IT Network and Security 2020

The request was partially successful.

Francois Charles

Dear University of Warwick,

Under the Freedom of Information Act 2000 may I kindly request the following information about the Universities IT Infrastructure Information. The information needed is as follows:

IT COMPLIANT ROUTE TO PURCHASE - NETWORKING AND SECURITY:
What Frameworks are currently used for any IT Supply/Services/Support Procurement? (ie. SSSNA, NEUPC, Janet, CCS, CPC etc)?
What framework will the University be using for any future Storage, Network/Security supply/support/services renewal contract?
Does the University carry out any form of pre-market engagement with different technology partners in order to determine that the University (and the Tax payer) is getting “Value for Money” ?

NETWORK:
Who is current Network vendor?
Who is the current network support supplier? Were they assigned via any market engagement / framework tender?
If you use Cisco, do you currently use Smart Collector which is registered with Cisco?
How many switches, routers on network?
How many wireless controllers/ AP’s?
Network contract start date?
Date current Network Support ends / is refreshed (for switches, routers, core etc)
What framework will the University be using for any new/renewal network support contract?
Value of existing Network support contract ?

SECURITY / CYBERSECURITY:
IT Security vendors used?
IT Security Support renewal date?
Do you use 2FA?
What web and email filtering is used?
What DLP is in place?
What SIEM solution is used?
Current firewall vendor / When is current support contract renewal due?
Current Endpoint security vendor? When is Endpoint security support contract renewal?
What Intrusion prevention is used?
When is Intrusion support contract renewal?
Does the University do regular Penetration Testing across the University network ?
How many man days does this Penetration Test cycle take?

ICO - breaches:
How many cyber security breaches has the University had over the past 3 yrs?
Were they reported to the ICO?

CAMPUS SAFETY - EMERGENCY MASS NOTIFICATION
Does the University have a Mass Emergency Notification system in place? (for both staff and students)
What system is used?
When does the current support expire/renew?

Thank you and I look forward to receiving your reply within the allotted timescales detailed in the Act.
Regards
Francois Charles

infocompliance, Resource, University of Warwick

Thank you for your email which has been received by the University's
Information and Data Compliance Team. 
The University undertakes to respond to Freedom of Information Requests
within 20 working days and to Data Subject Rights Requests within one
month.*

If your query is not related to a Freedom of Information Request or Data
Subject Rights Request, but is related to a data protection
matter, please redirect it to [1][email address].

Kind regards

Information and Data Compliance Team.

 

*Please note that due to the global Covid-19 pandemic, the University of
Warwick is following the advice of the UK Government and where possible
staff are working from home. New working arrangements coupled with the
prioritisation of university resources may impact upon the University’s
ability to respond to your request within the statutory timescales and you
may experience delays when making information rights requests during the
pandemic. Thank you for your patience during these unprecedented times.

References

Visible links
1. mailto:[email address]

infocompliance, Resource, University of Warwick

Dear Francois,

Thank you for submitting an FOI request, requesting information from the University of Warwick. In order to comply with your request, we would be grateful if you could please clarify the following:

• Please could you provide a more detailed definition, of what would constitute ‘cyber security breach’

Once we have received clarification on the above, we can then proceed further with your request.

Please be advised that the University will be unable to proceed with your request until you have provided the requested clarifications and the 20 working day statutory time limit does not begin

Kind Regards,

Legal and Compliance Services

This message is sent in confidence for the addressee only.  It may contain privileged information.  The contents are not to be disclosed to anyone other than the addressee.  Unauthorised recipients must preserve this confidentiality and should please advise the sender immediately of the error in transmission.

show quoted sections

Francois Charles

Dear info compliance, Resource,
Thank you for your reply and your request for more information on my definition of a Cyber Security Breach.

A cybersecurity incident is a breach of the University system's security policy in order to affect its integrity or availability and/or the unauthorised access or attempted access to a system or systems.

In general, types of activity that are commonly recognised as being breaches of typical security policy are:

1. Attempts to gain unauthorised access to a system and/or to data within the University

2. The unauthorised use of systems for the processing or storing of data within the University

3. Changes to a systems firmware, software or hardware without the consent of the University.

4. Malicious disruption and/or denial of service.

5. Unintentional information disclosure, data leak, information leakage or data spill.

I trust this explains my term "Cyber Security Breach" a bit more clearly?

