Cyber Security Strategy (2022-2025) – Durham County Council

Durham County Council (DCC) has developed a Cyber Security Strategy which outlines the council’s approach to cyber resilience and security.

This cyber security strategy sets out Durham’s approach to protecting its information systems and the data they hold, to ensure that the services the council provides are secure and that its residents, businesses and stakeholders can safely transact with it.

This strategy demonstrates their commitment and the key actions they will take to further establish a trusted digital environment for DCC. They aim to strengthen and secure DCC from cyber threats by increasing security awareness throughout their workforce, investing in their systems and infrastructure, deterring adversaries and developing a wide range of responses, from basic cyber hygiene to the most sophisticated defences.

Challenges

  • The council continues to use an increasing range of technology, from apps and the cloud to different devices.
  • Much of the council’s business is done online, such as corresponding with residents and local businesses, carrying out case work, and reviewing reports and papers for council meetings.
  • This direction of travel is expected to continue and accelerate, making effective cyber security ever more crucial in protecting against new types of threats, risks and vulnerabilities.

Approach

The purpose of the strategy is to give assurance to residents and other stakeholders of the council’s commitment to delivering robust information security measures that protect resident and stakeholder data from misuse and cyber threats, and to safeguarding their privacy through increasingly secure and modern information governance and data sharing arrangements, both internally and with partners.

Through delivery of this strategy, Durham will comply with and embed the principles of ‘Cyber Essentials Plus’, a government-backed, industry-supported scheme to help organisations protect themselves against common online threats. The council will also follow the “10 Steps to Cyber Security” framework published by the National Cyber Security Centre.

The scope of this strategy includes all DCC’s information systems, the data held on them, and the services they help provide. It aims to increase cyber security for the benefit of all residents, businesses, partners and stakeholders, helping to protect them from cyber threats and crime.

Outcomes and benefits

Critical success factors for the council and their cyber strategy include:

  • Develop appropriate cyber security governance processes and a security framework with policies/procedures reviewed on a regular basis.
  • Create a cyber-specific Business Continuity Management Plan and review DCC’s Incident Plan to include emergency planning for cyber attack.
  • Maintain, rehearse and regularly review an incident response and management plan, with clearly defined actions, roles and responsibilities. A copy of all incidents shall be recorded regardless of the need to report them. Set up playbooks to support test exercises on a regular basis to ensure effective reaction to incidents when they occur.
  • Create test plans with security testing as a standard. Reconcile current systems in place and previous review points (build into Enterprise Architecture).
  • Review vendor management – process of assessments of third parties.
  • Explore Active Cyber Defence tools and new technologies to ensure DCC has the best solutions to match the threats.
  • Apply the government’s cyber security guidance – 10 Steps to Cyber Security.
  • Provide relevant cyber security training for staff and elected members.
  • Apply a regular schedule of cyber exercises, within the wider cycle of multi-agency incident response and recovery exercises.

View original case study article at democracy.durham.gov.uk [PDF]

View the council’s report on the strategy [PDF]