CAIRNGORMS NATIONAL PARK AUTHORITY
Audit Committee Meeting
26 August 2005
Paper 4

Address:
3rd floor, Ballantyne House
84 Academy Street
Inverness IV1 1LU
Telephone: 01463 713500
Fax: 01463 715080
Website: www.audit-scotland.gov.uk

17 August 2005

Miss J Hope
Chief Executive
Cairngorms National Park Authority
14 The Square
Grantown-on-Spey
Moray PH26 3HG

Dear Jane

2004/05 Audit

As part of the above audit I have completed a Computer Services Overview. My findings from the overview are contained in the attached Appendix, and the recommendations in the Action Plan were agreed with the Head of Corporate Services.

If you want further information on the report’s findings, please telephone me at the number above.

Yours sincerely

Robert W Clark
Senior Audit Manager

Enc

cc D Cameron, Head of Corporate Services


Cairngorms National Park Authority
2004/2005 Audit
Computer Services Overview
Appendix

1. As part of our planned audit work for 2004/2005 we issued a Computer Service Review (CSR) Client Questionnaire (CQ) to the Head of Corporate Services at Cairngorms National Park Authority (CNPA) to allow us to assess the Authority’s approach to information and communications technology (ICT) management.

2. The main aim of the CSR CQ is to provide a high-level, risk-based assessment of ICT services. The process can provide an indication of strengths and identify potential control or administrative opportunities that may warrant consideration by management. The CSR CQ assesses the following key control objectives:

• ICT Strategy – ‘An ICT Strategy that enables the formal introduction of information systems to meet corporate business objectives has been prepared’;
• Organisation Structure – ‘An organisation structure that ensures corporate, departmental and local information needs are provided is in place’;
• Installation Management – ‘Appropriate standards and working practices for securing and controlling both local and remote sites are in place’;
• Service Delivery – ‘Arrangements to ensure that prescribed levels of service agreed between client and contractors/partners are delivered, monitored and reported’;
• Asset Protection – ‘Investment in hardware, software and data assets is protected to conform with statutory and corporate requirements’;
• Business Continuity/Contingency – ‘Appropriate measures to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disaster are in place’; and
• Telecommunications and Networking – ‘A network strategy reflecting local-area and wide-area requirements, addressing security, resilience and disaster recovery, has been prepared’.

3. The information provided by management during our CSR CQ process has highlighted a number of areas of good practice, including:

• the Authority’s Management Team has responsibility for discussing and influencing the strategic direction of ICT matters in the Authority. Corporate and operational plans have been prepared;
• robust and comprehensive policies on the acceptable use of IT facilities, email and the Internet have been implemented;
• audit logs are monitored regularly and action taken when required;
• effective procedures for IT asset management have been implemented; and
• the Authority is participating in an Efficient Government forum discussing ways to share services and resources, which may assist with business continuity planning arrangements.

4. As part of our assessment of the CSR CQ, we also identified some challenges and higher-risk exposure areas where there are opportunities to improve current administrative and operational practices. We consider that this briefing will be of assistance to management in identifying areas of risk exposure for management attention. The main risk exposure areas identified were as follows:

• a formal ICT strategy setting out the vision and future information needs of the Authority has not yet been prepared. Without this in place, staff and other stakeholders may not be aware of the technical direction and ICT infrastructure standards adopted by the Authority;
• physical and environmental protection measures for the Grantown computer room are not satisfactory. Air conditioning and fire detection/protection measures should be considered, and the paper files stored in the room should be removed;
• a formal business continuity plan has not yet been prepared. The Authority should document its arrangements and make staff aware of the proposed plans. Testing and maintenance of the plan should take place on a regular basis.

Refer to Action Plan Points 1, 2 and 3.


ACTION PLAN

Rec No 1 (Page/Para Ref 2/4)
Recommendation: The Authority should prepare a formal ICT strategy setting out its vision and future information needs.
Priority: Medium
Responsible Officer: Head of Corporate Services
Agreed: Yes
Agreed Completion Date: December 2005

Rec No 2 (Page/Para Ref 2/4)
Recommendation: The Authority should review the physical and environmental protection measures for the computer room at Grantown-on-Spey, with particular emphasis on air conditioning, fire detection/protection measures and the removal of the paper files stored in the room.
Priority: Medium
Responsible Officer: Head of Corporate Services
Agreed: Yes
Agreed Completion Date: September 2005

Rec No 3 (Page/Para Ref 2/4)
Recommendation: The Authority should prepare a formal business continuity plan, and staff should be made aware of its contents. Testing and maintenance of the plan should take place on a regular basis.
Priority: High
Responsible Officer: Head of Corporate Services
Agreed: Yes
Agreed Completion Date: December 2005