Thanks
Francois Charles

Dear infocompliance, Resource,

Please can you advise as to whether you have received this additional information that was required?

Yours sincerely,

Francois Charles

infocompliance, Resource, University of Warwick

Francois Charles

 

Thank you for your email.

 

We can confirm that the University can confirm that it received your
response to the clarification it previously requested, namely your
definition of Cyber Security Breaches and the University had been working
on responding to your request.

 

However, it has come to light that this request is likely to exceed the
appropriate costs limit under section 12(1) of the Freedom of Information
Act 2000. Section 12(1) of the Freedom of Information Act states that a
public authority is not obliged to comply with a request for information
if the authority estimates that the cost of complying with the request
would exceed the appropriate limit.  This is currently £450, which equates
to 18 hours of staff time calculated at £25 an hour as set out in the
Freedom of Information and Data Protection (Appropriate Limit and Fees)
Regulations 2004. Referring to your part of the request titled ‘ICO
breaches’, the University can confirm that it does hold a central log of
‘incidents’ which have been reported to the University’s Information and
Data compliance team to assess and review for further advice and action.
However these incidents are not necessarily either Cyber Security Breaches
(using the definition provided by you) or personal data breaches. Over the
three year period requested there have been 421 reported incidents
recorded but in order to determine how many of these incidents involved a
cyber-security breach (using the definition provided by you) the
University would have to manually review the folder for each incident and
read through the documentation to assess whether it fell within your
definition. It is highly likely that the majority of these incidents would
not involve cyber security breaches however without reviewing the folders
in greater detail, the University cannot confirm for certain. To locate
and review each of the 421 incident files would take well in excess of the
18 hour costs limit permitted under FOIA.

 

The University is obliged to offer guidance as to what would be manageable
under the costs limit so with that in mind, the University could review
the number of these incidents which were subsequently reported to the ICO,
as this number is far smaller than 421 and therefore manageable within the
appropriate costs limit, to determine how many could be categorised as
Cyber Security Breaches. If this information would interest you then
please submit a refined request.

 

If you do submit a refined request, the University will treat it as a
substitute request to your original request and the 20 working day time
period will start again. In the absence of a refined request, the
University will send an official response to your original request,
engaging the costs limit exemption under section 12(1) of the Freedom of
Information Act 2000 within the original 20 working day timer period from
the date your clarification was received.

 

Kind regards,

 

Legal and Compliance Services

 

show quoted sections

Dear info compliance, Resource,

Thank you for your reply.

In that case please discard the "Cybersecurity Breach" question" and please submit the answers to all the other questions in my FOI.

It does seem quite strange though - as all the other Universities easily replied to this particular Cybersecurity breach question.

I look forward to receiving the rest of the information in due course.

Many thanks
Francois Charles

infocompliance, Resource, University of Warwick

Francois Charles

 

Thank you for your email dated 13 July 2020 requesting information from
the University of Warwick under the Freedom of Information Act 2000.
Please find below your request and our response.

Under the Freedom of Information Act 2000 may I kindly request the
following information about the Universities IT Infrastructure
Information. The information needed is as follows:

IT COMPLIANT ROUTE TO PURCHASE - NETWORKING AND SECURITY:

o What Frameworks are currently used for any IT Supply/Services/Support
Procurement? (ie. SSSNA, NEUPC, Janet, CCS, CPC etc)?
o What framework will the University be using for any future Storage,
Network/Security supply/support/services renewal contract?
o Does the University carry out any form of pre-market engagement with
different technology partners in order to determine that the
University (and the Tax payer) is getting “Value for Money” ?

NETWORK:

o Who is current Network vendor?
o Who is the current network support supplier? Were they assigned via
any market engagement / framework tender?
o If you use Cisco, do you currently use Smart Collector which is
registered with Cisco?
o How many switches, routers on network?
o How many wireless controllers/ AP’s?
o Network contract start date?
o Date current Network Support ends / is refreshed (for switches,
routers, core etc) What framework will the University be using for any
new/renewal network support contract?
o Value of existing Network support contract ?

