LGA Cyber 360 Delivery Guidance

This guidance provides councils with information on organising an LGA Cyber 360.

Introduction

This guidance provides councils with information on organising an LGA Cyber 360. It sets out:

  • The organisation process with milestones.
  • The roles and responsibilities of the council and LGA at each stage of the planning process.

Alongside this document, there are three other key documents participating councils will need to agree and return to us. These are:

  • A statement of expectations – this is intended to ensure that participating councils acknowledge key milestones, the contribution needed from the council, and the contribution to be expected from the LGA.
  • An information confidentiality agreement – this sets out how we will manage confidential information.
  • A draft schedule – this sets out suggested conversations which will be held between the Cyber 360 team and individuals at the council.

These documents are included as appendices to this manual and are referenced throughout this guidance.

We have also included a briefing for senior colleagues within the council. The briefing gives a high-level overview of the Cyber 360 approach and process.

Organising a Cyber 360

This section sets out the planning phases and associated milestones for organising a Cyber 360. It details the roles of the participating council and the LGA at each stage.

The guidance is not intended to be prescriptive, but a guide to help contextualise the planning process and offer advice on key decisions throughout the process. The steps set out provide a minimum approach for ensuring that each Cyber 360 provides maximum benefit to participating councils.

Step one: Initial interest

Participating councils should:

  • Express an interest in taking part in a Cyber 360. This can be done via the LGA’s website by filling in the expression of interest form, or by contacting [email protected].

The LGA will:

  • Offer the council an introductory meeting to outline the Cyber 360 approach and process.
  • Send an interested council this guidance, a statement of expectations, an information confidentiality agreement, and an editable illustrative schedule for the Cyber 360.

Step two: up to 10 weeks before the Cyber 360

Participating councils should:

  • Identify a lead organiser from within the council. Lead organisers will act as a “single point of contact” for the Cyber 360, ensure that logistics are in place, steer the schedule, and be available regularly during the Cyber 360.
  • Identify a senior sponsor from within the council who can provide a senior-level commitment to the process.
  • Liaise with and brief colleagues to ensure that there is broad agreement to the process from senior staff and political leadership.
  • Identify a week when they would provisionally like their Cyber 360 to take place. This should be a week when colleagues across the council are likely to have sufficient capacity to take part in conversations with the Cyber 360 team.
  • Ask the LGA to hold this week, with at least 10 weeks' notice of the intended start date.
  • Identify an individual within the council who can assist with diary management and booking conversations.

The LGA will:

  • Assign a Cyber 360 manager to the council, who will act as the key point of contact for the remainder of the process.
  • Offer the lead organiser a volunteering opportunity on a different council’s Cyber 360, to aid their understanding of the process.
  • Offer further introductory meetings as desired with the participating council’s senior sponsor and other key staff members.
  • Provide a briefing (included as an appendix within this delivery guidance) for the lead organiser to circulate to colleagues.
  • Reserve the participating council’s chosen week.

Step three: up to 6 weeks before the Cyber 360

Participating councils should:

  • Confirm their chosen week with their Cyber 360 manager, and their selection of days within this week.
  • Return a signed statement of expectations.
  • Return a signed information confidentiality agreement.
  • Return a draft Cyber 360 schedule, populated with the names of intended participants. Ensure that intended participants have had this time blocked out in their calendars.
  • Indicate any preferences with regards to the skills, knowledge or experience of Cyber 360 team members.
  • Indicate any specific focus areas for the Cyber 360.

The LGA will:

  • Offer an interim check-in meeting with the lead organiser.
  • Be available to respond to any queries from the participating council.
  • Offer further meetings as needed with the participating council.

