Please be aware the content below has been generated by an AI model from a source PDF.

Paper 8 - Outstanding Recommendations Update

Cairngorms National Park Authority Ughdarras Pàirc Nàiseanta a’ Mhonaidh Ruaidh Audit and Risk Committee Paper 8 20 June 2025

For decision

Title: Update on outstanding internal audit recommendations

Prepared by: David Cameron, Deputy Chief Executive and Director of Corporate Services

Purpose

This paper presents an update on actions underway which address outstanding internal audit recommendations on controls relating to information technology, cyber security and information management. The paper proposes revised, updated actions for adoption by the Committee in place of the existing recommendations which in some cases are outdated following significant action by the Park Authority’s teams working in this area.

Recommendations

The Audit and Risk Committee is asked to:

     a) Agree the six prior internal audit recommendations set out at 1 are superseded.
     b) Agree the adoption of the three actions set out at 6 as replacement actions required to implement an appropriate overarching control environment for the Park Authority’s IT and data management operations.
     c) Agree to receive updates on progress against these actions as part of updates on action in implementing audit recommendations.
     d) Agree the scope of any internal audit work in these areas over the next 12 months should reflect the status of the current evolution of the Park Authority’s operating environment for IT and data services.

Background

  1. The update on outstanding internal audit recommendations presented to the Audit and Risk Committee at its previous meeting highlighted six of 20 outstanding recommendations that link to the Park Authority’s work in the areas of information technology, cyber security and information management. The recommendations are:

     a) We recommend that CNPA should perform a risk assessment as well as a gap analysis of the current technology, policy and business environment, to identify the key cyber security risks. [Partially complete]
     b) We recommend that CNPA establish procedures for handling cyber security events. These procedures may take the form of playbooks that specifically detail which actions should be taken in the event of a cyber-attack. [Partially complete]
     c) We recommend that CNPA should perform a risk assessment as well as a gap analysis of the current technology, policy and business environment, to identify the key cyber security risks. In conducting that risk assessment and gap analysis, CNPA should refer to recognised leading cyber security frameworks including the Scottish Government Cyber Resilience Framework [Partially complete]
     d) We recommend that the next development of the IT and Data Strategy includes a financial strategy. This should set out, at a high-level, indicative capital and revenue costs associated with achieving expected outcomes from the strategy. This should be allocated for each financial year. [Incomplete]
     e) We recommend that CNPA review the current policy suite that is in place and develop and implement policies that address policy areas covering data management and retention; information transfer; cloud security; access control; back up and resilience; data labelling; [Partially complete]
     f) We recommend that CNPA develops a testing plan/schedule for BCP which should be reviewed regularly to ensure a strategic approach to testing is developed and implemented [Incomplete]

  2. The recommendations above are all inter-related, with information technology infrastructure and approaches influencing data management; and overall information and data strategies linked to risk management and business continuity.

  3. The Park Authority has designed and implemented step change developments in its information technology and data management environment over the last couple of years. This has included movement to Microsoft 365 and cloud-based operations; complete overhaul and implementation of records management systems based on SharePoint; evolution and enhancement of our Information Management and GIS systems and team resources; and successful implementation of IT Management actions to secure Cyber Essentials Plus accreditation.

  4. This investment, and work by our teams, has made significant progress in addressing a range of control weaknesses highlighted in prior internal audit reports. As noted above, most recommendations have been classified as ‘partially complete’ with action progressing. Some recommendations have not been progressed as work in these control areas can only begin once we have made a decision on how best to develop our IT and Data Management systems. For example, we need to embed our approaches to both IT use and information management, before redesigning and implementing business continuity plans and actions. The most appropriate approach to business continuity planning will be determined by how our information is held and backed up, and by the various ways of accessing that information.

  5. There are strong links between the Cairngorms IT infrastructure and network and that of Loch Lomond and the Trossachs National Park Authority (LLTNPA) through shared services activities that have now been in place for several years. With evolution of the teams at both Cairngorms and LLTNPA, and significant changes in our operating environments, there is also a need for review and refresh of these shared services arrangements.

Future Action

  6. Given the scale of refresh and renewal of the Park Authority’s operating environment, we are now in the process of developing a new, strategic overview of our position and establishing an updated long-term direction on our IT and Information Management. The key actions underway to bring the Park Authority to a clear basis for robust, sustainable and secure operations are:

     a) Establish an IT Strategy, encompassing a refreshed understanding of our shared service arrangements with LLTNPA, together with a costed action plan which underpins future delivery of IT and data services. We are working to complete this before the end of the current financial year, 31 March 2026.
     b) Complete our embedding of information management approaches, including GIS and other data management and publication policies, including our statutory records management duties. Again, we are working to complete this before the end of the current financial year, 31 March 2026. This work depends to some extent on completion of the IT Strategy work.
     c) Develop our business continuity plan in the context of the evolving IT Strategy and information management approaches and embed an understanding of the Park Authority’s approach to business continuity across the organisation. We expect June 2026 is the earliest feasible deadline for effective completion of this element of work.

  7. It seems appropriate to replace the six outstanding internal audit recommendations with the above three actions.

  8. Updates on progress against these three actions will be provided to the committee at appropriate intervals, including as part of updates on outstanding audit recommendations.

David Cameron davidcameron@cairngorms.co.uk 11 June 2025
