When was SAP last formally security assessed?

The request was partially successful.

Dear Avon and Somerset Constabulary,

"I can confirm that this information is not held by the Home Office.

The UK police forces are subject to local assessment in accordance with the ACPO Community Security Police and HMG Security Policy (see links below)"

http://www.acpo.police.uk/documents/info...

https://www.gov.uk/government/uploads/sy...

Q1a. When was SAP last formally security assessed?

Q1b. What policy standards or frameworks were utilised for the last security assessment for SAP? If either or both of the above ACPO and HMG security standards were not utilised, then what security standard was used and who authorised the alternative security assessment used?

Q1c. Was SAP independently security assessed? If so, who carried out the formal SAP security assessment (name of audit body/organisation/consultant etc)? If not, what internal security assessment arrangements were used and how were IBM/SW1 security responses assured?

Q1d. What was the outcome of the last SAP security assessment (i.e. full assurance, partial assurance, no assurance/fail etc)? Please disclose a copy of the last SAP security assurance report[s].

Q1e. Which Constabulary and/or Police and Crime Commissioner and/or Police and Crime Panel committee had oversight of the SAP security assessment[s]? Please disclose the relevant committee reports and meeting outcomes.

Yours faithfully,

Dave Orr

#Freedom of Information Requests, Avon and Somerset Constabulary

Corporate Information Management Department
Force Headquarters, PO Box 37, Valley Road,
Portishead, Bristol, BS20 8QJ
Facsimile 01275 814667

Private
Our Reference: 1105/13
Mr Dave Orr
Your reference: [FOI #189008 email]
Date: 12 December 2013

Dear Mr Orr

I write in connection with your request for information dated 11th December relating to security assessments. This request will be dealt with under the terms of the Freedom of Information Act 2000.

Your request will now be considered and you will receive a response within the statutory timescale of 20 working days as defined by the Act. In some circumstances Avon and Somerset Constabulary may be unable to achieve this deadline if consideration needs to be given to the public interest test. If this is likely you will be informed and given a revised time-scale at the earliest opportunity.

Yours sincerely,

C Quartey

Freedom of Information Officer
Corporate Information Management Department

Please note:

1. Requests and responses may be published on Avon and Somerset Constabulary’s website (within 24 hours), some of which may contain a link to additional information, which may provide you with further clarification.

2. Whilst we may verbally discuss your request with you in order to seek clarification, all other communication should be made in writing.

3. Avon and Somerset Constabulary provides you with the right to request a re-examination of your case under its review procedure.

#Freedom of Information Requests, Avon and Somerset Constabulary

Corporate Information Management Department
Force Headquarters, PO Box 37, Valley Road,
Portishead, Bristol, BS20 8QJ
Facsimile 01275 814667

Private
Our Reference: 1105/13
Mr Dave Orr
Your reference: [FOI #189008 email]
Date: 13th January 2014

Dear Mr Orr

I write in connection with your request for information dated 11th December concerning SAP security assessments.

Currently the 20 day period has not passed as our initial 20 day deadline to respond is 14th January; however I regret to inform you that Avon and Somerset Constabulary will not be able to complete its response to your request by this date.

I now advise you that the amended date for a response is 11th February. This is due to consideration being given to the application of a qualified exemption, concerning law enforcement, and as such will require further consideration regarding the public interest test. I can assure you that every effort will be made to ensure an appropriate response will be made within this new timescale.

May I apologise for any inconvenience caused.

Yours sincerely

Freedom of Information Officer
Corporate Information Management Department

Please note:

1. Requests and responses may be published on Avon and Somerset Constabulary’s website (within 24 hours), some of which may contain a link to additional information, which may provide you with further clarification.

2. Whilst we may verbally discuss your request with you in order to seek clarification, all other communication should be made in writing.

3. Avon and Somerset Constabulary provides you with the right to request a re-examination of your case under its review procedure.

Tom Hodder left an annotation

Given what SAP is used for inside A&S, I'd struggle to see how they'll apply the exemptions they suggest....

Dave Orr left an annotation

Tom - I agree.

The original (un-redacted) shared SAP security report is here:

http://www.liddellgrainger.org.uk/images...

