FOI Request

Dave Schneider made this Freedom of Information request to Hertfordshire County Council

The request was partially successful.

From: Dave Schneider

18 August 2010

Sir/Madam,

I wish to make a request under the Freedom of Information Act. The
following questions and information I wish to have sent to me are
as follows:

Provide, name, address and telephone number for the following
people:
• Senior Information Risk Owner
• Governance Manager
• Information Security Officer/Manager
• Information Technology Security Officer/Manager
• Caldecott Guardian

PCI-DSS
Does your organisation process electronic payment cards?
How much money is processed from electronic payment cards per
annum?
How many electronic payment card transactions are processed per
annum?
Are you PCI-DSS compliant?

ISO 27001
Are you or have you considered becoming ISO 27001 compliant or
certified?

Government Connect
Are you connected and operationally utilising the Government
Connect network? If not have you considered connecting to
Government Connect and why was the decision made not to connect?
Do you meet the Government Connect version three requirements?
Please supply your latest CLAS consultant annual Government Connect
assessment/audit report, blanking out any statements which could
contravene a security concern from a third party reading it.
Do you meet the Government Connect version four requirements?
Please supply the latest internal report for the Government Connect
version four Audit/Assessment, blanking out any statements which
could contravene a security concern from a third party reading it.

Criminal Justice Network
Are you connected to and operationally utilising the Criminal
Justice Network? If not have you considered connecting to the
Criminal Justice Network and why was the decision made not to
connect?
Please supply your latest annual assessment/audit report, blanking
out any statements which could contravene a security concern from a
third party reading it.

NHS N3 Network
Are you connected to and operationally utilising the NHS N3
Network? If not have you considered connecting to the NHS N3
network and why was the decision made not to connect?
Please supply your latest N3 Connection assessment/audit report,
blanking out any statements which could contravene a security
concern from a third party reading it.
Do both schools and the Council share the same physical network
responsible for voice and data communications?

Yours faithfully,

Dave Schneider


From: Herts Direct
Hertfordshire County Council

19 August 2010

Dear Enquirer,

Your message has been received and will be dealt with as soon as possible.
Our standard is to reply within ten working days.
Should you need to make contact with us again on this matter, it helps us
if you quote reference number: 96361

Kind Regards
Dan at HertsDirect


From: Information Governance
Hertfordshire County Council

20 August 2010

Reference number: FOI/RAP/08/10/2385

Dear Dave Schneider,

Thank you for your correspondence of 18th August 2010 requesting the
following information:

'I wish to make a request under the Freedom of Information Act. The
following questions and information I wish to have sent to me are
as follows:

Provide, name, address and telephone number for the following
people:
o Senior Information Risk Owner
o Governance Manager
o Information Security Officer/Manager
o Information Technology Security Officer/Manager
o Caldecott Guardian

PCI-DSS
Does your organisation process electronic payment cards?
How much money is processed from electronic payment cards per
annum?
How many electronic payment card transactions are processed per
annum?
Are you PCI-DSS compliant?

ISO 27001
Are you or have you considered becoming ISO 27001 compliant or
certified?

Government Connect
Are you connected and operationally utilising the Government
Connect network? If not have you considered connecting to
Government Connect and why was the decision made not to connect?
Do you meet the Government Connect version three requirements?
Please supply your latest CLAS consultant annual Government Connect
assessment/audit report, blanking out any statements which could
contravene a security concern from a third party reading it.
Do you meet the Government Connect version four requirements?
Please supply the latest internal report for the Government Connect
version four Audit/Assessment, blanking out any statements which
could contravene a security concern from a third party reading it.

Criminal Justice Network
Are you connected to and operationally utilising the Criminal
Justice Network? If not have you considered connecting to the
Criminal Justice Network and why was the decision made not to
connect?
Please supply your latest annual assessment/audit report, blanking
out any statements which could contravene a security concern from a
third party reading it.

NHS N3 Network
Are you connected to and operationally utilising the NHS N3
Network? If not have you considered connecting to the NHS N3
network and why was the decision made not to connect?
Please supply your latest N3 Connection assessment/audit report,
blanking out any statements which could contravene a security
concern from a third party reading it.
Do both schools and the Council share the same physical network
responsible for voice and data communications?'

