projects, digital reimagining and networking to see how other organisations are developing their ICT strategies, and where we can learn from them;
c) the IT manager is attending the Improvement Scotland workshop to learn a new approach to introducing change;
d) attending the SG Digital Champions programme;
e) trying walk-in IT clinics to bring the users of IT closer to the IT team;
f) using the BDO Performance and Strategic Development advisory report to guide future developments;
g) improvements, meaning the reduction in cost, carbon footprint and consumables, have already been achieved by introducing new multi-function devices for printing, copying and scanning and reducing the number of printers in the office. Monthly reports are now prepared showing the number of pages printed, and the cost in terms of trees, carbon emissions and the equivalent light bulb usage;
h) any opportunity to reduce operating costs without compromising service will be looked at;
i) a specific IT risk register is being developed, concentrating on operational IT issues and also managing opportunities as well as risks;
j) looking at Scottish Wide Area Network (SWAN) again;
k) looking at collaboration with other National Parks or NDPBs;
l) education and developing closer working relationships between all staff and the IT team: while we can do a great deal to ensure the integrity and reliability of the infrastructure, cyber security etc., the biggest single threat to our IT systems comes from the human element, staff. It takes only one person to open a malware email, and control systems can only provide support alongside effectively trained users.

  9. To keep IT secure, using the current apps, and maintain a stable and accessible system, and to further develop the IT function, it is going to cost more in cash resource terms. This is not just due to inflationary pressures but because of the direction of travel – the cloud – which will in part be dictated by the Scottish Government’s IT strategy; and the Authority, as a small NDPB, will have to balance what is asked of us with what resources are made available, and work smarter.

Next Steps

  1. We will continue to identify and monitor IT risks and manage and mitigate them using appropriate controls. The controls do not operate in isolation and are dependent on many factors. They can be compromised due to weak links, are subject to error and management override, and range from the simple to the highly technical, and increasingly complex. We can manage them at the governance level and at the application and infrastructure level: both have to be considered and ranked into what are purely operational IT risks and those that impact the Authority’s delivery of its Plans.

Danie Ralph 12 February 2019 danielralph@cairngorms.co.uk
