Cyber governance - questions for a chief executive to ask

A list of questions for a chief executive to ask their teams to help understand the cyber resilience of a council.


Gather information

  • Does the council have a cyber security strategy? If it does not, does your council have a technology or digital strategy and does cyber security form a clear and defined part of this?
  • Who has responsibility and accountability for cyber security? Consider councillors, leadership and officers (inside and outside IT).
  • Who scrutinises the effectiveness of plans and change programmes in relation to cyber security? How do large digital change programmes interact, how are risks and dependencies managed, and are they managed at the right level?

Leadership

  • Do councillors receive regular cyber security updates from senior officers and leaders – including on threats, incidents and near misses?
  • Is there sufficient funding for cyber security?
  • Are senior leaders aware of the level of cyber threats and of the council's critical systems and servers? What is the risk to residents, data, service delivery, infrastructure, etc.?
  • Do senior managers have the necessary knowledge, understanding and information to make difficult strategic decisions about technology/digital projects so that they align with strategy, good practice and standards? How do conflicts get resolved?
  • Do leaders across the council understand that cyber risk is growing, must be managed and can never be eliminated?
  • What communication is taking place around cyber risk and policy within the organisation, and is it two-way?

Training

  • Are staff given training on their role in reducing cyber-risk? Is cyber security understood as a whole workforce issue?
  • Does the training work and how do we know? How is the training reinforced, progressed, focussed?
  • Do leaders have the right cyber security knowledge to effectively make decisions on this matter?
  • Have leaders undertaken the Cyber Governance Code of Practice?

Review

  • How does the council currently assess its cyber security posture against good practice, and how do we plan improvements where necessary? (use of frameworks such as the CAF for Local Government and Cyber 360 implementation tool)
  • Has the council taken opportunities for independent review of its approach to cyber security where available?
  • How does the council monitor its networks, and how are issues prioritised and dealt with?

Asset management

  • Does the council have a register of all its physical, information and software assets? Do these all have clear owners?
  • Does the council’s management of assets lead to more informed risk management?

Risk management

  • Does the council define and clearly communicate the cyber security risk appetite?
  • How does the council incorporate cyber security into wider risk management planning?

Supply chain

  • Who is responsible for managing cyber risks in supply chains?
  • Do tender documents clearly require bidders to provide evidence of their cyber security accreditations? Are there contract clauses covering cyber risk and management practices?
  • Are we able to communicate our cyber security strategy and requirements clearly and competently to those in the supply chain?
  • Do organisations in our supply chain meet our cyber security requirements?

Data management

  • What backup methods do we use (e.g. cloud storage, tape, external hard drives), and how are these managed and tested?
  • What advanced access controls do we have on sensitive data? Who has access to it, and why?
  • What important data is backed up in multiple locations and ways, and does it need to be?

Response and business continuity planning

  • Do we have a comprehensive, effective response and recovery plan with cross-organisational representation in the event of a cyber-attack or incident? Is this exercised and tested, and are senior leaders involved?
  • Do we have measures in place to ensure that work and operations are able to carry on as normal, or at minimal acceptable levels in the event of an incident?
  • Have we considered how services will operate in the event of systems not being available for prolonged periods of time?

Lessons learnt

  • Have the details of the incident been documented effectively and stored in a secure place?
  • Will there be a review into how this happened, and will cyber security measures be looked at closely as a result of the incident?
  • Are decision makers transparent and communicating with relevant officers, members and stakeholders?