FOI Request

Dave Schneider made this Freedom of Information request to Royal Borough of Kensington and Chelsea

The request was partially successful.

From: Dave Schneider

18 August 2010

Sir/Madam,

I wish to make a request under the Freedom of Information Act. The
following questions and information I wish to have sent to me are
as follows:

Provide name, address and telephone number for the following
people:
• Senior Information Risk Owner
• Governance Manager
• Information Security Officer/Manager
• Information Technology Security Officer/Manager
• Caldicott Guardian

PCI-DSS
Does your organisation process electronic payment cards?
How much money is processed from electronic payment cards per
annum?
How many electronic payment card transactions are processed per
annum?
Are you PCI-DSS compliant?

ISO 27001
Are you or have you considered becoming ISO 27001 compliant or
certified?

Government Connect
Are you connected and operationally utilising the Government
Connect network? If not have you considered connecting to
Government Connect and why was the decision made not to connect?
Do you meet the Government Connect version three requirements?
Please supply your latest CLAS consultant annual Government Connect
assessment/audit report, blanking out any statements which could
contravene a security concern from a third party reading it.
Do you meet the Government Connect version four requirements?
Please supply the latest internal report for the Government Connect
version four Audit/Assessment, blanking out any statements which
could contravene a security concern from a third party reading it.

Criminal Justice Network
Are you connected to and operationally utilising the Criminal
Justice Network? If not have you considered connecting to the
Criminal Justice Network and why was the decision made not to
connect?
Please supply your latest annual assessment/audit report, blanking
out any statements which could contravene a security concern from a
third party reading it.

NHS N3 Network
Are you connected to and operationally utilising the NHS N3
Network? If not have you considered connecting to the NHS N3
network and why was the decision made not to connect?
Please supply your latest N3 Connection assessment/audit report,
blanking out any statements which could contravene a security
concern from a third party reading it.
Do both schools and the Council share the same physical network
responsible for voice and data communications?

Yours faithfully,

Dave Schneider


Royal Borough of Kensington and Chelsea

19 August 2010

Dear Mr. Schneider

FREEDOM OF INFORMATION REQUEST REF: 2010-579

I am writing to confirm that we received your information request on 18
August 2010. For your information and future communications your request
has been allocated the reference number FOI2010-579. Please quote this
reference in any future correspondence.

We will consider your request and respond in accordance with the
requirements of the Freedom of Information Act 2000. Our duty is to
respond promptly or at least within 20 working days.

Yours sincerely

Robin Yu

Information Protection Assistant

FOIA Team, Business Protection Unit

Information Systems Division (ISD)

The Royal Borough of Kensington and Chelsea

The Town Hall, Hornton Street, London W8 7NX

Tel: 020 7938 8226

Web: [1]http://www.rbkc.gov.uk


Royal Borough of Kensington and Chelsea

16 September 2010

Dear Mr. Schneider

FREEDOM OF INFORMATION REQUEST REF: 2010-579

I am responding to your request under the Freedom of Information Act 2000,
which we received on 18 August 2010, for information held by the Council.
You requested:

I wish to make a request under the Freedom of Information Act. The
following questions and information I wish to have sent to me are as
follows:

Provide name, address and telephone number for the following people:

o Senior Information Risk Owner

o Governance Manager

o Information Security Officer/Manager

o Information Technology Security Officer/Manager

o Caldicott Guardian

Please contact Barry Holloway, Head of Information Systems Division:

Room N111

Kensington Town Hall

Hornton Street

LONDON

W8 7NX

[1][email address]

020 7361 3252

PCI-DSS

Does your organisation process electronic payment cards?

Yes

How much money is processed from electronic payment cards per annum? How
many electronic payment card transactions are processed per annum?

In 2008/9 the Council processed 239,769 transactions with a total value of
£30,894,670.57.

Are you PCI-DSS compliant?

The Council are in the process of achieving full PCI-DSS accreditation,
and currently meet the requirements of the scheme through the scheme's
self-assessment questionnaire.

ISO 27001

Are you or have you considered becoming ISO 27001 compliant or certified?

Yes (have considered certification)

Government Connect

Are you connected and operationally utilising the Government Connect
network? If not have you considered connecting to Government Connect and
why was the decision made not to connect?

Yes (connected and utilising)

Do you meet the Government Connect version three requirements?

