Dear University of Leeds,

Under the Freedom of Information Act 2000, I write to obtain the following information about the organisation’s information technology infrastructure:

1. What is your annual IT Budget for 2021, 2022 & 2023?

2. Storage:

a. What storage vendor(s) and models do you currently use?

b. What is the capacity of the storage data in TB & How much of this is utilised?

c. What were the installation dates of the above storage vendor(s)? (Month/Year)

d. When is your planned (or estimated) storage refresh date? (Month/Year)?

e. Do you have any extended warranties, if so, with which supplier?

f. What is your estimated budget for the storage refresh?

3. Server/Compute:

a. What server vendor(s) and models do you currently use?

b. What were the installation dates of the above server vendor(s)? (Month/Year)

c. When is your planned (or estimated) server refresh date? (Month/Year)

d. What is your estimated budget for the server refresh?

e. Do you have any extended warranties, if so, with which supplier?

f. Which operating systems are used?

4. Backup, DR and BC:

a. What device/system do you use for your daily backups (e.g tape or disk)

b. What backup software do you use?

c. How much data do you backup, in TB?

d. Do you use a third party to provide a Business Continuity service (e.g. office workplace recovery or infrastructure ship-to-site solutions)?

e. Does your current recovery solution meet your stakeholder’s RTO/RPO expectations?

f. Do you already backup into the cloud?

g. Do you have a documented disaster recovery & business continuity plan in place?

5. Number of Physical servers?

6. Number of virtualised servers? & Which Virtualisation platform do you use?

7. Security:

a. What security solutions are being utilised?

b. Do you have a SIEM?

c. Do you have a SOC? If so, is it in house or outsourced?

d. Is it 24/7?

e. Name and role for IT Manager(s) / Officer(s) primarily responsible for cybersecurity

f. Names of all cyber security vendor(s) you us

g. Cost, duration and end date for the above contract(s)/license(s)

8. How far are you in your cloud strategy?

A. Not considering Cloud for the foreseeable future

B. Interested in Cloud, but have not started looking into it

C. Research Stage

D. Meeting with Suppliers

E. Consultancy

F. Started to integrate

G. Fully integrated

9. Which public cloud provider do you use?

10. Which IT services do you outsource? When do the contracts end?

11. Please also name all of the IT re-sellers that you work with and buy from, as well as the frameworks utilised.

12. Are you actively moving any applications/infrastructure into a cloud environment? If so who is responsible for this?

13. Do you normally purchase equipment and services as a capital investment (Cap-Ex) or ongoing operational charges (Opex)?

Yours faithfully,

Emily Blundell

Freedom of Information, University of Leeds

Dear Emily Blundell,

Freedom of Information request reference K/21/383

Thank you for your Freedom of Information (FOI) request dated 5 August 2021. Your request has been allocated the reference number K/21/383. Please include this number in all further correspondence related to your enquiry.

The University of Leeds aims to respond to all FOI requests within 20-working days of receipt. If there is any change to the expected timeframe for response, I will write to provide you with an update.

If you have any questions about your request, please contact us at [University of Leeds request email]

Yours sincerely
 
Chloe Wilkins
Freedom of Information Officer
 
Secretariat
University of Leeds

dangos adrannau a ddyfynnir

Freedom of Information, University of Leeds

Dear Emily Blundell, 

 

Freedom of Information Response (Our Ref: K/21/383)

 

Thank you for your Freedom of Information (FOI) request dated 5 August
2021, reference K/21/383.

 

Your request read:

 

1.            “What is your annual IT Budget for 2021, 2022 & 2023?

 

2.            Storage:

 a. What storage vendor(s) and models do you currently use?
 b. What is the capacity of the storage data in TB & How much of this is
utilised?
 c. What were the installation dates of the above storage vendor(s)?
(Month/Year)
 d. When is your planned (or estimated) storage refresh date?
(Month/Year)?
 e. Do you have any extended warranties, if so, with which supplier?
 f. What is your estimated budget for the storage refresh?

 

 

3.            Server/Compute:

a.         What server vendor(s) and models do you currently use?

b.         What were the installation dates of the above server vendor(s)?
(Month/Year)

c.         When is your planned (or estimated) server refresh date?
(Month/Year)

d.         What is your estimated budget for the server refresh?

e.         Do you have any extended warranties, if so, with which
supplier?

f.          Which operating systems are used?

