Royal Borough meets tough deadline for GCSx compliance

Benefits achieved for The Royal Borough

• Automating policy distribution

  NETconsent enables automatic and consistent distribution of policy documents, making it easy to ensure that all employees receive, read and accept the policies that are relevant to their role.

• Reducing administrative workload

  NETconsent significantly reduces administrative effort, with realtime visibility of users’ acceptance or refusal, allowing the receipt and status of policies to be tracked easily.

• Providing proof of compliance

  With its comprehensive tracking and auditing capabilities, NETconsent makes it easy for the Royal Borough to prove individual users’ compliance with GCSx CoCo and many other policies.

Rigorous controls for information assurance

The Royal Borough of Kensington and Chelsea employs approximately 3,500 people, and provides a wide range of local government services for residents, visitors and the business community – delivering the highest quality at the best value for taxpayers.

As a local authority, the Council is responsible for the administration of many important services – everything from education and healthcare through to the distribution of benefits. Such services require large volumes of personal and sensitive data to be managed securely.

In recent years, the methods by which central and local government agencies store and communicate information have come under increasing scrutiny. As a result, local authorities are putting rigorous controls in place to ensure information assurance. These controls can be wide-ranging: many focus on the automated monitoring of IT systems or the physical security of government facilities. However, an arguably more important aspect of security management is to ensure that employees understand the implications of security breaches, and are properly trained to avoid them.

Addressing the human factor of policy management

Following an audit, the Royal Borough identified the risks and implications of not implementing a formal process that would manage the Council’s information assurance policies and many other aspects of working practice. They reported that without such a process, employees would be less likely to read policies thoroughly, and would therefore be less able to comply with the rules. The auditors’ recommendation was simple: a method needed to be developed to confirm employees’ acceptance and understanding of the policies.

A cross-departmental project team from HR, Internal Audit and Information Systems began the search for a system to automate the distribution of policies, record users’ agreement, and prove that the Council had taken steps to consistently communicate policies and raise awareness. Following an evaluation of three software solutions, NETconsent was selected as the most effective automated policy management system for use within the Council.

Successful pilot

The implementation started with a pilot project involving 150 people. Initially, there was some anxiety that employees might complain if they were suddenly forced to read and electronically accept policies, so the pilot began using NETconsent Informer, which simply introduced the NETconsent policy module, notified the relevant users that they would soon start receiving their policies online and explaining what they needed to do then.

NETconsent Informer was used to follow up the initial communication by the Heads of Department, reminding people of the anticipated change to the policy management process and helping them get accustomed to the new NETconsent screen appearing at logon. As a result of this initial groundwork, 99 percent of users accepted the full NETconsent automated policy management system without any issues when it was subsequently introduced in enforced mode.

“NETconsent Informer has become an invaluable method to communicate short messages to our staff in a manner that catches their attention without making significant demands on our usual internal communications resources, such as email.” says Barry Holloway, Head of Information Services.

Meeting critical Code of Connection deadline

One of the most important pillars of the UK government’s increasingly rigorous approach to information assurance is use of the Government Connect Secure Extranet (GCSx). The ability to communicate with other government agencies is absolutely mission-critical, meaning the Council needs to connect to the GCSx network.

 

As well as implementing technical controls, the Royal Borough needed to ensure that every user given access to GCSx had read and signed a Personal Commitment Statement (PCS) indicating their agreement to adhere to the IT security controls required by the Code of Connection (CoCo). With NETconsent already in place for policy management, it was the obvious tool to complete this task within the required timeframe.

“100% of users signed up to the PCS within the required two weeks,” says Andrew Wilson, Benefits Training Manager at the Royal Borough of Kensington and Chelsea. “A less automated approach would have undoubtedly taken much longer and been very resource-intensive.”

With this important contribution from NETconsent, the Royal Borough was able to meet the CoCo compliance deadline, ensuring uninterrupted communications with other government agencies. Usage of GCSx within the Council is set to increase over the coming months, and as more users are introduced to the system, the time and cost savings already gained through NETconsent are likely to be increased further.

Extending the use of NETconsent

NETconsent is also being used by the Finance department to manage its Payment Card Industry Data Security Standard (PCI DSS) policy and Internal Audit also sees many possibilities for extending the use of NETconsent throughout the Council.

“Publishing best practice guidelines is only the first step towards improving standards,” declares John Barnett, Senior Audit Manager. “NETconsent’s ability to monitor who has actually read our policies helps increase efficiency and improve working practices on the ground.”

Increased efficiency and stronger evidence of compliance

A ubiquitous policy, which affects nearly 1,000 Council staff, is the Mobile Phone Usage Policy, which must be signed before staff are given a Council mobile phone for business use. In the past, employees needed to download, print and sign the appropriate policy and put it in the internal mail. For workers at outlying offices, this could result in a delay of three to four working days.

 

NETconsent has eliminated this paperwork completely. If a user’s role requires a mobile phone, they are simply added to a NETconsent group which automatically presents them with the mobile phone policy next time they log on. “The process has become self-enforcing” says Barry Holloway, Head of Information Services. “NETconsent takes care of policy management without any need for us to ‘chase up’ users. There is no paperwork to file, and yet improved levels of reporting provide stronger evidence of compliance and enable assets to be better tracked.”

Within four days of going live, over half of the users had accepted the mobile phone policy. At the end of the allocated four weeks, all mobile phone users had either agreed or declined the policy. Those refusing the policy were found to be no longer using corporate mobile phones. As a result, the Council now has a more up to date view of phone ownership and has been able to redeploy several phones.

“We believe users are much more likely to take on board important messages when they are presented to them in a timely manner,” says Barry Holloway. “NETconsent is helping the Council change its approach to policy management – making it easier for users to understand the requirements without having to wade through lots of paperwork, and giving us the transparency we need to monitor policy compliance while reducing administrative workload.”