Cyber security and information risk guidance for audit committees
The National Audit Office (NAO) has published a guidance document containing high-level questions and detailed areas for audit committees to consider when scrutinising cyber security arrangements.
The 16-page document complements other government advice and features three ‘high-level questions’ that audit committees may want to consider initially:
- ‘Has the organisation implemented a formal regime or structured approach to cyber security which guides its activities and expenditure?’
- ‘How has management decided what risk it will tolerate and how does it manage that risk?’
- ‘Has the organisation identified and deployed the capability it needs in this area?’
The NAO also lists the 10 steps for cyber security as identified by the National Cyber Security Centre, which include: secure configuration; network security; managing user privileges; and incident management. This is supplemented by additional questions on cloud services and developing new technology/services.
Our campaign ‘The Icarus effect: tackling cybercrime complacency’ highlights that 40 per cent of organisations say they have suffered a cyberattack, with organisations often lacking the proper controls to identify breaches. Organisations are failing to embed core security measures. Few have an up-to-date or board-approved cybersecurity strategy, while staff training is often overlooked, and complacency leaves organisations hugely vulnerable.
A guide to fire and rescue services
In seeking to assist police and crime panel members in particular, the Local Government Association has published a guide to ‘Fire and rescue services in England.’ It has been developed in light of the Policing and Crime Act 2017, which seeks to create greater collaboration within the emergency services sector with the aim of improving efficiency and effectiveness. In providing an overview of the fire and rescue sector, the guide covers: the legislative landscape; funding and governance; organisational structures; performance and improvement; and ‘the evolving fire and rescue service delivery model.’
2017/18 police inspection programme and framework
Her Majesty’s Inspectorate of Constabulary and Fire & Rescue Services (HMICFRS) has published information on its police inspection programme for 2017/18. HMICFRS confirms that its PEEL inspection programme will continue focusing on effectiveness, efficiency and legitimacy, and police forces will, as in previous years, be given graded judgements. In a break from previous inspections, however, leadership will be considered ‘as a theme in the efficiency, effectiveness and legitimacy inspections, rather than as an inspection in its own right.’ This takes into account the view that leadership does not take place in isolation, but rather ‘leadership is identified, developed and displayed across every element of policing.’
HMICFRS also confirms that vulnerability will be an important element within its inspections, as demonstrated by the recent publication of the outcomes of initial inspections on how the police approach human trafficking and modern slavery offences (further discussed below). In addition, the inspectorate will develop a specific ‘thematic inspection on fraud’ which will include cyber-enabled fraud, whilst other thematic inspections will cover: child protection; counter-terrorism; hate crime; and crime data integrity.
Modern slavery and human trafficking
Whilst HMICFRS found ‘signs of progress’, a recent thematic inspection found that in many cases the policing response to modern slavery and human trafficking was ‘reactive and showed little understanding of the nature and scale’ of this exploitive practice. In reviewing several cases, HMICFRS found ‘substantial problems’ with the way investigations were managed, whilst there was ‘variable commitment amongst police leaders to tackling this area of offending.’ It was also found that the provisions contained within the Modern Slavery Act 2015 were not being fully utilised.
Police pay award
The Home Office has confirmed that, following recommendations from the Police Remuneration Review Body and the Senior Salaries Review Body, police officers are to receive a 2 per cent pay award during 2017 to 2018. Home Secretary, Amber Rudd, has stated the ‘award strikes a fair balance for police forces, officers and taxpayers.’ With the increase below UK inflation levels and growing pressures on the service and officers, the 43 Police Federations have published a strongly worded open letter to the government in which the pay award is regarded as ‘insulting’. The outcome is nevertheless a shift in government public sector pay policy, which has capped increases at 1 per cent.
Routine arming survey results
The results of a recent survey highlight that 34 per cent of officers are in support of being routinely armed, an increase from 23 per cent in 2016. The outcome is a key finding from the Police Federation’s routine arming survey undertaken earlier this year. It was found that 42.5 per cent of respondents were not in support of routine arming for all police officers but 55.2 per cent confirmed they were prepared to carry a firearm if required to do so.
