Security Audit of coi.gov.uk

Richard Jackson made this Freedom of Information request to Central Office of Information

Response to this request is long overdue. By law, under all circumstances, Central Office of Information should have responded by now. You can complain by requesting an internal review.

From: Richard Jackson

13 August 2008

Dear Sir or Madam,

In the .gov.uk Naming and Approvals Committee Minutes of 26th
September 2007 reference is made to a security audit of coi.gov.uk

Can you please provide a copy of that audit (and, should it not be
obvious from the audit report, details of who conducted it), and
details of any decisions made by COI in response to it.

If there have been any further audits commissioned or conducted
since then, please also provide similar information in relation to
them.

Yours faithfully,

Richard


From: FOI Officer
Central Office of Information

11 September 2008


Attachment: Provide informationRJackson10485428.doc (84K)


Good afternoon Richard

Please see the attached.

Regards
Glynn

Glynn Morgan
FOI Officer
Central Office of Information
Hercules House
Hercules Road
London
SE1 7DU
Tel 020 7928-2345
Fax 020 7928 5037

"This communication is confidential and copyright. Anyone coming into
unauthorised possession of it should disregard its content and erase it
from their records."

The original of this email was scanned for viruses by Government Secure
Intranet (GSi) virus scanning service supplied exclusively by Cable &
Wireless in partnership with MessageLabs.
On leaving the GSI this email was certified virus free.
The MessageLabs Anti Virus Service is the first managed service to achieve
the CSIA Claims Tested Mark (CCTM Certificate Number 2006/04/0007), the UK
Government quality mark initiative for information security products and
services. For more information about this please visit www.cctmark.gov.uk


Public Sector Forums left an annotation (16 September 2008)

Could they not provide at least a redacted version?


From: Richard Jackson

21 September 2008

Dear Glynn,

Please take this as a request for an internal review of this
decision. You say in your response that I should contact Emma
Lochhead in that regard, but you have provided no details on how to
do that, so I would be grateful if you could forward this on.

I would note that the security audit in question is almost a year
old now, and that there would be a reasonable expectation that any
problems identified by it should be fixed by now. If, for some
reason, a decision was made to ignore some potential problems and
rely on security through obscurity, then it would be slightly more
understandable for those portions to be withheld or redacted, but I
do not believe it is appropriate to refuse to release _all_
information requested (including details of by whom the audit was
carried out).

Yours sincerely,

Richard


From: Richard Jackson

8 November 2008

Dear Sir or Madam,

My request for internal review made on 21st September in relation
to my FOI request 'Security Audit of coi.gov.uk' has still received
no response. I would note that ICO guidance states that such
requests should normally be handled in 20 working days, and should
never take more than 40.

Please advise on the expected date when I should receive a
response.

A full history of my original request and all correspondence is
available on the Internet at this address:
http://www.whatdotheyknow.com/request/se...

Yours sincerely,

Richard Jackson


From: Richard Jackson

5 December 2008

Dear Sir or Madam,

It is now well over two months since I requested an internal review
of my request relating to the Security Audit of coi.gov.uk and I
have still heard nothing. Unless I receive an update in the next
week I will have little option but to direct this matter to the
ICO.

A full history of my FOI request and all correspondence is
available on the Internet at this address:
http://www.whatdotheyknow.com/request/se...

Yours sincerely,

Richard Jackson


From: FOI Officer
Central Office of Information

11 December 2008


Attachment: Internal Review RJackson10485428.doc (78K)


Good morning Richard

Thank you for your email. Please see the attached sent in response to your
email of 8th November.

If you have any queries please do not hesitate to contact me.

Kind regards
Glynn

Glynn Morgan
FOI Officer
Central Office of Information
Hercules House
Hercules Road
London
SE1 7DU
Tel 020 7928-2345
Fax 020 7928 5037


From: Richard Jackson

11 December 2008

Dear Emma,

RE: 10485428

Thank you for this response.

I am slightly confused as to your point re: providing a redacted
copy of the audit. Are you saying that your internal review has
decided that COI were correct in withholding some material, but
mistaken in not providing a redacted copy?

I am also a little surprised that you did not just attach the
redacted copy to your response, but I would be grateful if you
would send that.

Yours sincerely,

Richard Jackson


From: FOI Officer
Central Office of Information

11 December 2008

Richard

I will arrange for a copy to be sent.

Kind regards
Glynn

Glynn Morgan
FOI Officer
Central Office of Information
Hercules House
Hercules Road
London
SE1 7DU
Tel 020 7928-2345
Fax 020 7928 5037


Public Sector Forums left an annotation (12 December 2008)

I think you would have a case to take this to the ICO.

Apart from breaching the statutory timescales for review, to say that for the exemption in section 33 of the FOI Act to apply, the Department needs to demonstrate that:

(a) disclosure is likely to prejudice the authority's auditing functions; and
(b) the public interest in avoiding that prejudice is greater than the public interest in disclosing the information concerned.

I don't think simply saying 'for the reasons as previously stated and I do not believe its release would be in the public interest' satisfies that requirement. Even more strange that they didn't provide the redacted version with the response.
