Auditors uncover security flaws in departure of staff
Gwynedd council needs to tighten up its procedures for departing employees returning IT equipment and security passes, a new report has found.
These issues pose a “security risk”, council chiefs were told.
A meeting on Thursday heard that internal auditors could only offer “limited assurance” of Gwynedd’s arrangements after adjudging one ‘high’ and one ‘medium’ risk in its current procedures.
Among the report’s findings was that while departing staff’s ID cards were being deactivated and could not be used to access council buildings, no records were being kept of whether the physical cards were returned and destroyed.
This, according to the internal auditors, would mean that while the cards would not work to access the council’s electronic locks, it still posed “physical security risks.”
It went on to note, “An individual who is not a member of staff but has an official ID card could impersonate a member of staff to gain access to council buildings, receive staff benefits, or gain access to residents’ homes.”
Meanwhile, a separate finding reported that over a three-month period only a third of IT equipment had been returned and logged on the authority’s TOPdesk system, with officers acknowledging a “lack of communication” regarding the electronic equipment of employees leaving the council.
“The TOPdesk system is used to record IT assets. A report, dated 16/09/2019 of a sample of staff who had left between 01/06/2019 and 01/09/2019 was sourced. It showed that only 33% of IT Equipment was ‘returned’,” said the report.
“The IT Support Service Manager stated that there was a lack of communication, regarding IT assets, from managers when staff left.
“It is possible to change the member of staff responsible for different assets within the TOPdesk system. Managers could change this if they were given the appropriate rights and instructions.”
A spokesman for Gwynedd council said that whilst the report noted that 33% of a sample of staff who had left the council had returned equipment to the central IT Department, it was expected that the equipment had been returned to the various departments and remained in council use.
With auditors also finding there was no policy in place to return staff parking passes, despite it being possible to cross-reference each pass’s unique code with an online spreadsheet, it was recommended that tightening up was needed across the board.
Their recommendation noted: “A policy containing instructions for managers and other employees regarding employment termination arrangements would benefit the council to achieve stronger controls.
“Relevant officers and the policy centre were checked for appropriate instructions or a policy regarding employment termination arrangements.
“The Recruitment and Appointment policy covers relevant issues when a member of staff commences their employment but did not have information about employment termination arrangements.”
In response to the findings of the audit, it was confirmed that regulations were now in place to specify the equipment/property that should be returned when staff terminate their employment, and to inform business unit managers of these new requirements.
A council spokesman added, “Whilst the report noted that controls are in place, more work is required to strengthen arrangements.
“The committee heard that work is being carried out to remind managers of their duty to ensure that all equipment is returned, and that improvements are made to the process of maintaining records of the items that are in use by council staff, and that have been returned when individuals leave the council’s employment.”
By Gareth Williams – Local Democracy Reporter