 

4.            Backup, DR and BC:

a.         What device/system do you use for your daily backups (e.g tape
or disk)

b.         What backup software do you use?

c.         How much data do you backup, in TB?

d.         Do you use a third party to provide a Business Continuity
service (e.g. office workplace recovery or infrastructure ship-to-site
solutions)?

e.         Does your current recovery solution meet your stakeholder’s
RTO/RPO expectations?

f.          Do you already backup into the cloud?

g.         Do you have a documented disaster recovery & business
continuity plan in place?

 

5.            Number of Physical servers?

 

6.            Number of virtualised servers? & Which Virtualisation
platform do you use?

 

7.            Security:

a.         What security solutions are being utilised?

 

 

 

b.         Do you have a SIEM?

c.         Do you have a SOC? If so, is it in house or outsourced?

d.         Is it 24/7?

e.         Name and role for IT Manager(s) / Officer(s) primarily
responsible for cybersecurity

f.          Names of all cyber security vendor(s) you us

g.         Cost, duration and end date for the above
contract(s)/license(s)

 

8.            How far are you in your cloud strategy?

 

A.        Not considering Cloud for the foreseeable future

B.        Interested in Cloud, but have not started looking into it

C.        Research Stage

D.        Meeting with Suppliers

E.        Consultancy

F.        Started to integrate

G.       Fully integrated

 

9.            Which public cloud provider do you use? 

 

10.         Which IT services do you outsource? When do the contracts end?

 

11.         Please also name all of the IT re-sellers that you work with
and buy from, as well as the frameworks utilised.

 

12.         Are you actively moving any applications/infrastructure into a
cloud environment? If so who is responsible for this?

 

13.         Do you normally purchase equipment and services as a capital
investment (Cap-Ex) or ongoing operational charges (Opex)?”

 

The University of Leeds holds some of this information. For your
convenience we have responded to each of your questions in turn below.

 

What is your annual IT Budget for 2021, 2022 & 2023?

 

+------------------------------------------------------------------------+
| |2021/22 |2022/21 |2023/24 |
|-----------------------+------------------------------------------------|
| | (£k) |
|-----------------------+------------------------------------------------|
|Total expenditure |£35,782.63 |39,538.79 |41,328.41 |
+------------------------------------------------------------------------+

 

What storage vendor(s) and models do you currently use?

Primary vendors are Dell (Isilon/Powerscale) and NetApp (FAS and AFF
series)

 

What is the capacity of the storage data in TB & How much of this is
utilised?

Not completely known owing to fragmented estate, circa 12Pb in use.

 

What were the installation dates of the above storage vendor(s)?
(Month/Year)

o Dell - ongoing/commissioning
o NetApp - August 2018; April 2019; May 2020; November 2020 and
September 2021

 

When is your planned (or estimated) storage refresh date? (Month/Year)?

Ongoing staggered rollover rather than bulk refreshes

 

Do you have any extended warranties, if so, with which supplier?

Yes, with Dell and with Trustmarque

 

What is your estimated budget for the storage refresh?

We do not have an estimated budget for the storage refresh.

 

What server vendor(s) and models do you currently use?

Dell, Cisco UCS, Oracle

 

What were the installation dates of the above server vendor(s)?
(Month/Year)

More than 4 years ago

 

When is your planned (or estimated) server refresh date? (Month/Year)

None; we are moving to cloud-based provision

 

What is your estimated budget for the server refresh?

Not applicable

 

Do you have any extended warranties, if so, with which supplier?

Dell and Oracle

 

Which operating systems are used?

Windows 2008 up to 2019, Red Hat and Centos, some Solaris

 

What device/system do you use for your daily backups (e.g tape or disk)

Disk

 

What backup software do you use?

Commvault Simpana

 

How much data do you backup, in TB?

~200TB

 

Do you use a third party to provide a Business Continuity service (e.g.
office workplace recovery or infrastructure ship-to-site solutions)?

Yes

 

Does your current recovery solution meet your stakeholder’s RTO/RPO
expectations?

At present stakeholder RTO/RPO expectations have not been clearly
identified, work is underway to rectify this situation.

 

Do you already backup into the cloud?

Yes

 

Do you have a documented disaster recovery & business continuity plan in
place?

While critical incident management plans are in place they do not fully
articulate the disaster recovery and business continuity plan

 

Number of Physical servers?

1300

 

Number of virtualised servers? & Which Virtualisation platform do you use?

700. HyperV, Solaris Zones and VMWare

 

What security solutions are being utilised?

We are not clear what specific information you are requesting here. If you
are able to be more specific about the information you are seeking, we may
be able to provide further information.

 

Do you have a SIEM?

