Scottish Local Authority Security Group
SLASG
Scottish Local Authority
Security Group
Briefing for
23rd January 2015
Participating Local Authorities and
Partners
Representatives from all 32 Scottish Local Authorities receive members
questions, responses and weekly roundup.
Representatives from the following partners receive weekly roundups, have an
invitation to attend group meetings where pertinent, and regularly use the
group as a conduit for distributing information and consultation.
SEPA
NHS NSS
SCRA
COSLA
Scottish Gov
SWAN
NRoS
Improvement Service
Police Scotland
SOCITM
Members
• Information Security Managers / Officers
• ICT Security Managers / Officers
• ICT Managers / Officers with an interest in
Information Security
• DPA/Information Governance Specialists
Remit
‘A Local Authority forum to discuss
common Information security concerns
and best practice’
‘The group has no formal decision
making responsibilities, but aims to
influence and advise on information
security related issues’
Aims
 Develop a common voice for Information Security issues
 Share best practice
 Develop common strategies and policies
 Share alerts
 Report Incidents
 Act as a knowledge base
 Benchmark peers
 Share product/technology knowledge
 PSN knowledge sharing
Organisation
• Annually elected chair and depute
• Representation from All 32 Scottish local authorities
• Meet every 2 months
• Group member and partner presentations
• Supplier and third party speakers
Other Activities
• Regular mailing list
• Web hosted ‘shared data repository’
• Registered on WARP.GOV.UK as a Scottish Warning,
Advice and Reporting Point (SLGWARP) with Web
presence
• Participants on the SWAN Information Assurance Panel
• Participants on the MyAccount Scotland IAMSF
(Information Assurance Standards and Management
Forum)
• Participants in NHS Scotland Information Security Forum
Benefits
• Access to other Information Security professionals who
understand the problems unique to councils and can help
identify both risks and solutions.
• Assistance in understanding issues relating to
Information Security where expertise or experience is
lacking
• Sharing of policies / strategies/ practices - no need to
reinvent the wheel
• 'Live' discussions rapidly identify common risks and
potential solutions
• Conduit to disseminate critical security information, eg
Heartbleed and Poodle, and contribute to the gathering of
threat intelligence and impact of Security related issues
Recent Meetings
•
•
•
•
•
•
•
16th December at Stirling Management Centre, PSN Changes.
Certification process will be changing-1 year and 2 year
certificates may be granted depending on the information
assurance posture of the submitting organisation, in cases of
“low” IA posture, an on site inspection may be carried out.
LA’s will not be bound by SPF in 2016
BPSS or disclosure checks will no longer be required by GDS
except for key Systems/Network admins, although MOU’s and
agreements with other organisations such as DWP will still
require the BPSS standard checks, therefore those accessing
PSN hosted systems or utilising gcsx email addresses will still
need checked
Anyone falling into the above categories who have been with
the organisation longer than 5 years will not require a BPSS
check
No longer a requirement to separate old BIL2 and BIL3 data
types.
GPG’s and AP’s…including AP7 are no longer mandatory, they
are for guidance only
Successes
 Continual professional development seminars
 Input, collaboration, and consultation with other
organisations – PSNA, SWAN, MyAccount (Improvement
Service), WARP.GOV, Scottish Government, NHS
Scotland
 Sharing of, compliant, best practice
 Implementation of new architectures / practices / business
processes
Future
• Development of collaboration technologies
• Alternative / improved funding streams
• Decreasing use of vendor sponsorship
• Better use of expert speakers
• Improving influence over external organisations and
their impact on local authority processes
• Grow the WARP activity