Treasury and Resources
Ministerial Decision Report
SOJ CYBER SECURITY STRATEGY AND DATA PROTECTION CAPABILITIES
1. Purpose of Report
To enable the Minister for Treasury and Resources to approve a non-recurring allocation of up to £1,845,000 in total from Central Contingencies over the years 2017, 2018 and 2019 to the Chief Minister’s Department (CMD) revenue head of expenditure to support the States of Jersey Cyber Security Strategy and Data Protection Capabilities project plus a temporary increase in staffing levels of 3.0 FTEs over the life of the implementation of the project.
2. Background
In 2016 the Corporate Management Board and the Council of Ministers agreed and allocated funding to support the development and implementation of a Jersey Cyber Security Strategy and to investigate commercial opportunities arising from the implementation of the new EU GDPR in Jersey.
The Channel Islands ‘adequacy’ ruling under the current EU Directive will be re-assessed against the GDPR. CI governments have decided that the GDPR will be incorporated into local law, with the aim of being ready in May 2018, and the States of Jersey must now create and deploy capabilities that support our Cyber Security Strategy and ensure compliance with GDPR and local regulations in 2018. The Information Service Department (ISD) developed a model to implement these capabilities within the government; this model was discussed and approved by the Corporate Management Board (CMB) on 10th January 2017 and by the Information Security Governance Board (ISGB) on 19th January 2017. The feedback received was very positive and both boards strongly support it.
At their meeting on the 8th February 2017 the Council of Ministers considered a report which set out the capability model required to support the States of Jersey Cyber Security Strategy and the new EU Regulation (GDPR) which would enter into application on 25th May 2018. It was noted that the Corporate Management Board had approved the proposed model on 10th January 2017, and the Information Security Governance Board had approved it on 19th January 2017.
THE MODEL
The capability model was created using best practices developed by the Data Management Association (DAMA) and the Enterprise Information Management Institute (EIMI) and draws on extensive research.
The model is informed by a wide range of reviews and material; these include:
- Jersey’s Cyber Security Strategy - 2016
- The States of Jersey Information Security Roadmap - 2015
- SoJ Information Security Review conducted by the Comptroller and Auditor General - 2015
- Jersey’s Draft Digital Policy Framework - 2016
- The ISD and eGov IM capability maturity model assessment - 2015
- Data Protection Guidance and GDPR papers published by the Jersey Office of the Information Commissioner – 2015/2016
- DAMA Guide to the Data Management Body of Knowledge – 2013
- IRM UK Data Governance Conference Europe 2016
- Government ICT 2.0 Conference 2016
In developing the model, officers engaged with senior personnel from governmental departments and agencies, Gartner, Inc. (a world-leading information technology research and advisory company), the Office of the Information Commissioner, and experts from technology companies.
The overarching vision of the capability model is to ensure that the Government protects the data and the privacy of the information it holds about its citizens. A cyber-attack or large-scale privacy breach on the States information systems, or non-compliance with the new GDPR, would have a devastating effect on the island’s reputation and would have a direct impact on Jersey’s attractiveness as a jurisdiction; other potential impacts are huge fines and risks of political turmoil.
The model is built on existing Information Service capabilities (tools and resources) with the addition of these elements that we do not support yet or that require new advanced skills: specific cyber security software, data protection and data quality profiles.
The Model follows these principles:
- It encompasses all domains of Information Management (i.e. security, privacy, governance, quality).
- It supports the States and the Island digital strategy.
- It is flexible enough so that it can be adapted to any organizational or operational models.
- It can be easily expanded beyond the States to include Parishes or local organizations interacting with the government.
- It covers all aspects of an effective and efficient framework: people, processes and technology.
- It is flexible enough so that it can evolve with changes in digital and communication technologies.
FINANCIAL & STAFFING IMPLICATIONS
The successful delivery of this capability model requires investment; given the nature of the proposed model it is likely that contingencies are an appropriate source of funding. The implementation of the model is an additional government function that must continue to be resourced into the future.
