Case Studies

Caerphilly County Borough Council

Data security and the user by Paul Lewis, IT Development Manager at Caerphilly County Borough Council

With user negligence cited as the cause of 88 per cent of data breaches, staff awareness is fundamental to data protection, writes Paul Lewis, IT Development Manager at Caerphilly County Borough Council...

User awareness is fundamental to Caerphilly County Borough Council's information assurance objectives. The council's requirement to automate this area was driven by the growing importance of data handling and data security, for which a number of legislative and regulatory initiatives had been introduced: the Government Connect Secure Extranet (GCSx) Code of Connection, PCI DSS, ISO 27001 and the Data Protection Act. It was imperative that the council could ensure understanding and compliance amongst staff, elected members and trusted third parties, and could produce demonstrable evidence of awareness and engagement activities for auditors. Availability of information is a critical part of information assurance; at the same time, making data available to employees is one of the biggest risks that a modern council must manage, because every person with access is a potential source of loss or misuse.

We were aware that the customary methods of employee communication, such as email and the corporate intranet, would not allow the council to fulfil its regulatory obligations: a policy circulated by email leaves no verifiable record of who has read, understood and accepted it. An enhanced, sustainable model for information assurance was required, one that would deliver continuous and repeatable user awareness and accountability across the whole organisation. The IT team concluded that achieving this effectively required a dedicated compliance automation tool that met these specific, best-practice requirements.

The solution
The council's 10,000-strong workforce is made up of a diverse range of staff, 4,000 of whom are IT users who must be consistently included in the IT assurance awareness programme. Alongside this, the council required an uncomplicated solution that would be straightforward to implement, light to manage and would allow us to achieve quick wins in user awareness and accountability across the entire council.

After going to the market through a competitive and rigorous tender process, Caerphilly County Borough Council selected a leading IT assurance awareness solution, MetaCompliance Advantage, to support the council's user awareness and employee engagement requirements. IT assurance software of this kind records each employee's participation in policy and compliance communication, so that acknowledgement of a policy can be evidenced rather than assumed. As a result, the system will provide the management tools needed to implement appropriate policy and governance measures, improve audit readiness and demonstrate compliance in internal processes and employee best practice.

Securing information assurance
Deploying the IT assurance awareness solution looks set to bring a number of key benefits to the council's information assurance programme. It will support user awareness and accountability through verifiable communication and situational awareness functionality. The software will also generate automatically the demonstrable evidence that legislative and regulatory obligations require.

Automated risk assessment and measurement of the council's information assurance posture will deliver sustainable, best-practice compliance and allow the organisation to streamline its information governance expenditure.

If 88 per cent of data breaches can be traced back to user negligence, the user is the most significant threat to the security of data. Employee awareness is the single biggest differentiator between nominal and best-practice information governance programmes, and is an essential factor in maintaining regulatory compliance and IT assurance. Traditional methods of communication, such as email and the corporate intranet, simply will not deliver the levels of awareness that are required, nor the evidence that they have been achieved. Public sector organisations must look to specialist compliance automation tools to ensure that they develop an educated, vigilant workforce that properly uses, values and protects the data it holds.