Corporate Risk Assessment

Meeting: 01/06/2023 - Governance and Audit Committee (Item 77)

77 Corporate Risk Assessment 2023 (PDF, 219 KB)

Minutes:

The purpose of this report was to provide the Committee with an updated Corporate Risk Assessment 2023-24.

There are currently 11 risks on the Corporate Risk Register and every one of those risks has been reviewed by the Corporate Management Board.

Mitigating actions remain in place with no changes made to the categorisation of the risks since the review in January 2023.

It was noted at a previous meeting that Members wanted to see improvements in the presentation of the document. A new risk management software program is currently being tested, and this could improve the quality of the report so that targets, dates and action plans can be examined, and so that it is clearer where changes have been made to the corporate risk assessments. It is hoped that a new report will be available for Members when the Corporate Risk Assessment is next presented to the Committee.

As part of the process of highlighting the risks for Members, the Group Manager, ICT made a presentation on cybersecurity.

To highlight the importance of the issue, and a specific current concern, he drew attention to the fact that the Council’s email security gateway blocks 450 phishing emails per day.

Using the National Cyber Security Centre’s 10 Steps to Cyber Security to structure his presentation, he discussed issues as follows:

1. Risk Management – taking a risk-based approach to securing data and systems.

2. Engagement and Training – collaboratively building security that works for people in the organisation.

3. Asset Management – knowing what data and systems we have and what business needs they support.

4. Architecture and Configuration – designing, building, maintaining and managing systems securely.

5. Vulnerability Management – keeping systems protected throughout their lifecycle. It should be noted that a recent regional internal audit of this area of work received an audit opinion of substantial assurance.

6. Identity and Access Management – controlling who and what can access systems and data.

7. Data Security – protecting data where it is vulnerable.

8. Logging and Monitoring – designing systems to be able to detect and investigate incidents.

9. Incident Management – planning a response to cyber incidents in advance.

10. Supply Chain Security – collaborating with suppliers and partners.

In response to the presentation, a Member asked how we back up our systems. The Group Manager, ICT responded by saying the Council’s systems were run, day-to-day, out of the data centre in Bridgend, but the Council also has a co-hosting agreement with Rhondda Cynon Taff. All the Council’s data was held on a live synchronous backup at the Rhondda Data Centre.

Another Member discussed the issue of training and keeping up with developments such as AI, false QR codes, and the misuse of personal identities. The Group Manager, ICT responded by highlighting that this was an ever-changing threat and that it is necessary to address the issue of how we educate staff about cybersecurity. He suggested he could speak to his line manager and the Chief Officer – Finance, Performance ...