Avon & Som Police (is that with IBM/SW1 support?) appear to have "persuaded" Somerset County Council (SCC) into a heavy redaction of the original SAP security report - re-posted by SCC here:

http://www1.somerset.gov.uk/council/boar...

Even the Grant Thornton Report's Section 3 generic advice on strong and regularly changed passwords has been redacted! Surely, that cannot be justified - is it more to do with embarrassment rather than genuine security threat?

Is the application of a possible law enforcement exemption a delaying tactic? Are Avon & Som Police taking external legal advice during the delay??

The ICO guidance agrees too:

http://ico.org.uk/~/media/documents/libr...

http://www.justice.gov.uk/downloads/info...

#Freedom of Information Requests, Avon and Somerset Constabulary

Corporate Information Management Department
Force Headquarters, PO Box 37, Valley Road,
Portishead, Bristol, BS20 8QJ
Facsimile 01275 814667
Email [email address]

Private
Our Reference: 1105/13
Mr David Orr
Your reference: [FOI #189008 email]
Date: 11 February 2014

Dear Mr Orr

Due to the size of the report we are unable to send it electronically. Would you please provide a correspondence address so that we can post the document to you. Please feel free to contact us directly to keep your address private.

Yours sincerely

C Quartey

Freedom of Information Officer
Corporate Information Management Department

Dear #Freedom of Information Requests,

Can I have a phone contact number please.

Yours sincerely,

Dave Orr

#Freedom of Information Requests, Avon and Somerset Constabulary

Dear Mr Orr,

Thank you for your email.

Should you require to speak to one of us, please call 101 and ask for the Freedom of Information Department.

Kind regards,

Freedom of Information Officer
Corporate Information Management


Tom Hodder left an annotation

101 won't be much use if Dave isn't inside the A&S area...

Dave Orr left an annotation

Hi Tom.

I do live in the ASC area, so 101 fine.

I wanted the report disclosed electronically as I have fibre high-speed broadband but was told the report is 700 pages long!

Coming by post.

Thanks for your interest and support.

Dear #Freedom of Information Requests,

Please post to this site the text from the three page covering letter which answers the specific FOI questions posed above.

The letter dated 11 Feb 2014 on Ref 1105/13 starts:

Dear Mr Orr

I write in connection with your request for information dated 11th December concerning SAP. Specifically you asked:

Q1a. When was SAP last formally security assessed?

SAP has not been assessed since it was first introduced.............

======================================================

I can also confirm receipt of a box of original IBM bid documents for the SAP implementation from 2008/09.

======================================================

Yours sincerely,

Dave Orr

Dear #Freedom of Information Requests,

POLITE REMINDER FOR OUTSTANDING ACTION:

Please post to this site the text from the three page covering letter which answers the specific FOI questions posed above.

The letter dated 11 Feb 2014 on Ref 1105/13 starts:

Dear Mr Orr

I write in connection with your request for information dated 11th December concerning SAP. Specifically you asked:

Q1a. When was SAP last formally security assessed?

SAP has not been assessed since it was first introduced.............

Yours sincerely,

Dave Orr

#Freedom of Information Requests, Avon and Somerset Constabulary

Mr Orr,

The letter was posted to this site on 11.02.14 although it does not appear to be shown there. Please find the letter below.

Kind regards

FOI Officer

Corporate Information Management Department
Force Headquarters, PO Box 37, Valley Road,
Portishead, Bristol, BS20 8QJ
Facsimile 01275 814667
Email [email address]

Private
Our Reference: 1105/13
Mr David Orr
Your reference: [FOI #189008 email]
Date: 11 February 2014

Dear Mr Orr

I write in connection with your request for information dated 11th December concerning SAP. Specifically you asked:

Q1a. When was SAP last formally security assessed?

SAP has not been assessed since it was first introduced. We re-accredit internal systems on a risk basis taking into account the content of the system, the number of incidents concerning the system (including misuse, wrongful disclosure and unauthorised access) and where the system sits in relation to our network and external connections. SAP has been considered a low risk.

Q1b. What policy standards or frameworks were utilised for the last security assessment for SAP? If either or both of the above ACPO and HMG security standards were not utilised, then what security standard was used and who authorised the alternative security assessment used?

When SAP was assessed HMG Security Standards IS1 and IS2 which were applicable at that time were used. These standards have been amended since then.

