A principles-led approach to information assurance and governance in local government
Abstract
This practice-based paper explores a principles-led approach to cyber information governance for local authorities (LAs) in England and Wales, while linking it to a corporate information governance regime to support cyber security and resilience. Over the past 15 years the author has worked with several LA regional cyber security groups known as WARPs (Warning, Advice and Reporting Points). The paper goes on to propose an approach to cyber maturity, offering a novel way to think about the issues, while exploring a number of tools and techniques. This work has used a practice-based approach to help develop usable artefacts for policy readers as well as technical ones. We especially explore the contention between policies and principle-based approaches to information risk management (IRM). The National Cyber Security Centre (NCSC) has recently blogged about a principles-led approach to cyber security. We will consider the move from a policy (rules)-based approach to a principles-based approach around information assurance and risk management, all of which ultimately supports strategic decision making around IRM, information assurance and cyber resilience.
The full article is available to subscribers to the journal.
Author's Biography
Mark Brett is a Chartered Manager and Chartered IT professional. He is a CCP Lead SIRA, having an outstanding track record as a senior manager and consultant in local and central government. He is actively engaged in the Local Government Cyber Resilience Programme with the Ministry of Housing, Communities & Local Government (MHCLG). Mark worked for three years with the Public Services Network (PSN) programme in GDS as Lead IA Adviser and PSN SOC/Security Manager. As lead security analyst in MOJ Digital, he developed an agile approach to information risk management and assurance, which he has implemented in MHCLG. Mark was CIO of London Connects. As a deputy director in the London Resilience Team, he designed and implemented a pan-London emergency management extranet and was instrumental in setting up the WARP programme for CPNI. While Information Assurance Adviser to the Local Government Association, he authored the ‘Local Public Services Data Handling’ guidelines. He continues to lead the local government IA work as a special adviser to the Local CIO Council and through the Local Government Cyber Security Stakeholder Group and the Local Government PSN Board. Mark is currently Cyber Technical Adviser to MHCLG, working on the National Cyber Security Programme — Local. Mark’s work in the cyber and resilience world involves developing cyber resilience exercises and response capability training, which is being used within local resilience forums (LRFs) in England, and leading the cyber resilience programme in Wales for the Welsh Government, working with the four Welsh LRFs. He has recently authored the emergency management exercise that is being run across the English LRFs. Mark is a fellow of the Institute of Civil Protection and Emergency Management and a member of the Emergency Planning Society. He is an honorary visiting fellow in cyber security at De Montfort University and lectures at Warwick and London Metropolitan universities.
Mark completed a doctoral training programme at De Montfort University.