Step four: up to one week before the Cyber 360

Participating councils should:

  • Confirm they are content with the make-up of the 360 team.
  • Finalise the Cyber 360 schedule, ensuring that the schedule is updated with the name and role of each colleague.
  • Finalise participants’ diary holds and update these with the LGA-provided MS Teams link for their conversation.
  • Ensure that council participants are aware of the Cyber 360 approach and process, using the briefing provided by the LGA if required.
  • Provide the LGA with any pre-reading for the team. These should not be sensitive documents, but documents that help with context, such as the council’s cyber, IT or digital strategy, roadmap or plan.

The LGA will:

  • Assemble a Cyber 360 team of volunteers from other councils and an external expert. Team members will have skills and experience which add value for the council.
  • Offer an interim check-in meeting with the lead organiser.
  • Send lead organisers diary holds with MS Teams meeting links to circulate to participants.
  • Offer further introductory meetings as needed with the participating council’s senior sponsor and other senior managers or leaders.
  • Provide a detailed briefing for circulation to council participants, outlining the approach and process.
  • Ensure that any information shared by the council is stored and shared with volunteer team members securely, as per the information confidentiality agreement.

Step five: the week before the 360

Participating councils should:

  • Participate in a pre-meeting with the LGA, where they will meet the team, share high-level context and articulate what they are looking to get out of the exercise.
  • Ensure that a finalised version of the schedule (including names and specific job roles) has been shared with the LGA.

The LGA will:

  • Host a pre-meeting with the council’s lead organiser and sponsor, to discuss the council’s expectations, key background information, and focus areas.
  • Host a separate training session for the team members.

Step six: During the Cyber 360

Participating councils should:

  • As per the schedule, ensure that the council’s chief executive, sponsor and lead organiser are available for an introductory session on the morning of day one.
  • As per the schedule, ensure that the council’s sponsor and lead organiser are available for feedback sessions at the end of each Cyber 360 day.
  • Ensure that the lead organiser is available to respond to queries or issues during the Cyber 360.
  • Ensure that the LGA are kept up to date with any changes to the schedule.

The LGA will:

  • Host an introductory session with the Cyber 360 team and the council’s chief executive, sponsor, and lead organiser on the morning of day one.
  • Host a feedback session with the council and 360 team at the end of each day.
  • Be available to respond to any queries or issues.
  • Offer flexibility to accommodate any necessary changes to the schedule.

Step seven: After the cyber 360

Participating councils should:

  • Work with the LGA to ensure that they are comfortable with the final Cyber 360 report.
  • Ensure that report findings are disseminated as appropriate within the council.
  • Complete a short evaluation survey after receiving the final report.

The LGA will:

  • Ensure that councils receive a draft Cyber 360 report no more than three weeks after the final 360 day. (On rare occasions this may stretch to four weeks due to illness or leave.)
  • Ensure that councils can provide feedback on the report.
  • Be available to answer any queries relating to the report or overall process.
  • Ensure that councils receive a redrafted report no more than one week after submitting their feedback.
  • Offer a presentation-style feedback session which summarises key report findings.
  • Circulate a short survey to evaluate the Cyber 360 process and experience.
  • Ensure that any confidential information is retained or securely deleted in line with the information confidentiality agreement.

Key decisions for participating councils

Participating councils will need to consider and make five key decisions. They are:

  • The duration of their Cyber 360
  • The make-up of their Cyber 360 team
  • Their key focus areas
  • Pre-reading which they wish to share with the Cyber 360 team
  • Participation in other elements of the LGA’s bespoke cyber support offer


Duration of the Cyber 360

Councils have the option of holding their Cyber 360 over two or three days. Your choice will depend on how many people deliver the roles set out in the draft schedule. For example, in smaller councils one individual may perform roles which cover a broader scope of responsibilities; in this scenario we will only need to speak to them once during the Cyber 360, which could mean that a full Cyber 360 can be delivered within two days.

Councils also have the option to spread their Cyber 360 days over a period of two weeks. This has been designed to give councils flexibility, so that a wide range of people can participate.

If you are unsure on whether to opt for a two or three day Cyber 360, then we would recommend the below.

