
CNES – Cloud IT systems and the CRM System Final Audit Report 28 Oct 2015 – action tracked Sept 2016

ACTION PLAN
The Action Plan contains 8 recommendations as follows:

| Description | Priority | Number |
|---|---|---|
| Major issues that managers need to address as a matter of urgency. | High | 0 |
| Important issues that managers should address and will benefit the Organisation if implemented. | Medium | 8 |
| Minor issues that are not critical but managers should address. | Low | 0 |
| Total recommendations | | 8 |

REPORT REFS. | GRADES | FINDINGS | RECOMMENDATIONS | MANAGEMENT AGREED ACTIONS | RESPONSIBLE OFFICERS | IMPLEMENTATION TARGET DATES & ACTIONS

4.1.1 Medium Cloud – Hosted CNES Systems

Findings: There is not a specific CNES cloud checklist based on either the ICO or CESG guidance in place to ensure that all security aspects of cloud systems have been properly considered and are either in place, or are known not to be.

1)
Recommendation: The IT Unit should produce a checklist, based on the ICO and CESG guidance to ensure that all security aspects of systems to be hosted in the cloud are considered and evaluated.
Management agreed action: Agreed. A checklist for cloud suppliers will be produced in accordance with CESG guidelines.
Responsible officer: IT Manager
Implementation target date & actions: 31/07/16. Extension of time required to complete this.

2)
Recommendation: This checklist should be used by existing CNES cloud system owners and IT Unit staff to ensure they are fully aware of the current security arrangements. If they find any deficiencies they should seek to have them addressed. For example if a supplier stores CNES personal data and is not ISO 27001, CNES staff should try to address this risk, e.g. by raising this fact at the relevant supplier user group.
Management agreed action: Agreed. The status of our cloud suppliers and their ISO certifications will be checked and we will bring to their attention any risks we encounter.
Responsible officer: IT Manager
Implementation target date & actions: 31/07/16. Extension of time required to complete this.

4.2.1 Medium CRM - Access Control

1)
Finding: There is no access control policy and there is not a complete set of documentary evidence to prove that all the requests for access have been properly authorised.
Recommendation: An access control policy should be produced and documentary evidence of all further user access requests retained. An annual review of user access settings should be carried out and evidence that existing user access levels have been verified as correct should be retained.
Management agreed action: Agreed. User Access Control Form has been set up and requires a signature from Authorising Manager.
Responsible officer: Business Analyst
Implementation target date & actions: Complete

2)
Finding: Generic usernames are shared by customer services staff to access Street Lighting System and the IDOX System.
Recommendation: Unique usernames should be used where possible to protect staff from investigation in the event of computer misuse.
Management agreed action: Limited licences for the uniform and IDOX systems currently prevent unique usernames for each officer accessing these systems. Raised with System Administrators of these systems.
Responsible officer: Business Analyst
Implementation target date & actions: Complete

3)
Finding: Forced password complexity is weak.
Recommendation: The supplier should be asked whether forced password complexity can be brought up to the current expected practice.
Management agreed action: Agreed. Password complexity changed to 7 characters 3 of which must be either upper, lower case or numbers.
Responsible officer: Business Analyst
Implementation target date & actions: Complete

4)
Finding: System administration procedures are all not documented meaning there is an over reliance on one key member of staff.
Recommendation: All system administration procedures should be documented.
Management agreed action: Agreed. Cross Training and documenting procedures to be addressed.
Responsible officer: IT Manager/Business Analyst
Implementation target date & actions: 31/07/16 – In progress. Extension of time required to complete this.

4.2.2 Medium CRM - Data Input

1)
Finding: In every example checked the client case history search shows under the interactions tab that the client is not verified even although the Customer Services Team Leader stated the client is always verified in the case of council tax queries. Therefore the system is not recording correctly what is actually happening.
Recommendation: The record of client not being verified should be queried with the supplier. The aim should be to get the system to record what is actually taking place with regard to client verification.
Management agreed action: Agreed. Verified check box on a case form needs to be marked as confirmation that the client has been verified – all staff have been informed of this.
Responsible officer: Customer Services Manager
Implementation target date & actions: Complete

2)
Finding: There is a section for recording notes relating to conversations with customers or members of staff. One example of these notes recorded details a dispute between staff which is not in accordance with the guidance issued by the Customer Services Manager. As the data for the notes field can be very varied it can be difficult for staff to enter the correct balance of information, therefore it should be monitored by management.
Recommendation: Staff should be reminded of the guidance when entering notes. In addition a report of notes should be produced so that it can be reviewed easily and quickly by management to check it is correct.
Management agreed action: Agreed. Customer Service Manager receives an email of all cases so is able to monitor notes; reminder will be issued to all staff to follow guidance previously issued when entering notes.
Responsible officer: Customer Services Manager
Implementation target date & actions: 31/10/15 – Complete