Your request for information is being considered under the Freedom of
Information Act 2000. We will respond to your request as quickly as
possible, and by 16th September 2010 at the latest.

If you have any questions, please do not hesitate to contact me, quoting
the reference number on this email.

Yours sincerely,
________________________________________
Information Governance Unit
Hertfordshire County Council
Telephone: 01992 555848
Fax: 01992 588117
Email: [email address]


From: Information Governance
Hertfordshire County Council

15 September 2010

Dear Mr. Schneider,

Reference number: FOI/RAP/08/10/2385

On 18th August 2010 we received the following request for information
from you:

' I wish to make a request under the Freedom of Information Act. The
following questions and information I wish to have sent to me are
as follows:

Provide, name, address and telephone number for the following people:
o Senior Information Risk Owner
o Governance Manager
o Information Security Officer/Manager
o Information Technology Security Officer/Manager
o Caldecott Guardian

PCI-DSS
Does your organisation process electronic payment cards?

How much money is processed from electronic payment cards per annum?

How many electronic payment card transactions are processed per annum?

Are you PCI-DSS compliant?

ISO 27001
Are you or have you considered becoming ISO 27001 compliant or
certified?

Government Connect
Are you connected and operationally utilising the Government Connect
network?
If not have you considered connecting to Government Connect and why
was the decision made not to connect?
Do you meet the Government Connect version three requirements?
Please supply your latest CLAS consultant annual Government Connect
assessment/audit report, blanking out any statements which could
contravene a security concern from a third party reading it.

Do you meet the Government Connect version four requirements?
Please supply the latest internal report for the Government Connect
version four Audit/Assessment, blanking out any statements which
could contravene a security concern from a third party reading it.

Criminal Justice Network
Are you connected to and operationally utilising the Criminal Justice
Network?
If not have you considered connecting to the Criminal Justice Network
and why was the decision made not to
connect?
Please supply your latest annual assessment/audit report, blanking out
any statements which could contravene a security concern from a
third party reading it.

NHS N3 Network
Are you connected to and operationally utilising the NHS N3 Network?
If not have you considered connecting to the NHS N3 network and why
was the decision made not to connect?
Please supply your latest N3 Connection assessment/audit report,
blanking out any statements which could contravene a security
concern from a third party reading it.

Do both schools and the Council share the same physical network
responsible for voice and data communications? '

Your request for information has been considered under the Freedom of
Information Act 2000. I can confirm that Hertfordshire County Council does
hold the information you have requested, and can respond as follows:

'1. Provide, name, address and telephone number for the following people:
o Senior Information Risk Owner
Mike Parsons - Director of Resources and Performance
0300 123 4040
o Governance Manager
Martin Aust - Head of Intelligence
0300 123 4040
o Information Security Officer/Manager
Dave Mansfield - Technical Infrastructure Manager
0300 123 4040
o Information Technology Security Officer/Manager
Jaswant Golan - Technical Security Officer
0300 123 4040
o Caldecott Guardian
Ian McBeath - Assistant Director Performance and Support
0300 123 4040

Address for all of the above:
County Hall
Pegs Lane
Hertford
Herts
SG13 8DQ

2. PCI-DSS
Does your organisation process electronic payment cards?

Hertfordshire County Council organisation does not process electronic
payment cards, we have 3rd party suppliers that do this on our behalf.
We have purchasing cards which are used for Council expenditure, where
processing is done by the Royal Bank of Scotland. For payments received
from our website we use Netbanx. If you require further information in
relation to either of the above please contact us.

How much money is processed from electronic payment cards per annum?

N/A

How many electronic payment card transactions are processed per annum?

N/A

Are you PCI-DSS compliant?

The 3rd party suppliers are PCI-DSS compliant.

3. ISO 27001
Are you or have you considered becoming ISO 27001 compliant or
certified?

HCC is not ISO27001 certified. Currently there are no plans for ISO 27001
certification. However we design our ICT security around ISO2700x
principles.

4. Government Connect
Are you connected and operationally utilising the Government Connect
network?

YES

If not have you considered connecting to Government Connect and why was
the decision made not to connect?

N/A

Do you meet the Government Connect version three requirements?

YES

Please supply your latest CLAS consultant annual Government Connect
assessment/audit report, blanking out any statements which could
contravene a security concern from a third party reading it.

