- Council – Review current ICT Policies, Strategy, BCP and carry out an ICT Risk Assessment
- Council being audited by the Audit Office annually, address lack of Risk Management Policy
- Increase in the effectiveness and competence of attacks
- Complexity of deploying solutions from multiple vendors
- Pressures from Management and stakeholders to secure environment
- Limited Budget and Resources
- Evaluation of risks against future planned projects and upgrades
- Follow an ISO 27001 ISMS approach and methodology
- Review current risks; review risk registers and gain an understanding of the current security posture
- Identify and classify the information, crown jewels, sources, locations, and critical infrastructure
- List potential attack vectors and rate all risks
- Carry out workshops with key stakeholders (including decision makers) to make sure that everyone understands the risks. Identify the costs and consequences of the risks.
- Provide a revised ICT Risk Register with a high-level plan that can be integrated within the ICT Strategy
What did we learn?
- There is a wide gap of understanding between Management, the ICT Team and the council's staff. Expected outcomes and goals can vary quite dramatically.
- Collating all the information and details in a simplified format and helping all stakeholders understand and accept the real risks is the key to minimising time and budget wastage.
- Improving and investing in security needs to become an integral part of ICT Strategic Planning.
- In some cases, the risk can be addressed by the adoption of some relatively simple and low-cost strategies.