Christchurch Borough Council
Internal Audit Services
Annual Audit Plan 2008-09

Review of: Information Security
Final Report

Contents:
- Action Plan
- Management Summary: Introduction, Objectives, Executive Summary, Control Assurance Statement
- Detailed Findings

Prepared by: Debbie Wiltshire, Auditor
Date: 3 December 2008

Draft Report: INFORMATION SECURITY

ACTION PLAN

High Priority Control Weaknesses

Objective 1
Weakness found: There is no corporate policy or strategy in relation to information security.
Risk exposure: Failures in information security resulting in loss of, damage to or disclosure of data.
Recommended action: It is recommended that a strategic information security policy is written and approved by members to demonstrate management direction and support for information security.
Management response: Agreed
Officer responsible: Information (ICT) Manager
Agreed date of action: 31-3-09

Objective 4
Weakness found: The contract for support for the Academy system does not contain robust clauses covering information security.
Risk exposure: Unauthorised disclosure of or corruption to data.
Recommended action: It is recommended that the contract with the provider of the support for the Academy system be reviewed to include strengthened controls covering information security.
Management response: Agreed
Officer responsible: Information (ICT) Manager & Head of Revenues and Benefits
Agreed date of action: 31-3-09

Objective 4
Weakness found: Inadequate system support arrangements for the Academy system.
Risk exposure: Loss of or interruption to service delivery of a business critical system.
Recommended action: It is further recommended that the arrangement for the provision of support for the Academy system be reviewed to ensure that the current arrangement provides adequate protection for the authority in the event of a serious system failure.
Management response: Agreed
Officer responsible: Head of Revenues and Benefits
Agreed date of action: 31-3-09

Medium Priority Control Weaknesses

Objective 2
Weakness found: The responsibility for information security has not been assigned to a specific senior member of staff.
Risk exposure: There is a risk that adequate systems and procedures would not be implemented and monitored without a specific senior member of staff being highlighted as having this responsibility.
Recommended action: It is recommended that the responsibility for information security be designated within the job description of a senior member of staff and that this is also reflected in the information security policy referred to above.
Management response: Agreed. A practical demonstration of the need for this has arisen in relation to the National Fraud Initiative returns. Not having one identified member of staff co-ordinating this has resulted in there being outstanding returns yet to be made.
Officer responsible: Information (ICT) Manager
Agreed date of action: 31-3-09

Objective 3
Weakness found: There are no records of USB ports that have been 'unlocked' to allow use of portable memory storage devices.
Risk exposure: There is a risk of data being downloaded to portable storage devices without authorisation.
Recommended action: It is recommended that a log of all 'unlocked' USB ports is maintained and monitored, and that controls are implemented to ensure that only officially issued portable storage devices can be used, of which an inventory will be maintained to record who the devices are issued to.
Management response: Agreed
Officer responsible: Information (ICT) Manager
Agreed date of action: 31-3-09

Objective 3
Weakness found: Data downloaded to portable storage devices is not protected by encryption.
Risk exposure: Unauthorised disclosure of data.
Recommended action: It is further recommended that consideration be given to introducing controls to ensure any data downloaded onto a portable storage device is protected by encryption.
Management response: Agreed
Officer responsible: Information (ICT) Manager
Agreed date of action: 31-3-09

Objective 3
Weakness found: There is no corporate procedure for cleansing data from obsolete hardware or for the disposal of the hardware.
Risk exposure: Unauthorised disclosure of data.
Recommended action: It is recommended that the Information Security Policy includes clear instructions on a procedure to be followed when disposing of IT hardware that is no longer of use to the authority.
Management response: Agreed
Officer responsible: Information (ICT) Manager
Agreed date of action: 31-3-09

Objective 4
Weakness found: Use of generic network and system user names and passwords for temporary staff.
Risk exposure: No clear audit trail in the event of unauthorised disclosure, loss of or damage to data.
Recommended action: It is recommended that the practice of using generic user names and passwords for temporary staff and others is ceased and that all temporary staff are issued with unique user names and passwords to provide a similar level of risk control as with permanent staff. The user names and access permissions should be revoked when the temporary member of staff leaves the authority.
Management response: Agreed
Officer responsible: Information (ICT) Manager
Agreed date of action: 31-3-09

Objective 6
Weakness found: There are few business critical systems with detailed written operating procedures.
Risk exposure: There is a risk of insecure or incorrect operation of information processing systems.
Recommended action: It is recommended that detailed operating procedures are written for all business critical systems operating within the authority.
Management response: Agreed
Officer responsible: Information (ICT) Manager
Agreed date of action: 31-3-09

Objective 6
Weakness found: There are no corporate release management, change management or configuration management procedures.
Risk exposure: Interruption to service delivery or loss of data due to incorrect or unauthorised actions to information management systems.
Recommended action: It is recommended that detailed procedures covering Release Management, Configuration Management and Change Control are drawn up and implemented.
Management response: Agreed
Officer responsible: Information (ICT) Manager
Agreed date of action: 31-3-09

Objective 6
Weakness found: There are no corporate acceptance criteria or testing procedures for implementing new information systems.
Risk exposure: Interruption to service delivery as a result of failure of new information systems being implemented.
Recommended action: It is recommended that a comprehensive set of acceptance criteria and testing procedures is developed to ensure that all new systems are tested fully during the implementation process. The testing process and its results should be documented for each system being implemented.

Objective 6
Weakness found: Inadequate network controls for remote access to networks and systems.
Risk exposure: Potential for unauthorised access to networks and information systems.
Recommended action: It is recommended that adequate network enhancements are made to increase the controls in place to enable remote access to networks to be secure, and for tools to be available to the IT team to enable them to monitor network access.
Management response: Agreed
Officer responsible: Information (ICT) Manager
Agreed date of action: 31-3-09

Objective 6
Weakness found: No robust policies and procedures for the transfer of data through interfaces to business critical systems.
Risk exposure: Data transfer may be corrupted or be incomplete, resulting in inaccurate data being held in business critical systems.
Recommended action: It is recommended that a policy is written and procedures are documented for the transfer of data through interfaces into business critical systems.

Objective 8
Weakness found: There are no corporate procedures covering the procurement or enhancement of new information systems.
Risk exposure: There is a risk that information systems may not be adequate for the purpose required.
Recommended action: It is recommended that comprehensive procedures are developed that cover the procurement or enhancement of IT systems to include specifications for appropriate security controls, instructions for cleansing of data before migration to the new system and pre-implementation testing. The requirement to follow these procedures should be referred to in the Information Security Policy.
Management response: Agreed
Officer responsible: Information (ICT) Manager
Agreed date of action: 31-3-09

Objective 9
Weakness found: There is no system for classifying, logging or reporting Information Security Incidents.
Risk exposure: There is a risk of repeated information security incidents going unnoticed and the appropriate corrective action not being taken in a timely manner. There is a further risk that costs associated with information security incidents will not be known.
Recommended action: It is recommended that a formal process for reporting, logging and monitoring information security incidents be set up. This should include a classification for different types of incidents, a ranking of the risk associated with those incidents and the costs associated with the incident. The Information Security Policy or one of its supporting documents should make reference to the need to follow the process.
Management response: Agreed
Officer responsible: Information (ICT) Manager
Agreed date of action: 31-3-09

Objective 10
Weakness found: The current business continuity arrangements are not robust and have not been tested.
Risk exposure: There is a risk that in the event of an incident resulting in loss of premises or systems, service delivery would be disrupted and critical business information could be lost or corrupted.
Recommended action: It is recommended that a review of business continuity arrangements takes place to include the requirements of all service areas within different timescales and that arrangements are put in place to ensure mitigating actions to enable the authority to meet the timescales are undertaken.
Management response: Agreed
Officer responsible: Information (ICT) Manager
Agreed date of action: 31-3-09

Objective 11
Weakness found: Reference to legislative requirements is not contained in a high level policy covering information security.
Risk exposure: Breach of legislative requirements leading to unauthorised disclosure of data and reputational damage to the authority.
Recommended action: It is recommended that the Information Security Policy includes reference to the statutory and legislative requirements relating to information security to enable the authority to evidence sound procedural practices in this area.
Management response: Agreed
Officer responsible: Information (ICT) Manager

Low Priority Control Weaknesses

Objective 4
Weakness found: Lack of instruction available to staff covering information security.
Risk exposure: Unauthorised disclosure of data.
Recommended action: It is recommended that an internal training programme covering the new information security policy is arranged to increase staff awareness of the requirements of the policy and of their individual level of responsibility for information security.
Management response: Agreed
Officer responsible: Information (ICT) Manager
Agreed date of action: 31-3-09

Objective 4
Weakness found: Lack of appropriate sanctions for security breaches.
Risk exposure: Staff unaware of their responsibilities in respect of information security, resulting in unauthorised disclosure of data.
Recommended action: It is also recommended that the Information Security Policy includes reference to the responsibilities of all members of staff and that breaches of the policy could result in disciplinary action.
Management response: Agreed
Agreed date of action: 31-3-09

Objective 6
Weakness found: There has been no testing of the recovery of an information system from backed up data.
Risk exposure: Loss of data and interruption to service delivery following a system failure.
Recommended action: It is recommended that as part of the business continuity process there is a set schedule of testing of recovery of IT systems from backed up data.
Management response: Agreed. It is also felt that overall responsibility for Business Continuity should be assigned to a senior member of staff in order to promote a corporate Business Continuity Approach.
Officer responsible: Information (ICT) Manager
Agreed date of action: 31-3-09

Objective 7
Weakness found: The system does not prevent staff using the same or similar passwords when change is forced after a set period of time.
Risk exposure: Passwords being known and used by unauthorised members of staff.
Recommended action: It is recommended that password protocols are strengthened to prevent staff from reusing the same password within a set number of changes and that it requires a minimum number of character changes each time the password is reset.
Management response: Agreed
Officer responsible: Information (ICT) Manager
Agreed date of action: 31-3-09

MANAGEMENT SUMMARY

Introduction

This audit has been undertaken in accordance with the 2008-2009 audit plan.
In undertaking this audit our officers have acted independently at all times and met the standards for internal audit prescribed in the CIPFA Code of Practice for Internal Audit in Local Government.

This report provides an opinion on the adequacy of internal control based on the work undertaken. In giving this opinion it should be noted that assurance cannot be absolute. The most an Internal Audit service can provide is reasonable assurance that there are no major weaknesses in the framework of internal control. A major weakness may be defined as one that could feasibly lead to a significant impact on the:
- ability of the service to function normally
- ability of the service to meet national or local rules and regulations
- service's reputation
- service's financial standing
- value for money of the service's activities

In determining the level of assurance placed on the controls in the system by the Auditor, the following issues are taken into account. Where the Auditor agrees that the control objectives are met in full, 'reasonable assurance' will be given. Where the Auditor agrees that the control objectives are met in full but some further improvements can be made, which are reflected in the recommendations, then the control assurance statement will reflect this. Where the Auditor cannot agree that the control objectives have been met, the control assurance statement will state that 'reasonable assurance cannot be given'.

Objectives

The purpose of the audit work was to ensure that control systems adequately meet the objectives set out below, as agreed with service management. I have reviewed the documented framework of internal control and selectively tested areas in accordance with my assessment of risk, including those areas identified at our initial meeting when the scope of the audit was discussed.
I have concluded that (Agreed: Yes, No or N/A):

1 INFORMATION SECURITY POLICY - To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. Agreed: No

2 INTERNAL ORGANISATION - To manage information security within the organisation. Agreed: No

3 ASSET MANAGEMENT - To achieve and maintain appropriate protection of organisational assets and to ensure that information receives an appropriate level of protection. Agreed: Yes*

4 HUMAN RESOURCES SECURITY - To ensure that all employees, contractors and third parties are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organisational security policy in the course of their normal work, and to reduce the chance of human error. Agreed: Yes*

5 PHYSICAL AND ENVIRONMENTAL SECURITY - To prevent unauthorised physical access, damage and interference with the authority's premises and information. To prevent loss, damage, theft or compromise of assets and interruption to the authority's activities. Agreed: Yes

6 COMMUNICATIONS & OPERATIONS MANAGEMENT - To ensure the correct and secure operation of information processing facilities. Agreed: No

7 ACCESS CONTROL - To control access to information. Agreed: Yes*

8 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT & MAINTENANCE - To ensure that security is an integral part of information systems. To prevent loss, error, unauthorised modification or misuse in applications. To ensure the security of system files. Agreed: Yes*

9 INFORMATION SECURITY INCIDENT MANAGEMENT - To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken. Agreed: No

10 BUSINESS CONTINUITY MANAGEMENT - To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters, and to ensure their timely resolution. Agreed: Yes*

11 COMPLIANCE - To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements. To ensure compliance with the authority's information security policies and procedures. Agreed: Yes*

For those 'yes' answers marked with an asterisk, please refer to the action plan for recommended actions for necessary improvement.

Executive Summary

Information security is currently high profile and very sensitive. There have been numerous highly publicised occurrences of breaches of information security resulting in loss of personal data in many public sector organisations. Each time this happens it damages the public reputation of the organisation concerned. It is critical therefore that the authority is aware of the risks it faces in relation to information security and is able to identify where strengthening controls would improve the security of information, including personal data. The risk of reputational damage to the authority can then be reduced. Unfortunately some data losses are due to human error and are difficult to prevent with even the tightest controls, but raising awareness among staff of the required procedures and the reasons for these being in place can also contribute to reducing this risk.

The information manager, appointed in the last year, has already made considerable progress in highlighting and improving some of the control weaknesses in this area. He has given significant co-operation and input to this audit review, and the auditor is grateful for that co-operation.

Controls Assurance Statement

On the basis of my work it is my opinion that, dependent on the implementation of the recommendations, the framework of internal control gives reasonable assurance that the resources managed are adequately controlled with due regard to value for money.
Signed: Debbie Wiltshire    Date: 3 December 2008
(For Internal Audit Partnership)

DETAILED FINDINGS

Where controls have been assessed as adequately meeting the control objectives no further report is included. Where detail is included, this explains the weakness found, the associated risk and the recommended action.

OBJECTIVE 1 INFORMATION SECURITY POLICY - To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

1.1 At the time of the audit review there was no overarching strategic information security policy in place.

1.2 There is a risk that, without clear responsibilities and guidance on procedures relating to information security, the authority could be a victim of loss of, damage to or unauthorised disclosure of data, which could result in reputational damage to the authority.

1.3 It is recommended that a strategic information security policy is written and approved by members to demonstrate management direction and support for information security.

OBJECTIVE 2 INTERNAL ORGANISATION - To manage information security within the organisation.

2.1 The responsibility for ensuring that adequate systems and procedures in relation to information security are in place is not currently designated within a senior member of staff's job description.

2.2 It would be appropriate for this responsibility to be designated within the job description of the information manager.

2.3 There is a risk that adequate systems and procedures would not be implemented and monitored without a specific senior member of staff being highlighted as having this responsibility.

2.4 It is recommended that the responsibility for information security be designated within the job description of a senior member of staff and that this is also reflected in the information security policy referred to above.
OBJECTIVE 3 ASSET MANAGEMENT - To achieve and maintain appropriate protection of organisational assets and to ensure that information receives an appropriate level of protection.

3.1 There is currently an inventory of information technology hardware which has recently been reviewed and updated.

3.2 It is the policy of the authority that all USB ports on CBC computers are 'locked' and can only be 'unlocked' by the IT team on request.

3.3 There is no log maintained of which USB ports have been 'unlocked' and would be available to use.

3.4 It is recognised that the ready availability of portable storage devices, such as memory sticks, poses a high level of risk to information security. Improved controls in this area can help to reduce this risk. Memory sticks are inexpensive and small, making them easily available for personnel to use to download data, perhaps to complete work at another location.

3.5 A log of all USB ports that are currently 'unlocked', and a review of the continued need for each individual occasion of this, would help to improve controls.

3.6 Controls should be put in place to ensure only officially issued portable storage devices can be used in USB ports on CBC computers.

3.7 It is recommended that a log of all 'unlocked' USB ports is maintained and monitored, and that controls are implemented to ensure that only officially issued portable storage devices can be used, of which an inventory will be maintained to record who the devices are issued to.

3.8 It is further recommended that consideration be given to introducing controls to ensure any data downloaded onto a portable storage device is protected by encryption.

3.9 Prior to April 2008 hardware was sometimes disposed of by being sold to members of staff. Although there was a practice of cleansing data from IT hardware, there have been no records maintained of this happening and therefore there would be no evidence of this in the case of an incident arising.
No issues have arisen so far.

3.10 There is currently no documented procedure to follow when IT hardware is surplus to requirements. There is a risk that data contained on obsolete IT hardware could be disclosed.

3.11 It is recommended that the Information Security Policy includes clear instructions on a procedure to be followed when disposing of IT hardware that is no longer of use to the authority.

OBJECTIVE 4 HUMAN RESOURCES SECURITY - To ensure that all employees, contractors and third parties are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organisational security policy in the course of their normal work, and to reduce the chance of human error.

4.1 When the information security policy is approved it will be beneficial to arrange internal training sessions for all staff to ensure heightened awareness of the policy, the risks around information security and their own responsibilities in relation to information security, especially personal data.

4.2 There is a risk that, without the awareness of staff being raised to the importance of why controls are in place in relation to information security, data losses could occur, even inadvertently, resulting in reputational damage to the authority.

4.3 It is recommended that an internal training programme covering the new information security policy is arranged to increase staff awareness of the requirements of the policy and of their individual level of responsibility for information security.

4.4 It is also recommended that the Information Security Policy includes reference to the responsibilities of all members of staff and that breaches of the policy could result in disciplinary action.
4.5 It was noted during the audit that the arrangement for the support and maintenance of the Academy system, which holds all Council Tax Benefit and Housing Benefit records as well as Council Tax records, is with one individual operating as a sole trader.

4.6 The contract between CBC and the service provider does not contain strong contractual clauses about information security, and yet the service provider has remote access to the Academy system, containing potentially the most sensitive personal data held by the authority.

4.7 The auditor is concerned that this places a risk on the authority and that this could be reduced by having an information security clause in the contract with the service provider.

4.8 The auditor is also concerned that this arrangement provides scant cover for what is a business critical system, and that should there be a system failure when the service provider is unavailable for a period of time due to an unforeseen event, then the service delivery to benefit recipients and council tax payers could be severely affected.

4.9 It is recommended that the contract with the provider of the support for the Academy system be reviewed to include strengthened controls covering information security.

4.10 It is further recommended that the arrangement for the provision of support for the Academy system be reviewed to ensure that the current arrangement provides adequate protection for the authority in the event of a serious system failure.

4.11 It was reported to the auditor that temporary staff are generally issued with generic user names and passwords for logging into IT systems when they work at the authority. It is likely that supervisory staff also have knowledge of these user names and passwords in order to train and induct temporary staff.

4.12 Use of generic user names and passwords removes any audit trail of who might be responsible for unauthorised access to data or for actions which might cause corruption of data leading to service delivery failures.
4.13 Risks associated with temporary staff in relation to unauthorised access to or inappropriate use of personal data are higher than with permanent staff, as the organisation has not had the opportunity to undertake the same level of checks as when appointing permanent staff.

4.14 It is recommended that the practice of using generic user names and passwords for temporary staff and others is ceased and that all temporary staff are issued with unique user names and passwords to provide a similar level of risk control as with permanent staff. The user names and access permissions should be revoked when the temporary member of staff leaves the authority.

OBJECTIVE 6 COMMUNICATIONS & OPERATIONS MANAGEMENT - To ensure the correct and secure operation of information processing facilities.

6.1 It was not possible to locate detailed operating procedures for all systems. Detailed operating procedures assist staff when using the system in question and also assist IT staff in the event of a system failure.

6.2 It was established that there are some business critical systems for which there are no detailed operating procedures, including the planning system (PACS) and the asset management system (NVM). Should there be a major system failure there is a risk that the recovery of the information contained within the systems would be impaired, which could result in an adverse effect on service delivery.

6.3 It is recommended that detailed operating procedures are written for all business critical systems operating within the authority.

6.4 There are no strict change control procedures in place. There are informal, undocumented procedures.

6.5 There is a risk that changes to systems that are unauthorised or unrecorded may result in system failure which may be difficult to recover from and could result in service delivery failure.
6.6 It is recommended that detailed procedures covering Release Management, Configuration Management and Change Control are drawn up and implemented.

6.7 There are no set acceptance criteria for testing new systems. When a new IT system is implemented it is necessary to test the application to ensure data is handled in the way expected and that appropriate data migration can be undertaken to ensure continuity of service delivery and quality of data.

6.8 Without these criteria and procedures in place there is a risk of service delivery failure or corruption of data when new business critical IT systems are implemented.

6.9 It is recommended that a comprehensive set of acceptance criteria and testing procedures is developed to ensure that all new systems are tested fully during the implementation process. The testing process and its results should be documented for each system being implemented.

6.10 There is a regular programme of backing up systems to ensure the integrity of data held in the event of a system failure.

6.11 However, the recovery of a system from backed up information has not been tested.

6.12 It is recommended that as part of the business continuity process there is a set schedule of testing of recovery of IT systems from backed up data.

6.13 There are no tools available to assist the IT team to monitor network access.

6.14 There are increasing requests for remote access to the corporate network. The current infrastructure is not considered suitable or adequate for the increased demands for remote access to networks.

6.15 Improvements to controls are already being made, for example the introduction of two factor authentication when logging into the network remotely.
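The backup finding at 6.10 to 6.12 above makes a point that applies well beyond this authority: a backup that has never been restored is an untested assumption, and the only way to know it works is to restore it somewhere harmless and compare what comes back with what went in. The following is an added example written for this report, not code from the authority or the audit. It takes a backup of a small constructed data set together with a manifest of file hashes, restores it into a scratch directory and checks every file against the manifest, then truncates the archive to stand in for a media fault and shows the same check failing. The tar.gz format, the JSON manifest, the sample files and the damage simulated are all assumptions; the report does not describe the authority's backup product.

```python
"""Scheduled restore test for a backup set: restore into a throwaway directory
and verify every file against a manifest of hashes taken when the backup was made.

Constructed example. The tar.gz archive, the JSON manifest, the sample files
and the simulated fault are assumptions, not the authority's backup arrangements.
"""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(source: Path, archive: Path, manifest_path: Path) -> None:
    """Write the archive and, alongside it, the manifest the restore test will use."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    manifest_path.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def restore_test(archive: Path, manifest_path: Path) -> dict:
    """Restore into a scratch directory (never over live data) and verify against
    the manifest. Returns a record suitable for the recovery-test schedule."""
    manifest = json.loads(manifest_path.read_text())
    result: dict = {"restored": 0, "missing": [], "corrupt": [], "unreadable": None}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # The 'data' extraction filter (Python 3.12, backported to maintenance
                # releases) refuses members that would escape the destination directory.
                extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **extra)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            # An archive that cannot be read at all is the worst outcome: record it.
            result["unreadable"] = f"{type(exc).__name__}: {exc}"
            result["ok"] = False
            return result
        for rel, expected in manifest.items():
            restored = Path(scratch, rel)
            if not restored.is_file():
                result["missing"].append(rel)
            elif sha256_file(restored) != expected:
                result["corrupt"].append(rel)
            else:
                result["restored"] += 1
    result["ok"] = not result["missing"] and not result["corrupt"]
    return result


def demo() -> tuple[dict, dict]:
    """Back up constructed sample data, run the restore test, then cut the archive
    in half to simulate a media fault and run the test again."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        live = root / "live"
        (live / "benefits").mkdir(parents=True)
        (live / "benefits" / "claims.csv").write_text("ref,amount\nC1,120.00\nC2,45.50\n")
        (live / "config.ini").write_text("[db]\nhost=localhost\n")
        archive, manifest = root / "nightly.tar.gz", root / "nightly.manifest.json"
        take_backup(live, archive, manifest)
        good = restore_test(archive, manifest)
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])   # constructed media fault
        bad = restore_test(archive, manifest)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("intact archive: ", good)
    print("damaged archive:", bad)
```

The manifest is what makes the test meaningful: without hashes recorded at backup time, a restore that "completes" can still silently return stale or corrupted files. Keeping the manifest with the backup set, and running this on the schedule recommended at 6.12, turns the backup programme at 6.10 from an assumption into evidence.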
6.16 There is a risk that, without appropriate controls in place when the network is being accessed remotely, inappropriate or unauthorised use of or access to systems could corrupt systems, leading to inaccurate data, loss of data or loss of service delivery to customers.

6.17 It is recommended that adequate network enhancements are made to increase the controls in place to enable remote access to networks to be secure, and for tools to be available to the IT team to enable them to monitor network access.

6.18 There are no policies or procedures in place covering the transfer of data through interfaces into business critical systems. This is particularly important in relation to the data transferred into the Griffin finance system from other systems, including the income management system and the leisure management system.

6.19 There is a risk that data transfer may be corrupted or be incomplete, resulting in inaccurate data being held in business critical systems.

6.20 It is recommended that a policy is written and procedures are documented for the transfer of data through interfaces into business critical systems such as the finance system.

OBJECTIVE 7 ACCESS CONTROL - To control access to information.

7.1 Employed staff are issued with unique user names and passwords for network and system access. Passwords issued to a new starter have to be reset at the first log in. Passwords have to comply with a minimum standard comprising a combination of characters and have to be changed after a set time interval.

7.2 There is no restriction on users reusing the same or a very similar password each time it is changed.

7.3 There is a risk that if passwords are reused the security of that password is weakened by other members of staff learning its format.

7.4 It is recommended that password protocols are strengthened to prevent staff from reusing the same password within a set number of changes and that a minimum number of character changes is required each time the password is reset.
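The interface finding at 6.18 to 6.20 describes the two failure modes a transfer procedure has to catch: data arriving corrupted, and data arriving incomplete. The usual control is for the sending system to put a record count and a control total in a trailer record, and for the receiving side to recompute both before anything is loaded. The following is an added example written for this report, not code from the authority or from the Griffin, income management or leisure systems it names. It validates a constructed pipe-delimited batch with header, detail and trailer records, rejects a truncated file, a duplicated record and an altered amount, and records a hash of the file as received so the sender can confirm what was transferred. The layout, record names and sample batches are assumptions.

```python
"""Reconciliation of a batch interface file before it is loaded into a
business-critical system: record count and control total against the trailer,
duplicate references, malformed amounts, and a hash of the file as received.

Constructed example. The HDR/DTL/TRL pipe-delimited layout and the sample
batches are assumptions, not the authority's actual interface format.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation


@dataclass
class BatchResult:
    ok: bool
    record_count: int
    control_total: Decimal
    sha256: str
    errors: list[str] = field(default_factory=list)


def validate_batch(raw: str) -> BatchResult:
    """Check one batch; any error means the file must not be loaded."""
    errors: list[str] = []
    digest = hashlib.sha256(raw.encode("utf-8")).hexdigest()
    lines = [ln for ln in raw.splitlines() if ln.strip()]

    if not lines or not lines[0].startswith("HDR|"):
        return BatchResult(False, 0, Decimal(0), digest, ["missing header record"])

    # A transfer cut short loses the trailer first, so its absence is the
    # primary signal of an incomplete file.
    trailer = lines[-1].split("|") if lines[-1].startswith("TRL|") else None
    if trailer is None:
        errors.append("missing trailer record (file may be truncated)")

    details = [ln.split("|") for ln in lines[1:] if ln.startswith("DTL|")]
    seen: set[str] = set()
    total = Decimal(0)
    for fields in details:
        if len(fields) != 4:
            errors.append(f"malformed detail record: {'|'.join(fields)}")
            continue
        _, ref, _gl_code, amount = fields
        if ref in seen:
            errors.append(f"duplicate transaction reference {ref}")
        seen.add(ref)
        try:
            total += Decimal(amount)          # Decimal, never float, for money
        except InvalidOperation:
            errors.append(f"non-numeric amount for {ref}: {amount!r}")

    if trailer is not None:
        try:
            expected_count, expected_total = int(trailer[1]), Decimal(trailer[2])
        except (IndexError, ValueError, InvalidOperation):
            errors.append("malformed trailer record")
        else:
            if expected_count != len(details):
                errors.append(f"record count {len(details)} does not match trailer {expected_count}")
            if expected_total != total:
                errors.append(f"control total {total} does not match trailer {expected_total}")

    return BatchResult(not errors, len(details), total, digest, errors)


# Constructed sample batch from an income management system to a finance system.
GOOD_BATCH = """HDR|INCOME|20081203-001|2008-12-03
DTL|R100001|GL4100|125.50
DTL|R100002|GL4100|-12.00
DTL|R100003|GL4210|300.00
TRL|3|413.50
"""
# The same batch after three failure modes the procedure has to catch.
TRUNCATED_BATCH = "\n".join(GOOD_BATCH.splitlines()[:3]) + "\n"   # end of file lost in transfer
DUPLICATE_BATCH = GOOD_BATCH.replace("R100003", "R100001")         # a record sent twice
CORRUPTED_BATCH = GOOD_BATCH.replace("125.50", "152.50")           # one amount altered in transit

if __name__ == "__main__":
    for name in ("GOOD_BATCH", "TRUNCATED_BATCH", "DUPLICATE_BATCH", "CORRUPTED_BATCH"):
        result = validate_batch(globals()[name])
        print(f"{name}: {'OK' if result.ok else result.errors} sha256={result.sha256[:12]}")
```

Two design points matter for the procedure recommended at 6.20. The control total has to be carried in the file by the sender, not agreed by telephone afterwards, or the receiving system has nothing independent to reconcile against. And the hash of the file as received, logged with the batch identifier, gives both parties a common reference if a discrepancy is investigated later.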
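The password finding at 7.2 to 7.4 asks for two distinct controls that are easy to conflate: a history check, so that none of the last N passwords can be reused, and a similarity check, so that a forced change cannot be satisfied by incrementing a digit. They have different mechanics. The history can be kept as salted hashes, so reuse is detected by hashing the candidate and comparing. Similarity cannot be judged from hashes at all; it can only be measured at the moment of change, when the user has just typed the current password to authorise it. The following is an added example written for this report, not the authority's system or any product it uses. The thresholds, the hashing parameters and the sample passwords are assumptions.

```python
"""Password-change policy: refuse reuse of any of the last HISTORY_DEPTH passwords,
and require at least MIN_CHANGED_CHARS edits against the current password.

Constructed example. The thresholds, the PBKDF2 parameters and the sample
passwords are assumptions; the audit report does not state the authority's values.
"""
from __future__ import annotations

import hashlib
import hmac
import os

HISTORY_DEPTH = 12       # assumed: passwords (current included) that may not be reused
MIN_CHANGED_CHARS = 4    # assumed: minimum edits between the old and new password
PBKDF2_ROUNDS = 100_000  # assumed work factor; only salted hashes are ever stored


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage in the history."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against one stored (salt, digest) pair."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance. Insertions, deletions and substitutions cost 1 each, so
    prefixing a digit ('Summer08' -> '1Summer08') counts as one change even though
    every character position has shifted; a position-by-position comparison would not."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class PasswordHistory:
    """Per-account store of the current hash and up to HISTORY_DEPTH - 1 previous ones."""

    def __init__(self, initial_password: str) -> None:
        self.entries: list[tuple[bytes, bytes]] = [hash_password(initial_password)]

    def check_change(self, current_password: str, new_password: str) -> list[str]:
        """Return the policy violations for a proposed change (empty list = allowed).

        current_password is what the user typed to authorise the change. That is the
        only moment the similarity rule can be evaluated, because the history holds
        hashes and a hash cannot be compared character by character."""
        if not verify(current_password, *self.entries[-1]):
            return ["current password incorrect"]
        problems: list[str] = []
        if any(verify(new_password, salt, digest) for salt, digest in self.entries[-HISTORY_DEPTH:]):
            problems.append(f"password reused within the last {HISTORY_DEPTH} changes")
        # casefold so that 'Summer08!' -> 'SUMMER08!' is treated as zero changes
        if edit_distance(current_password.casefold(), new_password.casefold()) < MIN_CHANGED_CHARS:
            problems.append(f"fewer than {MIN_CHANGED_CHARS} characters changed")
        return problems

    def change(self, current_password: str, new_password: str) -> list[str]:
        """Apply the change if it passes policy; return the violations either way."""
        problems = self.check_change(current_password, new_password)
        if not problems:
            self.entries.append(hash_password(new_password))
            del self.entries[:-HISTORY_DEPTH]   # keep only the most recent hashes
        return problems


if __name__ == "__main__":
    history = PasswordHistory("Summer08!")
    for old, new in [("Summer08!", "Summer09!"), ("Summer08!", "SUMMER08!"),
                     ("Summer08!", "Tr0ub4dor&3"), ("Tr0ub4dor&3", "Summer08!")]:
        print(f"{old!r} -> {new!r}: {history.change(old, new) or 'accepted'}")
```

The order of checks is deliberate: the current password is verified first so that the change endpoint cannot be used as an oracle to test candidate passwords against the history. Casefolding before the distance calculation closes the common 'same password, different capitalisation' evasion, which is exactly the 'same or similar password' weakness described at 7.2.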
OBJECTIVE 8 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT & MAINTENANCE - To ensure that security is an integral part of information systems. To prevent loss, error, unauthorised modification or misuse in applications. To ensure the security of system files.

8.1 There are no documented procedures to ensure that the specifications for new information systems, or for enhancements to existing systems, include the requirements for security controls.

8.2 It is accepted that in most cases best practice has ensured that new IT system procurements or enhancements do include these specifications, but this depends on staff experienced in the procurement of new IT systems being on every review or procurement group.

8.3 There is a risk that the initial design or procurement stage of a new system does not consider the appropriate controls for the security of information within the system, the correction of which after the system has been implemented would be costly to undertake.

8.4 Detailed procedures would ensure a consistent approach across all systems.

8.5 It is recommended that comprehensive procedures are developed that cover the procurement or enhancement of IT systems to include specifications for appropriate security controls, instructions for cleansing of data before migration to the new system and pre-implementation testing. The requirement to follow these procedures should be referred to in the Information Security Policy.

OBJECTIVE 9 INFORMATION SECURITY INCIDENT MANAGEMENT - To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.

9.1 There is no system for classifying, logging or reporting Information Security Incidents.

9.2 Management responsibilities and procedures should be established to ensure a quick, effective and orderly response to information security incidents.
9.3 There should be mechanisms in place to enable the types, volumes and costs of information security incidents to be quantified and monitored.

9.4 There is a risk of repeated information security incidents going unnoticed and the appropriate corrective action not being taken in a timely manner. There is a further risk that the costs associated with information security incidents will not be known.

9.5 It is recommended that a formal process for reporting, logging and monitoring information security incidents be set up. This should include a classification for different types of incident, a ranking of the risk associated with those incidents and the costs associated with each incident. The Information Security Policy or one of its supporting documents should make reference to the need to follow the process.

OBJECTIVE 10 BUSINESS CONTINUITY MANAGEMENT - To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters, and to ensure their timely resolution.

10.1 The auditor has concerns about the adequacy of the business continuity arrangements currently in place. There is a business continuity plan, but it has not been updated recently or tested.

10.2 A managed process should be developed and maintained for business continuity throughout the authority that addresses the information security requirements for business continuity.

10.3 Events that can cause interruptions to business processes shall be identified, along with the probability and impact of such interruptions and their consequences for information security.

10.4 Plans should be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required timescales following interruption to, or failure of, critical business procedures.
10.5 Business continuity plans should be tested and updated regularly to ensure that they remain relevant and effective.

10.6 There is a risk that, in the event of an incident resulting in loss of premises or systems, service delivery would be disrupted and critical business information could be lost or corrupted.

10.7 It is recommended that a review of business continuity arrangements takes place, covering the requirements of all service areas within their different timescales, and that arrangements are put in place to ensure that the mitigating actions needed to enable the authority to meet those timescales are undertaken.

OBJECTIVE 11 COMPLIANCE - To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements. To ensure compliance with the authority's information security policies and procedures.

11.1 There are adequate practices in place for raising staff awareness of legislation around data protection, and membership of the Dorset Information Management & Compliance Group ensures that updates to legislation are communicated to the authority. Documents and guidance notes produced by the DIM&CG are used for staff training and information.

11.2 However, some of the weaknesses identified above could result in unauthorised disclosure of information, including personal data, through human or system error.

11.3 It is recommended that the Information Security Policy includes reference to the statutory and legislative requirements relating to information security, to enable the authority to evidence sound procedural practices in this area.