Work with the Chief Executive, the Treasurer and the Treasury Minister has been initiated to confirm the assumptions and estimates.
The business case shows that £1.845m is needed to support the model until 2019 and that it is recognised that in the future an ongoing commitment to IM capabilities will be essential and funding will be allocated as follows:
The recurring costs and the FTE requirement of the implementation will be subject to a growth bid in the 2020 MTFP. Implementation should be complete by end of 2018 and activity will become business as usual from 2019 which will be the basis for the MTFP growth bid. Ongoing costs from 2020 are estimated to be £568,000.
Having received presentations on the matter, the Council noted the background to the present position, recognising that the overarching vision of the capability model was to ensure that the Government protected the data and the privacy of the information it held about its citizens. The model had been built on existing Information Service capabilities (tools and resources) with the addition of those elements not yet supported or which required new advanced skills.
The Council, having noted the principles which the model followed, accepted that successful delivery would require investment, with contingencies considered to be an appropriate source of funding, given the nature of the proposed model.
Draft minutes detail:
The Council accordingly –
- noted the importance of sufficient and appropriate mechanisms to secure cyber security and to comply with the relevant data protection requirement; and
- endorsed the creation and deployment of the proposed capabilities model during Quarter 1 2017, subject to the identification of funding, including consideration by the Minister for Treasury and Resources of the provision of contingency funding, noting that there was an ongoing funding requirement requiring a growth bid to be made as part of the Medium Term Financial Plan 2020-2023 (MTFP3).
The officers were directed to take the necessary action.
3. Recommendation
The Minister is recommended to approve a non-recurring allocation of up to £1,845,000 in total from Central Contingencies over the years 2017, 2018 and 2019 to the Chief Minister’s Department (CMD) revenue head of expenditure to support the States of Jersey Cyber Security Strategy and Data Protection Capabilities project plus a temporary increase in staffing levels of 3.0 FTEs over the life of the implementation of the project.
4. Reason for Decision
Article 17(2) of the Public Finances (Jersey) Law 2005 states that the Minister for Treasury and Resources is authorised to approve the transfer from contingency expenditure to heads of expenditure of amounts not exceeding, in total, the amount available for contingency expenditure in a financial year.
The current Contingency Allocation Policy (published as R.10/2012) sets the requirement for all allocations from Contingency to be considered by the Council of Ministers prior to submission to the Minister for approval.
To comply with P.67/1999 which charges the Minister for Treasury and Resources to regulate the number of persons that may be employed by the States.
The Council of Ministers agreed, at their meeting of 8th February 2017, the capability model required to support the States of Jersey Cyber Security Strategy and the new EU Regulation (GDPR). An increase to the indicative funding contained in the report considered by the Council of Ministers was subsequently agreed by the Chief Executive of the States.
Decision MD-C-2017-0060 was signed by the Deputy Chief Minister on 12th May 2017.
5. Resource Implications
The Chief Minister’s Department revenue head of expenditure to increase by up to £1,845,000 in total over the years 2017, 2018 and 2019 and Central Contingencies to decrease by an identical amount. The indicative allocation of funding over the years is £709,000 in 2017, £568,000 in 2018 and £568,000 in 2019.
There will also be a temporary increase of 3.0 FTEs over the life of the implementation of the project.
The recurring costs of the implementation and the FTE requirement will be subject to a growth bid in the 2020 MTFP. Implementation should be complete by end of 2018 and activity will become business as usual from 2019 which will be the basis for the MTFP growth bid.
This decision does not change the total amount of expenditure approved by the States for 2017 - 2019 in the Medium Term Financial Plan.
Report author : Head of Decision Support | Document date 15th May 2017 |
Quality Assurance / Review : Director of Financial Planning and Performance | File name and path: L:\Treasury\Sections\Corporate Finance\Ministerial Decisions\DS, WR and SD\2017-00xx - SoJ Cyber Security and Data Protection Capabilities |
MD sponsor : Director of Financial Planning and Performance |