Scottish Local Authority Security Group (SLASG)

Briefing for 23rd January 2015

Participating Local Authorities and Partners

Representatives from all 32 Scottish Local Authorities receive members' questions, responses and the weekly roundup.

Representatives from the following partners receive weekly roundups, have an invitation to attend group meetings where pertinent, and regularly use the group as a conduit for distributing information and consultation.

• SEPA
• NHS NSS
• SCRA
• COSLA
• Scottish Gov
• SWAN
• NRoS
• Improvement Service
• Police Scotland
• SOCITM

Members

• Information Security Managers / Officers
• ICT Security Managers / Officers
• ICT Managers / Officers with an interest in Information Security
• DPA/Information Governance Specialists

Remit

‘A Local Authority forum to discuss common Information security concerns and best practice’

‘The group has no formal decision making responsibilities, but aims to influence and advise on information security related issues’

Aims

• Develop a common voice for Information Security issues
• Share best practice
• Develop common strategies and policies
• Share alerts
• Report Incidents
• Act as a knowledge base
• Benchmark peers
• Share product/technology knowledge
• PSN knowledge sharing

Organisation

• Annually elected chair and depute
• Representation from all 32 Scottish local authorities
• Meet every 2 months
• Group member and partner presentations
• Supplier and third party speakers

Other Activities

• Regular mailing list
• Web hosted ‘shared data repository’
• Registered on WARP.GOV.UK as a Scottish Warning, Advice and Reporting Point (SLGWARP) with Web presence
• Participants on the SWAN Information Assurance Panel
• Participants on the MyAccount Scotland IAMSF (Information Assurance Standards and Management Forum)
• Participants in NHS Scotland Information Security Forum

Benefits

• Access to other Information Security professionals who understand the problems unique to councils and can help identify both risks and solutions.
• Assistance in understanding issues relating to Information Security where expertise or experience is lacking
• Sharing of policies / strategies / practices - no need to reinvent the wheel
• 'Live' discussions rapidly identify common risks and potential solutions
• Conduit to disseminate critical security information, e.g. Heartbleed and Poodle, and contribute to the gathering of threat intelligence and impact of Security related issues

Recent Meetings

• 16th December at Stirling Management Centre, PSN Changes.
• Certification process will be changing: 1 year and 2 year certificates may be granted depending on the information assurance posture of the submitting organisation; in cases of “low” IA posture, an on site inspection may be carried out.
• LAs will not be bound by SPF in 2016
• BPSS or disclosure checks will no longer be required by GDS except for key Systems/Network admins, although MOUs and agreements with other organisations such as DWP will still require the BPSS standard checks; therefore those accessing PSN hosted systems or utilising gcsx email addresses will still need to be checked
• Anyone falling into the above categories who has been with the organisation longer than 5 years will not require a BPSS check
• No longer a requirement to separate old BIL2 and BIL3 data types.
• GPGs and APs…including AP7 are no longer mandatory, they are for guidance only

Successes

• Continual professional development seminars
• Input, collaboration, and consultation with other organisations – PSNA, SWAN, MyAccount (Improvement Service), WARP.GOV, Scottish Government, NHS Scotland
• Sharing of compliant best practice
• Implementation of new architectures / practices / business processes

Future

• Development of collaboration technologies
• Alternative / improved funding streams
• Decreasing use of vendor sponsorship
• Better use of expert speakers
• Improving influence over external organisations and their impact on local authority processes
• Grow the WARP activity