SECURITY / CYBERSECURITY:

o IT Security vendors used?
o IT Security Support renewal date?
o Do you use 2FA?
o What web and email filtering is used?
o What DLP is in place?
o What SIEM solution is used?
o Current firewall vendor / When is current support contract renewal
due?
o Current Endpoint security vendor? When is Endpoint security support
contract renewal?
o What Intrusion prevention is used?
o When is Intrusion support contract renewal?
o Does the University do regular Penetration Testing across the
University network ?
o How many man days does this Penetration Test cycle take?

ICO - breaches:

o How many cyber security breaches has the University had over the past
3 yrs?
o Were they reported to the ICO?

CAMPUS SAFETY - EMERGENCY MASS NOTIFICATION

o Does the University have a Mass Emergency Notification system in
place? (for both staff and students) What system is used?
o When does the current support expire/renew?

After the University sought clarification from you on 13 July 2020, you
provided the following further information:

Thank you for your reply and your request for more information on my
definition of a Cyber Security Breach. A cybersecurity incident is a
breach of the University system's security policy in order to affect its
integrity or availability and/or the unauthorised access or attempted
access to a system or systems.

In general, types of activity that are commonly recognised as being
breaches of typical security policy are:

 1. Attempts to gain unauthorised access to a system and/or to data within
the University
 2. The unauthorised use of systems for the processing or storing of data
within the University
 3. Changes to a systems firmware, software or hardware without the
consent of the University.
 4. Malicious disruption and/or denial of service.
 5. Unintentional information disclosure, data leak, information leakage
or data spill.

After the University sought a refinement from you on 12 August 2020, you
provided the following further information:

In that case please discard the "Cybersecurity Breach" question" and
please submit the answers to all the other questions in my FOI.

Please find the University‘s response below:

IT COMPLIANT ROUTE TO PURCHASE - NETWORKING AND SECURITY:

o What Frameworks are currently used for any IT Supply/Services/Support
Procurement? (ie. SSSNA, NEUPC, Janet, CCS, CPC etc)?

The University utilises a number of consortia agreements in this category;
recent competitive processes have included SSSNA and SLRA.

o What framework will the University be using for any future Storage,
Network/Security supply/support/services renewal contract?

The University will assess suitability of all available frameworks as part
of the category/contract strategy in order to determine the most
appropriate route to market.

o Does the University carry out any form of pre-market engagement with
different technology partners in order to determine that the
University (and the Tax payer) is getting “Value for Money” ?

The University consistently seeks to deliver best value through its
procurement activities. Engagement with new technology partners is
undertaken as part of strategy development and, where existing
partnerships are renewed these are challenged in line with requirement to
demonstrate value for money.

NETWORK:

o Who is current Network vendor?

Cisco.

o Who is the current network support supplier?

Cisco.

o Were they assigned via any market engagement / framework tender?

Yes.

o If you use Cisco, do you currently use Smart Collector which is
registered with Cisco?

No.

o How many switches, routers on network?

1500+ / 2

o How many wireless controllers/ AP’s?

10 / 4000+

o Network contract start date?

1 August 2019.

o Date current Network Support ends / is refreshed (for switches,
routers, core etc)

5 years from start date.

o What framework will the University be using for any new/renewal
network support contract?

As directed by the university’s procurement department.

o Value of existing Network support contract?

The University declines to provide information in relation to contract
value as it considers that the release of this information would prejudice
the University and the supplier’s commercial interests. This information
is withheld under the exemption at section 43(2) of the Freedom of
Information Act 2000. Section 43(2) states that “information is exempt
information if its disclosure under this Act would, or would be likely to,
prejudice the commercial interests of any person (including the public
authority holding it)”. The University considers that the release of
contract value information would prejudice the University and the
supplier’s commercial interests by revealing such information to
competitors, which would provide them with an advantage when the contract
is retendered or new quotes are sought.