Yes

 

Do you have a SOC? If so, is it in house or outsourced?

Yes, currently in house.

 

Is it 24/7?

Not currently

 

Name and role for IT Manager(s) / Officer(s) primarily responsible for
cybersecurity

Dr Philip Hobley, IT Assurance manager

 

Names of all cyber security vendor(s) you use

Cost, duration and end date for the above contract(s)/license(s)

We address these questions together.

 

We consider that these details are exempt from disclosure under section
31(1)(a) of the Freedom of Information Act.

 

Section 31(1)(a) sets out that information is exempt from disclosure if
its release would or would be likely to prejudice the prevention or
detection of crime.

 

To reveal the information regarding the cyber-security arrangements we
have in place, would provide would-be or attempted attackers with
information regarding our cyber-defence provision. Revealing the name of
the vendor and the contract value would indicate the type of protection
which is in place, and to reveal the duration and contract end date
provides those with nefarious intentions with a timeframe in which the
University may be particularly vulnerable to attack (i.e. during
transition from one provider to another). 

 

Section 31(1)(a) is a qualified exemption. This means that the University
of Leeds is required to consider whether the public interest in the
information outweighs the public interest in maintaining the exemption.

 

There is clearly a very strong public interest in protecting public
authorities from crime. To release information which increases the
University’s vulnerability to cyber-crime would jeopardise our ability to
provide services to our students (current, former and potential), and
would put at risk personal, financial and commercial sensitive
information. We therefore consider that there is a very strong public
interest in maintaining the exemption. Conversely, we do not consider
there to be any particular public interest in the disclosure of this
information. While it is important for students and the public to
understand that the University takes the threat of cyber-crime seriously,
and are taking appropriate measures to tackle it, we do not consider that
this interest would be furthered by the release of this information.

 

We therefore consider that the public interest is firmly in favour of
withholding the information in this case.

 

How far are you in your cloud strategy?

Started to integrate

 

Which public cloud provider do you use? 

MS Azure

 

Which IT services do you outsource? When do the contracts end?

We are not clear what you define as “IT services”. A wide range of
contracts relating to different IT solutions are in place, some of which
are partially outsourced. If you are able to be more specific about the
information you are requesting, we may be able to provide further
information. Please note that the broader your question, the more likely
it is that we will need to refuse the request under section 12(1) of the
FOI Act.

 

Please also name all of the IT re-sellers that you work with and buy from,
as well as the frameworks utilised.

o ITRAP Framework

o Academia
o Insight Direct
o Softcat
o XMA

o SUPC Software Resellers Framework

o Softcat
o Phoenix Software

o Apple equipment and Services Framework

o Academia
o Stone Computers
o Insight
o XMA

o National Desktop & Notebook Framework

o Stone computers

                       

Are you actively moving any applications/infrastructure into a cloud
environment? If so who is responsible for this?

Yes, a number of applications and infrastructure are being moved into the
cloud. Responsibility for the decisions on what to migrate, how to do this
and who to work with is spread across a wide range of people within both
IT and the wider University.

 

Do you normally purchase equipment and services as a capital investment
(Cap-Ex) or ongoing operational charges (Opex)

Equipment which is equal to or greater than £25k is recognised as capital
expenditure, items less than this are ongoing operational charges.

 

We hope this information is helpful. If you have any questions about this
email, however, please do not hesitate to contact us on [1][University of Leeds request email]

 

If you are unhappy with the service you have received in relation to your
request and wish to make a complaint or request a review of our decision,
you can request an Internal Review. Requests for Internal Review should be
made in writing using the following contact information:

 

Post:               Mr D Wardle

Deputy Secretary

The University of Leeds

Leeds

LS2 9JT

 

Email:             [2][University of Leeds request email]

 

Requests for Internal Review should be submitted within 40 working days of
receiving the University’s response to your request. Further information
about how the University manages Freedom of Information requests and about
our complaints procedure is also available on our website
([3]www.leeds.ac.uk).

 

If you are not content with the outcome of the internal review, you have
the right to apply directly to the Information Commissioner for a
decision.  Generally, the ICO cannot make a decision unless you have
exhausted the review/complaints procedure provided by the University.  The
Information Commissioner can be contacted at:  Information Commissioner’s
Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

 

Yours sincerely

 

Chloe Wilkins

Freedom of Information Officer

 

Secretariat

University of Leeds

 

 

 

References

Visible links
1. mailto:[University of Leeds request email]
2. mailto:[University of Leeds request email]
3. http://www.leeds.ac.uk/