  • Lower tier authority - two days
  • Upper tier authority – three days
  • Unitary authority – three days
Please confirm your choice at least six weeks before the Cyber 360.

The Cyber 360 team

You will be assigned one of the LGA 360 managers who will support you throughout the process:

Jamie Cross, Programme Manager, LGA Bespoke Cyber Support Team
Dave Sifleet, Senior Technical Advisor, LGA Cyber, Digital and Technology Team

You will also receive support from Daniella Akinfenwa, the Bespoke Cyber Support Team’s Programme Support Officer.

The LGA will work with participating councils to assemble a volunteer team who will conduct the Cyber 360 conversations, guided by the 360 manager. The team will include at least one officer from a council, as well as officers from the wider public sector, and a private sector expert.

The exact make-up of this team will depend on the scope of the 360 and the chosen areas of focus. The participating council will have an opportunity to express any preferences, to ensure that the team contains the right capabilities for what they want to achieve.

Please confirm any preferences at least six weeks before the Cyber 360.

The Cyber 360 framework and focus areas

The conversations, discussions, and feedback report will be based on the Cyber 360 Framework. The Framework is primarily based on the National Cyber Security Centre’s Cyber Assessment Framework, but also brings together good practice from several different sources and is organised in a simple and effective way.

You may wish to prioritise several topics where you feel a more in-depth focus would be beneficial.

Cyber 360 Topics

  • Leadership and Governance
  • Risk Management
  • Asset Management
  • Supply Chain
  • Service Protection Policies and Process
  • Identity and Access Control
  • Data Security
  • System Security
  • Resilient Networks and Systems
  • People Management
  • Security Monitoring
  • Proactive Security Event Discovery
  • Response and Recovery Planning
  • Lessons Learned
Please confirm any preferred focus areas at least one week before the Cyber 360.

Pre-reading

It is important that the Cyber 360 Team have a good understanding of the council’s context before the Cyber 360 process begins.

The council will have an opportunity to share this context verbally at the pre-meeting, but councils are also encouraged to share any useful information with the Cyber 360 team before the 360. Anything shared should not be highly confidential or contain particularly sensitive information. This might include the following:

  • Organisation Chart
  • Cyber Security Strategy
  • Cyber Incident Response Plan and/or Playbooks
  • Business Continuity Plan
  • Other relevant policies and processes as appropriate
Please provide any pre-reading at least one week before the Cyber 360.

Further bespoke cyber support

In addition to Cyber 360s, the LGA also offers a package of Reaction Exercises. These can be delivered as a follow-up to the Cyber 360, or independently.

The Reaction exercises involve participating in two facilitated table-top cyber security response and recovery exercises. Both exercises are designed to test how well the council responds to and recovers from a cyber incident which results in complete or sustained loss of data or system access.

Technical incident response exercise

The technical incident response exercise is facilitated over the course of three hours by a suitably qualified cyber security professional. This tabletop exercise will increase confidence in the ICT team’s ability to detect, investigate, respond to and recover from information security events, whilst managing communications with senior council staff. The exercise is likely to have a focus on a security breach or ransomware and be based around existing scenarios from public sector resources such as NCSC’s Exercise in a Box (EiaB).

Cyber focused business continuity exercise

This stress test exercise is facilitated by an experienced Emergency Planning College associate. Senior managers and leaders are given specific roles to perform, either as individuals or groups, which reflect the composition of at least part of a response team.

You will be presented with a scenario, designed around a reasonable worst case, which mimics a successful ransomware or other malicious cyber incident that develops over time and typically becomes more challenging and complex as the exercise progresses. You will receive phased injects that represent this evolving series of events, giving you incidents and problems to respond to and decisions to make.

If you are interested in these exercises, please discuss with your LGA Cyber 360 manager.


Summary of key steps

Statement of expectations

Cyber 360 information confidentiality agreement

Illustrative Cyber 360 schedule

Briefing on the LGA Cyber 360