Q1c. Was SAP independently security assessed? If so, who carried out the formal SAP security assessment (name of audit body/organisation/consultant etc.)? If not, what internal security assessment arrangements were used and how were IBM/SW1 security responses assured?

This was an internal assessment by an IBM CLAS consultant using HMG standards relevant at the time.

Q1d. What was the outcome of the last SAP security assessment (i.e. full assurance, partial assurance, no assurance/fail etc.)?

SAP was assessed as being suitable to use for the purpose it was purchased, or amendments would have been made at the time.

Please disclose a copy of the last SAP security assurance report[s].

Some redactions have been made concerning personal details of individuals who would not have an expectation that their information would become public. The exemption applicable to the information is Section 40(2), third party personal information; this is an Absolute exemption. Any information to which a request relates is exempt if it constitutes personal data of which the applicant is not the data subject and if disclosure of that information to a member of the public would contravene any of the principles of the 1998 Data Protection Act. In this particular case, disclosure of this information would contravene Principles 1 and 2 of the Act, whereby personal data shall be processed fairly and lawfully and only obtained for one or more specified purpose or purposes. Some entries relate to other staff members for reference and do not meet the criteria for this request; therefore these details have also been redacted.

In addition some entries have been redacted as they relate to information concerning law enforcement (section 31). Section 31 is a qualified and prejudice-based exemption, which means there is a requirement to identify and evidence the harm that would be caused by disclosure and consideration given to the public interest.

Harm

Although SAP is a back office system, information contained within the report relates to the constabulary’s IT system as a whole. There are concerns associated with the disclosure of sensitive information that could adversely affect law enforcement. Certain information if released could help facilitate a breach of security by a third party. This information could be used by a hacker to gain access to our information if they were to penetrate our network. It could lead to the identification of sensitive personal information of people that have come to police notice, or have an adverse effect on a policing operation. Subsequently this will impact on our ability to effectively police the communities we serve affecting public safety.

Public Interest test

Section 31 considerations

Factors favouring disclosure:

Disclosure of this information could aid public debate and awareness of the technology we employ.

Factors favouring non-disclosure:

Disclosure of IP addresses and other such information could assist the criminal fraternity to breach our systems, potentially hack into the systems, retrieve information, damage information, or infect our systems with a virus. Therefore, identifying specific information in respect of the Constabulary's IT systems would enable a third party to exploit any potential vulnerability within those systems. To police our communities effectively we are reliant on the information and systems we use. Should a breach of security be successful this will impact on our ability to enforce law. Policing is largely intelligence led; if this information was infected or infiltrated this would impact negatively on victims of crime, and detection rates would decrease.

Balance test

When balancing the public interest we have to consider whether the information should be released into the public domain. Arguments need to be weighed against each other.

Disclosure of this information, whilst acknowledged would aid public debate, would also have a negative effect on law enforcement. Our systems and information are invaluable to uphold the law, and any breach could have severe consequences especially with regard to sensitive information. This would have a negative impact on our service and the public.

After weighing up the competing interests, I believe the damage incurred by release of this information, including information being damaged or destroyed, would adversely affect public safety, and subsequently have negative financial implications ultimately affecting the public. I have determined that the disclosure of the above information would not be in the public interest. In accordance with the Act, this letter represents a Refusal Notice for this specific information.

Q1e. Which Constabulary and/or Police and Crime Commissioner and/or Police and Crime Panel committee had oversight of the SAP security assessment[s]? Please disclose the relevant committee reports and meeting outcomes.

This would have been the Police Security Management Board, which has since become the Strategic Information Management Board. No reports or minutes from these meetings are held.

Yours sincerely

C Quartey

Freedom of Information Officer
Corporate Information Management Department

Please note:

1. Requests and responses may be published on Avon and Somerset Constabulary’s website (within 24 hours), some of which may contain a link to additional information, which may provide you with further clarification.

2. Whilst we may verbally discuss your request with you in order to seek clarification, all other communication should be made in writing.

3. Avon and Somerset Constabulary provides you with the right to request a re-examination of your case under its review procedure (copy attached).

Tom Hodder left an annotation

eh.

"SAP has been considered
a low risk."

then they claim the damage to law enforcement exception......

mind boggles.