Supply chain

The request was partially successful.

Dear Northumberland County Council,

Has your organisation ever suffered a cyber security incident through a third-party provider; that is, an attack which infiltrated your IT systems through an outside partner, provider or vendor?
- Yes
- No

If yes, did this occur within the last 12 months?
- Yes
- No

Do you have a list of all the third parties that your organisation shares sensitive data with?
- Yes
- No

In terms of cyber security governance processes, do you have clear criteria that third parties - suppliers or those in which there are dependencies within the supply chain - must comply with in order to do business with them?
- Yes
- No

If Yes, please indicate all that apply:
- Suppliers must assure their cyber security against the HMG Cyber Security Standard
- Suppliers must demonstrate that they hold a valid Cyber Essentials Certificate.
- Suppliers must demonstrate compliance with the Payment Card Industry (PCI) DSS standard
- Other: please indicate:

How often do you reassess third party or suppliers’ security measures to ensure they still meet the minimum criteria?
- At least every 12 months
- At least every 2 years
- More than every 2 years.
- We don’t reassess

Have you revisited these requirements to ensure compliance with the General Data Protection Regulation (GDPR)?
- Yes
- No

Do you have policies in place for privileged access management?
- Yes
- No

Thank you for your time.

Yours faithfully,

Gabby Dunne

Northumberland County Council


Our Ref: 5192  

Dear Enquirer,

INFORMATION REQUEST

Thank you for your request for information which will be dealt with under
the terms of the Freedom of Information Act 2000 / Environmental
Information Regulations 2004.

In some circumstances a fee may be payable and if that is the case, we
will let you know the likely charges before proceeding.

If you have any queries about this matter please contact us. Please
remember to quote the reference number above in any future communications.

Kind regards

Information Governance Office
Northumberland County Council
County Hall
Morpeth
Northumberland
NE61 2EF

Tel: 0345 600 6400
Email: [Northumberland County Council request email]
Web: http://www.northumberland.gov.uk

Northumberland County Council


Our Ref: 5192   

Dear Enquirer,

FREEDOM OF INFORMATION ACT REQUEST 

I refer to your Freedom of Information request in relation to cyber
security incidents through third-party providers.

Right of Access 

Section 1(1) of the Act provides that any person making a request for
information to a public authority is entitled:

(a) to be informed in writing by the public authority whether it holds
information of the description specified in the request (which Section
1(6) of the Act designates as the "duty to confirm or deny"), and 

(b) if that is the case, to have that information communicated to him. 

The right is to obtain access to the information itself and not to the
document or record which contains it. 

The Act creates a general right of access to information held by public
authorities subject to various exemptions. 

Northumberland County Council confirms that it holds the information you
have requested, please see the following information in response. 

1. Has your organisation ever suffered a cyber security incident through a
third-party provider; that is, an attack which infiltrated your IT systems
through an outside partner, provider or vendor? 

The above information is not provided pursuant to Section 31(1)(a) of
the Freedom of Information Act 2000.

2. Do you have a list of all the third parties that your organisation
shares sensitive data with? 
Suppliers only have access to our systems via a secure virtual login
(SSLVPN).  

All suppliers are asked to sign our 'Code of Connection' document before
any access is provided.  

Main 3rd parties (suppliers):
Liquid Logic
Capita
Northgate
Tribal

3. In terms of cyber security governance processes, do you have clear
criteria that third parties - suppliers or those in which there are
dependencies within the supply chain - must comply with in order to do
business with them? 
We require suppliers to adhere to the industry standards appropriate to
the field in question, e.g. ISO 27001.

Suppliers of payment systems must adhere to PCI standards.


4. How often do you reassess third party or suppliers’ security measures
to ensure they still meet the minimum criteria? 
Reassessment is done at contract renewal so times can vary.

5. Have you revisited these requirements to ensure compliance with the
General Data Protection Regulation (GDPR)? 
- Yes 

6. Do you have policies in place for privileged access management? 
- Yes - Provided on the link below.

Please note: This is the current approved policy. However we are aware
this is outdated in places and will be publishing the updated version in
the new year.

[1]https://www.northumberland.gov.uk/Northu...

Duty to confirm or deny 

We hold the information you requested. However, we are withholding that
information since we consider that the exemption under Section 31(1)(a)
applies. 

