IT and Information Security
Staff training – to ensure that council data remains protected and secure, all staff must be trained according to their role prior to accessing council data. Training should be renewed every 2 years, as a minimum.
Access Controls – access controls to grant and revoke access to information and systems should be in place. This should include being able to promptly remove or block access for those who have changed roles or left the organisation.
Equipment Security – Any devices that can be used to access council data (including laptops, desktops, mobile phones/tablets) should have protective measures in place to protect the data being accessed.
Removable media – Removable media refers to USB drives, CDs, DVDs, secure digital cards and devices which permit the storage of data on memory cards; it also covers hard copy such as paper files. This type of media should only be used where there is a clear business need.
Encryption – Personal or sensitive council data should not be stored on any user device such as mobile phones, tablets, laptops etc., unless it is encrypted.
Passwords – Strong passwords must be used for any system holding council personal data – this means they should be made up of 12 characters or more and include a mix of letters, numbers and symbols.
Backups and business continuity – regular backups should be taken in a way that ensures they can be restored in a timely manner to minimise any impact on our services. The backups should be kept secure and stored separately.
Testing – council data should not be held in any test environment without prior consent from the council.
Patching and updates – Software that is used to process council data should be patched and updated in a timely manner. Additionally, IT Health Checks should be conducted regularly to confirm the effectiveness of patching.
Secure data transfer during service provision – Where there is a requirement to transfer data between the council and a contractor/supplier, this should be done securely.
Email – all employees must be made aware of the importance of sending emails to the correct recipient(s) and, where they do not send to the correct recipient, the Security Incident Reporting process should be followed.