There is not one audit for the Council as a whole but a series of audits
for individual applications and their infrastructure. The level of detail
in the audit is such that it would compromise the security of the data
held within the individual applications and Hertfordshire County Council
network systems.

After careful consideration the County Council has decided that this
information should be withheld under the exemption contained in Section
36(2)(c) of the Freedom of Information Act 2000. Section 36 of the Freedom
of Information Act 2000 exempts information from disclosure on the grounds
of prejudice to effective conduct of public affairs. The specific parts of
this exemption which the County Council considers relevant in this
instance is 36(2)(c), which states that:

Information to which this section applies is exempt information if, in the
reasonable opinion of a qualified person, disclosure of the information
under this Act would, or would otherwise prejudice, or would be likely
otherwise to prejudice, the effective conduct of public affairs.

36 (2) (c) is only available in cases where the disclosure would prejudice
the public authority's ability to offer an effective public service, or to
meet its wider objectives or purpose (rather than simply to function) due
to the disruption caused by the disclosure and the diversion of resources
in managing the impact of disclosure.

The County Council's Chief Legal Officer Kathryn Pettitt, who also holds
the position of Monitoring Officer, is the authorised qualified person
within the County Council. In her opinion given on 15 September 2010
disclosure of information relating to the CLAS Consultant annual
Government Connect audit reports would prejudice the effective conduct of
County Council business and should be exempt from disclosure under Section
36(2)(c) of the Act.

As this exemption is a qualified exemption, in reaching its decision, the
Council has carried out the public interest test.
The factors we have considered which are in favour of disclosure are:

* There is public interest in disclosure of information by public
authorities to promote transparency and accountability in relation to
the activities of public authorities.
* There is a public interest in local government ICT systems meeting
national data security requirements.

The factors we have considered which are against disclosure are:

* Disclosure could affect the Council's ability to maintain safe and
secure network systems, and render HCC vulnerable to criminal
activity.
* Disclosure may prejudice the security of HCC's ICT applications, the
contents of which include sensitive, personal data of individuals who
receive services from the Council.
* Any loss of IT function as a result of a breach of ICT security in
relation to individual applications or the network infrastructure
would severely restrict our ability to carry out our statutory
functions as a local authority

Balancing test - reasons why public interest favours withholding the
information:

On balance, we consider that the public interest does not favour
disclosing the information that you have requested, because release of
this information could provide enough information to breach network system
security, and disrupt council business.

Do you meet the Government Connect version four requirements?
Please supply the latest internal report for the Government Connect
version four Audit/Assessment, blanking out any statements which
could contravene a security concern from a third party reading it.

Hertfordshire County Council does not meet the version four requirements.

5. Criminal Justice Network
Are you connected to and operationally utilising the Criminal Justice
Network?
YES

If not have you considered connecting to the Criminal Justice Network
and why was the decision made not to
connect?
N/A
Please supply your latest annual assessment/audit report, blanking out
any statements which could contravene a security concern from a
third party reading it.

We do not hold such a report, Hertfordshire County Council has not been
audited yet.

6. NHS N3 Network
Are you connected to and operationally utilising the NHS N3 Network?
If not have you considered connecting to the NHS N3 network and why was
the decision made not to connect?

Yes we are connected but we are not currently utilising N3 services.

Please supply your latest N3 Connection assessment/audit report,
blanking out any statements which could contravene a security
concern from a third party reading it.

We do not hold this information, see above.

Do both schools and the Council share the same physical network
responsible for voice and data communications?

No

If you have any questions, please do not hesitate to contact me, quoting
the reference number on this letter. To find out more about Freedom of
Information, please visit www.hertsdirect.org/foi

If you are unhappy with the way the County Council has handled your
request for information, you may complain through the County Council's
complaints procedure which is available at www.hertsdirect.org/complaints

If you are unhappy with the outcome of the complaints procedure you are
entitled to ask the Information Commissioner to investigate your
complaint. You should write to: FOI/EIR Complaints Resolution, Information
Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9
5AF.

Yours sincerely,

Elaine Dunnicliffe

Information Access Manager
________________________________________
Information Governance Unit
Hertfordshire County Council
Telephone: 01992 555848
Fax: 01992 588117
Email: [email address]