We consider that the public interest in maintaining the exemption
outweighs the public interest in disclosing the information. 

Exemptions 

The Freedom of Information Act sets out various exemptions to the right of
access. 

In the present case the County Council takes the view that the information
relating to your request is exempt under the following provisions; 

31 Law enforcement. 

(1) Information which is not exempt information by virtue of section 30 is
exempt information if its disclosure under this Act would, or would be
likely to, prejudice— 

(a) the prevention or detection of crime, 
(b) the apprehension or prosecution of offenders, 
(c) the administration of justice, 
(d) the assessment or collection of any tax or duty or of any imposition
of a similar nature, 
(e) the operation of the immigration controls, 
(f) the maintenance of security and good order in prisons or in other
institutions where persons are lawfully detained, 
(g) the exercise by any public authority of its functions for any of the
purposes specified in subsection (2), 
(h) any civil proceedings which are brought by or on behalf of a public
authority and arise out of an investigation conducted, for any of the
purposes specified in subsection (2), by or on behalf of the authority by
virtue of Her Majesty's prerogative or by virtue of powers conferred by or
under an enactment, or 
(i) any inquiry held under the Fatal Accidents and Sudden Deaths Inquiries
(Scotland) Act 1976 to the extent that the inquiry arises out of an
investigation conducted, for any of the purposes specified in subsection
(2), by or on behalf of the authority by virtue of Her Majesty’s
prerogative or by virtue of powers conferred by or under an enactment. 

(2) The purposes referred to in subsection (1)(g) to (i) are— 

(a) the purpose of ascertaining whether any person has failed to comply
with the law, 
(b) the purpose of ascertaining whether any person is responsible for any
conduct which is improper, 
(c) the purpose of ascertaining whether circumstances which would justify
regulatory action in pursuance of any enactment exist or may arise, 
(d) the purpose of ascertaining a person’s fitness or competence in
relation to the management of bodies corporate or in relation to any
profession or other activity which he is, or seeks to become, authorised
to carry on, 
(e) the purpose of ascertaining the cause of an accident, 
(f) the purpose of protecting charities against misconduct or
mismanagement (whether by trustees or other persons) in their
administration, 
(g) the purpose of protecting the property of charities from loss or
misapplication, 
(h) the purpose of recovering the property of charities, 
(i) the purpose of securing the health, safety and welfare of persons at
work, and 
(j) the purpose of protecting persons other than persons at work against
risk to health or safety arising out of or in connection with the actions
of persons at work. 

(3) The duty to confirm or deny does not arise if, or to the extent that,
compliance with section 1(1)(a) would, or would be likely to, prejudice
any of the matters mentioned in subsection (1). 

Notice of Refusal 

Please treat this letter as a Notice of Refusal as regards the information
covered by the Section 31 Exemption. 

Advice and Assistance 

The County Council recognises its statutory duty to provide advice and
assistance under Section 16 of the Act. 

Subject to the provisions of the Freedom of Information Act, the Council
is seeking to be transparent and open in its response. 

Complaints 

If you are unhappy with the way your request for information has been
handled, you can request an internal review by writing within 2 months
from the date of this response to the Information Governance Office: 

Information Governance Office
Northumberland County Council
County Hall
Morpeth
NE61 2EF 

Email: [2][Northumberland County Council request email] 

Information Commissioner 

If you remain dissatisfied with the handling of your request, you have a
right by Section 50 of the Act to apply to the Information Commissioner
for a decision as to whether your request has been dealt with in
accordance with the requirements of the Act at: 

The Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire 
SK9 5AF 

Tel: 01625 545 745
Email: [3][email address]

There is no charge for making an appeal. 

Yours sincerely 

FOI Coordinator - Corporate Resources
Information Governance Office
Northumberland County Council
County Hall
Morpeth
Northumberland
NE61 2EF

Tel: 0345 600 6400
Email: [4][Northumberland County Council request email] 
Web: [5]http://www.northumberland.gov.uk 

References

Visible links
1. http://track.vuelio.uk.com/z.z?l=aHR0cHM...
2. mailto:[Northumberland County Council request email]
3. mailto:[email address]
4. mailto:[Northumberland County Council request email]
5. http://track.vuelio.uk.com/z.z?l=aHR0cDo...