The University considers that the commercial aspects of a successful
contract are specific to those parties to the contract. Should such
information be made available to the public at large, this would result in
the University losing credibility with its supply base, provide a
disincentive to suppliers to bid for future University contracts and
ultimately have a detrimental impact on competition and the ability of the
University to achieve value for money. The disclosure of costings could
seriously affect the competitiveness of the market and to distort any
future tender process which is not in the public interest. As well as
potentially prejudicing the University’s commercial interests, releasing
the information requested would be likely to prejudice the supplier’s
commercial interests by weakening its position in a competitive
environment and by revealing information of potential usefulness to its
competitors. The disclosure of spend would provide a significant advantage
to competitors by providing an insight into the supplier’s pricing
structure and damage the supplier’s ability to compete effectively in
future tender processes.

 

The exemption at section 43(2) is a qualified exemption which means that
the University must consider whether the public interest in maintaining
the exemption outweighs the public interest in disclosure. The University
considers there is no overriding public interest in the circumstances that
would warrant prejudicing the University’s or the supplier’s commercial
interests. It is important to note that disclosure under the Freedom of
Information Act is effectively disclosure to the general public, not
solely the person who has made the request and this market is highly
competitive and therefore in order for the market to retain its
competitive nature, companies need to be able to compete fairly.  The
disclosure of the information requested, would impact the commercial
activity in this market with the potential to distort any future tender
process. Therefore, the University is of the opinion that the public
interest lies in favour of withholding the requested information.

SECURITY / CYBERSECURITY:

o IT Security vendors used?
o IT Security Support renewal date?
o Do you use 2FA?
o What web and email filtering is used?
o What DLP is in place?
o What SIEM solution is used?
o Current firewall vendor / When is current support contract renewal
due?
o Current Endpoint security vendor? When is Endpoint security support
contract renewal?
o What Intrusion prevention is used?
o When is Intrusion support contract renewal?
o Does the University do regular Penetration Testing across the
University network ?
o How many man days does this Penetration Test cycle take?

The University confirms that it holds the requested information but
declines to provide the information as it believes it is exempt from
disclosure under section 31(1)(a) of the Freedom of Information Act.

The University is not obliged to provide information if its release would
prejudice the prevention or detection of crime and the University believes
that releasing detailed information regarding its cyber security services
creates a security risk. Disclosure would make the University more
vulnerable to crime, including cyber-attacks, from an external hacker. By
divulging the requested information the University would be likely to
unnecessarily expose itself to the risk of harm and potentially huge
financial cost.

The University and its IT Services must consider whether the public
interest in maintaining the exemption outweighs the public interest in
disclosure. The University recognises that there is legitimate public
interest in providing information as this encourages openness,
accountability and informed public debate. However, the University also
believes that there is a strong public interest in maintaining the
exemption, if disclosure would be likely to prejudice the University’s
ability to perform its functions effectively in that the University would
be diverted from its day to day work in order to deal with the
consequences of cyber-attacks, phishing attacks, spear phishing attacks,
ransomware attacks, SQL injection attacks and rootkit attacks. In addition
to the delay and disruption to the University, the consequences of such
attacks would incur a huge financial cost in repairing infected devices
and/or purchasing and installing new equipment.

Therefore, the University is of the opinion that the public interest lies
in favour of withholding the requested information.

CAMPUS SAFETY - EMERGENCY MASS NOTIFICATION

o Does the University have a Mass Emergency Notification system in
place? (for both staff and students)

Yes.

o What system is used?

In-house developed application system

o When does the current support expire/renew?

N/A.

I trust that this information will be helpful to you, but if you are
dissatisfied with the way in which your request has been handled you can
request an internal review within one month of our response and, in the
first instance, you are advised to follow the procedure outlined here:
[1]http://www2.warwick.ac.uk/services/legal...

If you remain dissatisfied with how your request has been handled, you
have a right to appeal to the Information Commissioner at: The Information
Commissioner’s Office, Wycliffe House, Walter Lane, Wilmslow, and
Cheshire, SK9 5AF (0303 123 1113) ([2]https://ico.org.uk/) There is no
charge for making an appeal.

Yours sincerely,

Ian Rowley
Ian Rowley | Director of Reputation and Culture Change
University House | University of Warwick | Coventry | CV4 8UW

 

 

 

References

Visible links
1. http://www2.warwick.ac.uk/services/legal...
2. https://ico.org.uk/

Dear Ian
Thank you for supplying the information pertaining to my FOI request.
Have a great day and stay safe.
Yours sincerely,
Francois Charles