Regulatory requirements are increasing in every industry, and government bodies are
under intense pressure to improve information security and assurance. As a notable
example, the Government Connect Secure Extranet (GCSx) is now the only authorised
channel that local authorities and central government can use to share sensitive
data with each other.
The Royal Borough of Kensington and Chelsea Council needed to demonstrate compliance
with the GCSx Code of Connection (CoCo) within a challenging deadline. Using NETconsent
automated policy management software, the Royal Borough guaranteed that all GCSx
users had read, accepted and signed the required CoCo Personal Commitment Statement
– meeting a key compliance requirement quickly and at low cost.
Benefits achieved for the Royal Borough
- Automating policy distribution
NETconsent enables automatic and consistent distribution of policy documents, making
it easy to ensure that all employees receive, read and accept the policies that
are relevant to their role.
- Reducing administrative workload
NETconsent significantly reduces administrative effort, with real-time visibility
of users’ acceptance or refusal, allowing the receipt and status of policies
to be tracked easily.
- Providing proof of compliance
With its comprehensive tracking and auditing capabilities, NETconsent makes it easy
for the Royal Borough to prove individual users’ compliance with the GCSx CoCo
and many other policies.
Rigorous controls for information assurance
The Royal Borough of Kensington and Chelsea employs approximately 3,500 people,
and provides a wide range of local government services for residents, visitors and
the business community – delivering the highest quality at the best value
for taxpayers.
As a local authority, the Council is responsible for the administration of many
important services – everything from education and healthcare through to the
distribution of benefits. Such services require large volumes of personal and sensitive
data to be managed securely.
In recent years, the methods by which central and local government agencies
store and communicate information have come under increasing scrutiny. As a result,
local authorities are putting rigorous controls in place to provide information assurance. These
controls can be wide-ranging: many focus on the automated monitoring of IT systems
or the physical security of government facilities. However, an arguably more important
aspect of security management is to ensure that employees understand the implications
of security breaches and are properly trained to avoid them.
Addressing the human factor of policy management
Following an audit, the Royal Borough identified the risks and implications of not
implementing a formal process to manage the Council’s information
assurance policies and many other aspects of working practice. The auditors reported that
without such a process, employees would be less likely to read policies thoroughly,
and would therefore be less able to comply with the rules. Their recommendation
was simple: a method needed to be developed to confirm employees’ acceptance
and understanding of the policies.
A cross-departmental project team from HR, Internal Audit and Information Systems
began the search for a system to automate the distribution of policies, record users’
agreement, and prove that the Council had taken steps to consistently communicate
policies and raise awareness. Following an evaluation of three software solutions,
NETconsent was selected as the most effective automated policy management system
for use within the Council.
Successful pilot
The implementation started with a pilot project involving 150 people. Initially,
there was some anxiety that employees might complain if they were suddenly forced
to read and electronically accept policies, so the pilot began with NETconsent
Informer, which simply introduced the NETconsent policy module, notified the relevant
users that they would soon start receiving their policies online, and explained
what they would need to do at that point.
NETconsent Informer was used to follow up the initial communication by the Heads
of Department, reminding people of the anticipated change to the policy management
process and helping them get accustomed to the new NETconsent screen appearing at
logon. As a result of this initial groundwork, 99 percent of users accepted the
full NETconsent automated policy management system without any issues when it was
subsequently introduced in enforced mode.
“NETconsent Informer has become an invaluable method to communicate short
messages to our staff in a manner that catches their attention without making significant
demands on our usual internal communications resources, such as email.” says
Barry Holloway, Head of Information Services.
Meeting critical Code of Connection deadline
One of the most important pillars of the UK government’s increasingly rigorous
approach to information assurance is the use of the Government Connect Secure Extranet
(GCSx). The ability to communicate with other government agencies is absolutely
mission-critical, meaning the Council needs to connect to the GCSx network.
As well as implementing technical controls, the Royal Borough needed to ensure that
every user given access to GCSx had read and signed a Personal Commitment Statement
(PCS) indicating their agreement to adhere to the IT security controls required
by the Code of Connection (CoCo). With NETconsent already in place for policy management,
it was the obvious tool to complete this task within the required timeframe.
“100% of users signed up to the PCS within the required two weeks,”
says Andrew Wilson, Benefits Training Manager at the Royal Borough of Kensington
and Chelsea. “A less automated approach would have undoubtedly taken much
longer and been very resource-intensive.”
With this important contribution from NETconsent, the Royal Borough was able to
meet the CoCo compliance deadline, ensuring uninterrupted communications with other
government agencies. Usage of GCSx within the Council is set to increase over the
coming months, and as more users are introduced to the system, the time and cost
savings already gained through NETconsent are likely to be increased further.
Extending the use of NETconsent
NETconsent is also being used by the Finance department to manage its Payment Card
Industry Data Security Standard (PCI DSS) policy, and Internal Audit sees many
possibilities for extending the use of NETconsent throughout the Council.
“Publishing best practice guidelines is only the first step towards improving
standards,” declares John Barnett, Senior Audit Manager. “NETconsent’s
ability to monitor who has actually read our policies helps increase efficiency
and improve working practices on the ground.”
Increased efficiency and stronger evidence of compliance
A widely applicable policy, affecting nearly 1,000 Council staff, is the Mobile Phone
Usage Policy, which must be signed before staff are given a Council mobile phone
for business use. In the past, employees needed to download, print and sign the
appropriate policy and put it in the internal mail. For workers at outlying offices,
this could result in a delay of three to four working days.
NETconsent has eliminated this paperwork completely. If a user’s role requires
a mobile phone, they are simply added to a NETconsent group which automatically
presents them with the mobile phone policy next time they log on. “The process
has become self-enforcing” says Barry Holloway, Head of Information Services.
“NETconsent takes care of policy management without any need for us to ‘chase
up’ users. There is no paperwork to file, and yet improved levels of reporting
provide stronger evidence of compliance and enable assets to be better tracked.”
Within four days of going live, over half of the users had accepted the mobile phone
policy. At the end of the allocated four weeks, all mobile phone users had either
agreed to or declined the policy. Those refusing the policy were found to be no longer
using corporate mobile phones. As a result, the Council now has a more up-to-date
view of phone ownership and has been able to redeploy several phones.
“We believe users are much more likely to take on board important messages
when they are presented to them in a timely manner,” says Barry Holloway.
“NETconsent is helping the Council change its approach to policy management
– making it easier for users to understand the requirements without having
to wade through lots of paperwork, and giving us the transparency we need to monitor
policy compliance while reducing administrative workload.”