Police workforce in the digital age
Think-tank Reform has published a report examining whether the police workforce can meet the demands of the digital age. From its research and insights from police officers, Reform confirms that several changes are necessary to ensure forces are equipped to ‘fight digital crime.’ As a result, Reform makes several recommendations for policy makers and stakeholders, including:
- calling on the Home Office to create a police digital capital grant worth approximately £450m, which would be used to invest in digital infrastructure;
- police forces to use ‘competitive procurement channels’ to attain better value for money when purchasing new technology;
- forces to try to increase secondment numbers, with Reform calling for an extra 1,500 officers and staff; and
- calling for a monumental increase in the numbers of cyber volunteers from 40 to 12,000 in law enforcement agencies, to be achieved in part by offering ‘more dynamic volunteering opportunities.’
Tackling abuse of position
Despite some progress, HMICFRS has found that most police forces ‘have work to do in regard to their planning around preventing the abuse of position for a sexual purpose.’ In December 2016, HMICFRS requested forces to develop and submit implementation plans on this matter and following a review in May, the Inspectorate confirmed there had ‘undoubtedly been impressive work’ at the national level.
However, in reviewing individual force plans it was found that: 11 plans had information deemed to be insufficient; 15 other forces had plans in place but had not commenced with implementation; 15 forces had developed their plans but hadn’t commenced with implementation; and only two forces had ‘all elements in place.’ HMICFRS has confirmed that it will undertake a full inspection of this area, and other police legitimacy areas, next year.
Grenfell Tower Inquiry
The formal opening of the Grenfell Tower Inquiry took place on 14 September. The Inquiry into a tragedy described by Inquiry Chair, Sir Martin Moore-Bick, as ‘unprecedented in modern times’ commenced with a minute’s silence as a mark of respect. In his opening statement, Sir Martin provided some details of how the Inquiry would be undertaken, noting that it would incorporate two core phases.
Phase one: ‘shall investigate the development of the fire itself, where and how it started, how it spread… and the chain of events that unfolded during the course of the hours before it was finally extinguished.’ It will also consider ‘the response of the emergency services and the evacuation of residents.’
Phase two: ‘will examine on a broad front how the building came to be so seriously exposed to the risk of a disastrous fire. That will involve an investigation into the design of the building, its modification from time to time over previous years, the decisions relating to design and construction… and whether at each stage of its development the building complied with regulations then in force.’
Document examination will be time consuming, and phase two is therefore anticipated to be a lengthier process than phase one. However, both phases will take place in parallel with one another.
Fire safety staff numbers down
A Guardian investigation has raised some concerns, with the news that fire services in England have ‘lost more than a quarter of their specialist fire safety staff since 2011.’ Figures obtained under the Freedom of Information Act reveal that across 26 FRS there had been a decrease in specialist staff, from 924 to 680 between 2011 and 2017.
In addition, operational statistics for the fire service have been published by the Home Office revealing that the number of full-time equivalent staff in England in 2016 was four per cent lower than the previous year, and ‘17 per cent lower than five years before.’ Firefighter strength is also reducing and in 2016 was approximately four per cent lower than in 2015.
The National Fire Chiefs Council commissioned a research study seeking to understand the fire and rescue services’ capability and capacity to use large sets of data to effectively target resources, particularly for those most vulnerable.
As part of the Chief Fire Officers Association’s Sustained Action for Elderly Risk (SAfER) programme, a subset of the Exeter data, which provides access to NHS patient data held on the National Health Applications and Infrastructure Services (NHAIS) systems, was utilised. The Exeter data was used to create a dataset detailing the address, birth year and gender of individuals 65 years or older, registered with a GP in England and Wales. It was intended ‘to ensure that FRSs target preventative resources more effectively, at a time where the ageing demographic means fire deaths and injuries will increase significantly for the first time in 30 years.’
After receiving the ‘Exeter data’ (as it is commonly known) and in considering its use, several recommendations were noted within the final report, including:
- in order to cut down data preparation and cleansing time, it would be beneficial if data shared by other public services were ‘pre-cleansed’ before it is passed to FRS;
- a feedback loophole exists, which should be closed through FRS ‘reviewing the value of data over the short, medium and longer term’; and
- more work is required to ensure those who hold a data analyst role within FRS do not feel ‘isolated’. Indeed ‘more efforts could be made to bring the analyst community together and to support the development of individual competencies and the collective knowledge-base.’