Chief Minister’s Department
Ministerial Decision Report
SoJ Cyber SECURITY and DATA PROTECTION CAPABILITIES
- Purpose of Report
To enable the Chief Minister to accept budget transfers of up to £1,845,000 in total from Central Contingencies over the year’s 2017, 2018 and 2019 to support the States of Jersey Cyber Security Strategy and Data Protection Capabilities and to accept a temporary increase of 3.0 FTE’s over the life of the implementation of the project. The indicative allocation of funding over the years is £709,000 in 2017, £568,000 in 2018 and £568,000 in 2019.
- Background
In 2016 the Corporate Management Board and the Council of Ministers agreed and allocated funding to support the development and implementation of a Jersey Cyber Security Strategy and to investigate commercial opportunities arising from the implementation of the new EU GDPR in Jersey.
The Channel Islands ‘adequacy’ ruling under the current EU Directive will be re-assessed against the GDPR. CI governments have made the decision that the GDPR will be incorporated into local law with the aim to be ready in May 2018 and the States of Jersey must now create and deploy capabilities that support our Cyber Security Strategy and ensure compliance with GDPR and local regulations in 2018. The Information Service Department (ISD) developed a model to implement these capabilities within the government and this model was discussed and approved by the Corporate Management Board (CMB) on 10th January 2017 and by the Information Security Governance Board (ISGB) on 19th January 2017. The feedback received was very positive and both boards strongly support it.
At their meeting on the 8th February 2017 the Council of Ministers, considered a report which set out the capability model required to support the States of Jersey Cyber Security Strategy and the new EU Regulation (GDPR) which would enter into application on 25th May 2018. It was noted that the Corporate Management Board had approved the proposed model on 10th January 2017, and the Information Security Governance Board had approved it on 19th January 2017.
THE MODEL
The capability model was created using best practices developed by the Data Management Association (DAMA) and the Enterprise Information Management Institute (EIMI) and draws on extensive research.
The model is informed by a wide range of reviews and material; these include:
- Jersey’s Cyber Security Strategy - 2016
- The States of Jersey Information Security Roadmap - 2015
- SoJ Information Security Review conducted by the Comptroller and Auditor General - 2015
- Jersey’s Draft Digital Policy Framework - 2016
- The ISD and eGov IM capability maturity model assessment - 2015
- Data Protection Guidance and GDPR papers published by the Jersey Office of the Information Commissioner – 2015/2016
- DAMA Guide to the Data Management Body of Knowledge – 2013
- IRM UK Data Governance Conference Europe 2016
- Government ICT 2.0 Conference 2016
In developing the model, officers engaged with senior personnel from governmental departments and agencies, Gartner, Inc. (a world's leading information technology research and advisory company), the Office of the Information Commissioner, and experts from technology companies.
The overarching vision of the capability model is to ensure that the Government protects the data and the privacy of the information it holds about its citizens. A cyber-attack, large scale privacy breach on the States information systems; or noncompliance to the new GDPR; would have a devastating effect on the island’s reputation and would have a direct impact on Jersey’s attractiveness as a jurisdiction; other potential impacts are huge fines and risks of political turmoil.
The model is built on existing Information Service capabilities (tools and resources) with the addition of these elements that we do not support yet or that require new advanced skills: specific cyber security software, data protection and data quality profiles.
The Model follows these principles:
- It encompasses all domains of Information Management (i.e. security, privacy, governance, quality).
- It supports the States and the Island digital strategy.
- It is flexible enough so that it can be adapted to any organizational or operational models.
- It can be easily expended beyond the States to include Parishes or local organizations interacting with the government.
- It covers all aspects of an effective and efficient framework: people, processes and technology.
- It is flexible enough so that it can evolve with changes in digital and communication technologies.
FINANCIAL & STAFFING IMPLICATIONS
The successful delivery of this capability model requires investment; given the nature of the proposed model it is likely that contingencies are an appropriate source of funding. The implementation of the model is an additional government function that must continue to be resourced into the future.
Work with Chief Executive, Treasurer and with the Treasury Minister is been initiated to confirm the assumptions and estimates.
The business case shows that £1.845m is needed to support the model until 2019 and that it is recognised that in the future an ongoing commitment to IM capabilities will be essential and funding will be allocated as follows:
The recurring costs and the FTE requirement of the implementation will be subject to a growth bid in the 2020 MTFP. Implementation should be complete by end of 2018 and activity will become business as usual from 2019 which will be the basis for the MTFP growth bid. Ongoing costs from 2020 are estimated to be £568,000.
Having received presentations on the matter, the Council noted the background to the present position, recognising that the overarching vision of the capability model was to ensure that the Government protected the data and the privacy of the information it held about its citizens. The model had been built on existing Information Service capabilities (tools and resources) with the addition of those elements not yet supported or which required new advanced skills.
The Council, having noted the principles which the model followed, accepted that successful delivery would require investment, with contingencies considered to be an appropriate source of funding, given the nature of the proposed model.
Draft minutes detail;
The Council accordingly –
- noted the importance of sufficient and appropriate mechanisms to secure cyber security and to comply with the relevant data protection requirement; and
- endorsed the creation and deployment of the proposed capabilities model during Quarter 1 2017, subject to the identification of funding, including consideration by the Minister for Treasury and Resources of the provision of contingency funding, noting that there was an ongoing funding requirement requiring a growth bid to be made as part of the Medium Term Financial Plan 2020-2023 (MTFP3).
The officers were directed to take the necessary action.
3. Recommendation
The Chief Minister is recommended to accept budget transfers of up to £1,845,000 in total from Central Contingency over the year’s 2017, 2018 and 2019 to support the States of Jersey Cyber Security Strategy and Data Protection Capabilities and to accept a temporary increase of 3.0 FTE’s over the life of the implementation of the project.
4. Reason for Decision
The Council of Ministers acknowledged that investment will be required to support the development and implementation of a Jersey Cyber Security Strategy and approved funding of up to 1,845,000 at their meeting on 08th February 2017.
- Resource Implications
The Chief Minister’s Department revenue head of expenditure to increase by up to £1,845,000 in total over the year’s 2017, 2018 and 2019 and Central Contingences to decrease by an identical amount. The indicative allocation of funding over the years is £709,000 in 2017, £568,000 in 2018 and £568,000 in 2019.
There will also be a temporary increase of 3.0 FTE’s over the life of the implementation of the project.
The recurring costs of the implementation and the FTE requirement will be subject to a growth bid in the 2020 MTFP. Implementation should be complete by end of 2018 and activity will become business as usual from 2019 which will be the basis for the MTFP growth bid.
This decision does not change the total amount of expenditure approved by the States for 2017 – 2019 in the Medium Term Financial Plan.
Report author : Finance Manager – Corporate Group | Document date : |
Quality Assurance / Review : | File name and path: |
|