Suppliers and Vendors (Cyber)

The request was partially successful.

Dear Heriot-Watt University,

Under the Freedom of Information Act 2000, I write to obtain the following details:

1) Name and role for IT Manager(s) / Officer(s) primarily responsible for cyber security

2) Names of all cyber security providers you work with and buy from

3) Names of all cyber security vendor(s) you use

3b) Renewal date for the above vendor(s)

3c) Cost and duration for the above contract(s)/license(s)

3d) For what purpose do you use the vendor
(E.g. Firewalls E.g.2 Anti-virus E.g.3 Vulnerability scanning)

4) Number of websites owned by the University

Many thanks,
Harry Jones

Freedom Of Information, Heriot-Watt University

Dear applicant


Thank you for your company’s information request dated the 4th September
2017 regarding our cyber security arrangements.  Please note that we are a
Scottish University and so comply with Scottish legislation: the Freedom
of Information (Scotland) Act 2002 and the Procurement (Scotland) Act


We operate a centralised procurement function and details about how to
undertake business with our University can be viewed on our [1]Procurement
pages. In addition, cyber security matters fall within the roles and
responsibilities of the Director of Information Services: Kathy McCabe and
contact details can be viewed on [2]our website.


You then ask information about our cyber security measures. As your
company may appreciate, this is a very sensitive area and we feel the
release of this information could significantly place our University’s IT
systems, and any associated personal/financial information we hold at risk
– particularly placing details of the software, and software providers, on
a public website.  We are therefore exempting the release of the
information under both Section 30(c) would otherwise prejudice
substantially, or be likely to prejudice substantially, the effective
conduct of public affairs; and Section 35 Law enforcement (2)(g) to
protect the property of a charity from loss or mismanagement.


We operate one major website which covers all our international
activities. Our website is easily accessible and is therefore exempt from
release under section 25(1) Accessible other than by request. In addition
there are approximately 70 associated Research-related Group sites.  These
can also be viewed by accessing the research pages on our website.


Please also note that Organisations/companies should consider their
obligations under The [3]Privacy and Electronic Communications (EC
Directive) Regulations 2003 (PECR) if considering using the information
provided for marketing purposes.

Your right to seek review of our decision


If you are not satisfied with our response or our reasoning set out above,
you have forty working days from today in which to request a review of our
decision. Any request should be put in writing and should be sent to Ann
Jones, Head of Heritage and Information Governance, at the address
detailed at the bottom of this email. The request should:


(a) detail your request for a review of our decision to be undertaken;


(b) describe the nature of your original request; and


(c) explain the reasons why you are dissatisfied with our response.


If you remain dissatisfied with how your request for information has been
dealt with, you also have the right to apply to the Scottish Information
Commissioner for a decision as to whether we have handled your request


Information relating to your right to seek review is available from the
Scottish Information Commissioner's web page at:




or by contacting the Scottish Information Commissioner's Office at the
following address:


Scottish Information Commissioner,

Kinburn Castle,

Doubledykes Road,

St Andrews,

Fife KY16 9DS

Telephone: 01334 464610

Fax: 01334 464611

E-mail: [5][email address]  



Finally, should you wish to discuss the contents of this email, please do
not hesitate to contact me


Kind regards





Heriot-Watt University

Governance and Legal Services

Edinburgh Campus


Edinburgh EH14 4AS