4.2.3 Medium CRM - Interface Processing

1)
Finding: The CRM System receives data from the Corporate Address Gazetteer (CAG) on a monthly basis via a partially automated interface. The data is extracted manually from CAG by a member of staff and loaded automatically via Windows Scheduler into the CRM System. A member of the IT Unit checks that no error message appears in the Windows Scheduler after the load program has run. However there is no check within the CRM System to verify the data has loaded correctly.
Recommendation: The system administrator should check with the supplier whether there is a facility within the CRM system to verify whether a data load has been carried out successfully.
Management agreed action: The process is currently run automatically on the first Friday of each month and there is no success/fail feedback from this automatic process. To remedy this situation the following change to the Gazetteer upload process has been implemented. All console output from the Lagan upload application is captured and emailed to the Gazetteer and CRM Administrators. If for any reason this process fails then it will be clearly visible in this email. If for any reason there isn’t a DFT Gazetteer extract in place for the Gazetteer sync/upload then the admins will be notified so that a DFT extract can be manually extracted and processed.
Responsible officer: Business Support Team
Implementation target date & actions: Complete

2)
Finding: The CRM System is also integrated with the Council Tax System such that some customer services staff members who are CRM System users can log directly into the Council Tax System without entering a separate username and password. This means that user access control for the Council Tax System being correct depends directly on user access control for the CRM System being correct and the Council Tax System Access Control Policy should take this type of access into account.
Recommendation: The Council Tax Access Control Policy should include consideration of access control via the CRM System.
Management agreed action: Review with Council Tax System Administrator
Responsible officer: Business Analyst
Implementation target date & actions: 30/11/15. Review completed.

4.2.4 Medium CRM - Reports

Finding: Only one report was provided for review which shows types of interaction and the number of each type of interaction. It was reported that the CRM System reporting module has not been purchased and there is an intention to develop reports using Jaspersoft reporting software which can take data from one or more data sources and provide easy to read and interactive reports.
Recommendation: A complete list of the required management and data quality reports should be identified and the corresponding Jaspersoft reports should be developed to provide this information and assurance.
Management agreed action: Agreed. The executive report that has been produced covers the high level reporting needs currently. Additional reports will be developed using a centralised reporting service, namely Jaspersoft.
Responsible officer: Business Support Team
Implementation target date & actions: 31/07/16 – this action is in progress; an extension of time is required

4.2.5 Medium CRM - Audit Trail

Finding: User activities should be clearly identifiable in the audit trail. However, the user “flguest” sometimes appears on the audit trail for starting and closing customer cases and staff do not know who this user is. They think it may be a system user, but this needs to be clarified with the system supplier.
Recommendation: The system administrator should contact the supplier to obtain an explanation as to why ‘flguest’ appears on the audit trail.
Management agreed action: Agreed. Flguest appears because all the council tax cases have been submitted using webservices. The user that the webservices has been authenticated against to create the case is flguest which is why it appears in the audit trail.
Responsible officer: Business Analyst
Implementation target date & actions: Complete

4.2.6 Medium CRM – License Agreement

Finding: The CRM supplier’s Master Software License, Service and Support Agreement is governed by and construed in accordance with the laws of England and Wales as opposed to Scotland. This means that it will be more costly to go to court in the event of a serious dispute.
Recommendation: If it has not already been done, the supplier should be asked whether this Agreement can be amended to be in accordance with the laws of Scotland.
Management agreed action: Agreed. Will be discussed in annual review
Responsible officer: Customer Services Manager
Implementation target date & actions: 31/03/16 – complete

4.2.7 Medium CRM - Efficiency

Finding: The CRM System has made significant improvements and savings with regard to CNES customer services. Part of the vision recorded in the 2008 Customer Service Strategy was that the Comhairle would have the ability to measure the effectiveness of service delivery given that all interactions were being recorded in one place. However the successful results of these interactions are not being recorded in the system.
Recommendation: The CNES should consider recording the successful outcomes of customer interactions within the CRM system. This would enable it then to report on performance and provide a complete and documented assurance to both the CNES management and the public that the complete customer services function was operating successfully.
Management agreed action: Will raise with departmental representatives and Customer Service Steering Group. Departments currently report KPIs separately and use corporate satisfaction surveys.
Responsible officer: Customer Services Manager
Implementation target date & actions: 31/07/16 Complete. This was considered; after discussion it was agreed there will be no change