Yes

Please supply your latest CLAS consultant annual Government Connect
assessment/audit report, blanking out any statements which could
contravene a security concern from a third party reading it.

I confirm that we hold this information.

The publication of our completed Code of Connection would serve to
identify those areas within the Authority where there may be security
weaknesses and thereby assist foreign intelligence agencies and malicious
parties.

Under section 31(1)(a) of FOIA, we are permitted to withhold information
if its disclosure would prejudice the prevention and detection of crime.
We believe that disclosure of this information would leave the Council
vulnerable to terrorist or other criminal attack. ICT systems are critical
to Council business and any loss of key systems could have a detrimental
effect on meeting our customers' expectations and our ability to fulfil
our statutory obligations.

The Act also requires us to consider whether the public interest in
disclosure outweighs the public interest in maintaining the exemption.
Whilst there may be arguments for disclosure for reasons of transparency
and accountability, we believe that the necessity of ensuring security of
ICT systems is more important. There would be an adverse and prejudicial
impact on Council business, its staff and residents if ICT systems were
compromised. The Information Commissioner has advised all authorities to
take security of electronic data seriously and to put in place appropriate
safeguards to protect clients and operations. It is for these reasons that
we have decided that the public interest in withholding the information
outweighs the public interests in disclosure.

Disclosure of the information requested would also reveal the underlying
Code of Connection and its controls for which CESG are the primary author.
CESG is the Information Assurance arm of GCHQ and under section 23(1) of
FOIA, information is exempt if it was directly or indirectly supplied to
the Council by one of the listed bodies with security functions. GCHQ is
listed under section 23(3)(c), thus this information is exempt from
disclosure. This exemption is a class-based, absolute exemption therefore
a public interest test is not required.

Do you meet the Government Connect version four requirements?

We are currently being reassessed

Please supply the latest internal report for the Government Connect
version four Audit/Assessment, blanking out any statements which could
contravene a security concern from a third party reading it.

Please see response 2 questions above.

Criminal Justice Network

Are you connected to and operationally utilising the Criminal Justice
Network?

No

If not have you considered connecting to the Criminal Justice Network and
why was the decision made not to connect?

N/A (there is no Criminal Justice Network)

Please supply your latest annual assessment/audit report, blanking out any
statements which could contravene a security concern from a third party
reading it.

N/A

NHS N3 Network

Are you connected to and operationally utilising the NHS N3 Network? If
not have you considered connecting to the NHS N3 network and why was the
decision made not to connect?

Yes (connected and utilising)

Please supply your latest N3 Connection assessment/audit report, blanking
out any statements which could contravene a security concern from a third
party reading it.

We do not hold this information. The IGSoc Report is a public document -
once the process has been completed, the report for this Authority will be
available on the NHS Connecting for Health website.

Do both schools and the Council share the same physical network
responsible for voice and data communications?

No

Copyright

Please note, all material provided by the Royal Borough of Kensington and
Chelsea in response to your request for information is for your personal,
non-commercial use. The Royal Borough of Kensington and Chelsea reserves
all rights in the copyright of the information provided. Any unauthorised
copying or adaptation of the information without express written
confirmation from the Royal Borough of Kensington and Chelsea will
constitute an infringement of copyright. Any intention to re-use this
information commercially will require consent. Please forward any requests
for re-use of information to the FOI officer ([2][RBKC request email]).

Complaints

I trust this has satisfied your request. Should you be unhappy with the
handling of your request, the Council has an internal complaints process
for handling FOI Act complaints. Complaints are reviewed by the Town Clerk
and Chief Executive or his nominee. A form is available from our website
to lodge your complaint
[3]http://www.rbkc.gov.uk/councilanddemocra...
Please contact us if you do not have website access and we can provide you
with a copy of the form.

Following this review, should you still be unhappy with how your
information request has been handled, you have a further right to appeal
to the Information Commissioner who is responsible for ensuring compliance
with the FOI Act.

Yours sincerely

Robin Yu

Information Protection Assistant

FOIA Team, Business Protection Unit

Information Systems Division (ISD)

The Royal Borough of Kensington and Chelsea

The Town Hall, Hornton Street, London W8 7NX

Tel: 020 7938 8226

Web: [4]http://www.rbkc.gov.uk


References

Visible links
1. mailto:[email address]
2. mailto:[RBKC request email]
3. http://www.rbkc.gov.uk/councilanddemocra...
4. http://www.rbkc.gov.uk/
