Cyber Security

The request was successful.

Dear University of York,

Under the Freedom of Information Act 2000, I write to obtain the following details:

1) Name and role for IT Manager(s) / Officer(s) primarily responsible for cyber security

2) Names of all cyber security providers you work with and buy from

3) Names of all cyber security vendor(s) you use

3b) Renewal date for the above vendor(s)

3c) Cost and duration for the above contract(s)/license(s)

3d) For what purpose do you use the vendor
(E.g. Firewalls E.g.2 Anti-virus E.g.3 Vulnerability scanning E.g.4 PCI)

4) Number of websites & IPs you provide for cyber security testing

Yours faithfully,

Michael Smith

Freedom of Information, University of York

Dear Mr Smith
Freedom of Information Request 
I acknowledge receipt of your email dated 20 September 2017 requesting
information from the University of York.
Please be advised that the University will respond as soon as possible and
in any event by 18 October 2017. 
Yours sincerely, 
Graham Hughes
Information Governance 
Information Services
University of York
Heslington
York YO10 5DD
Web: [1]www.york.ac.uk/records-management/
Email disclaimer: [2]http://www.york.ac.uk/docs/disclaimer/em...

Freedom of Information, University of York

Dear Mr Smith, 
Colleagues have asked me to get in touch with you to request clarification
in relation to your enquiry below. Specifically, they would be grateful if
you could explain what you mean by question 4, Number of websites & IPs
you provide for cyber security testing. 
Please note we will freeze the 20-day timeframe for compliance
until we are in receipt of the clarification needed to process your
request.
I look forward to hearing from you.
Yours sincerely,
Durham Burt
Information Governance Officer 
Information Governance 
Information Services
University of York
Heslington
York YO10 5DD

Dear Freedom of Information,

By Number of Websites and IPs it is meant the number of web targets and infrastructure targets which are currently tested during any current testing methods.

Yours sincerely,

Michael Smith

Freedom of Information, University of York

Dear Mr Smith, 
Thank you for providing clarification. The University will re-open your
request and respond to you as soon as possible and in any event by 17
January 2018. 
Yours sincerely,
Durham Burt
Information Governance Officer 
Information Governance 
Information Services
University of York
Heslington
York YO10 5DD

Freedom of Information, University of York

Dear Mr Smith, 
Thank you for your request for information from the University of York.
Please see our response below.
1. Name and role for IT Manager(s) / Officer(s) primarily responsible for
cyber security

Arthur Clune, Assistant Director of Information Services & Head of IT
Infrastructure. Email: [1][email address]. Telephone: 01904
328470.

2. Names of all cyber security providers you work with and buy from.

We do not use any managed security providers.

3. Names of all cyber security vendor(s) you use

* Bytes-SP. Contract for support of our main campus firewall. Contract
is for five years expiring 16/06/2020

* XYOne. Cyber Security Essentials certification. Next certification
date Dec 2018

* McAfee, AntiVirus Feb 2019

* Tenable. Nessus security scanning. 07/01/2021

* Full Control Networks, network tap. Renews on 22/05/2018

3b. Renewal date for the above vendor(s)

See response provided to 3 above.

3c. Cost and duration for the above contract(s)/license(s)

The University confirms that it holds the spend data requested. However,
the University considers this information to be commercially sensitive and
exempt from disclosure under section 43 (2) of the Freedom of Information
Act, 2000 (FoIA). Section 43 (2) of the FoIA provides an exemption where
disclosure under the Act would, or would be likely to, prejudice the
commercial interests of any person. As section 43 (2) is a qualified
exemption, the University has performed a public interest test and has, on
balance, concluded that release of spend data would prejudice the
commercial interests of the University and the system providers identified
above.

The University recognises that release of the requested information would
serve the public interest by allowing individuals to better understand how
decisions are made and money is spent. In addition, the University
recognises that disclosure would demonstrate a commitment to openness and
accountability and would further understanding of, and participation in,
the debate of current issues such as public authorities behaving in a fair
and impartial way. However, release of the information requested would
significantly weaken our current position by undermining the University’s
ability to compete for resources fairly, negotiate best possible price for
contracts and promote lawful and open competition. There is a strong
public interest in allowing organisations to compete for resources fairly,
without undue advantage or prejudice. For example, if one supplier
acquires information:

* which is not in the public domain, and
* concerns the parameters of competition, and
* reduces or removes uncertainties inherent in the process of
competition,

then that supplier would be likely to have an advantage over potential
competitors, and be able to adjust their own behaviours and commercial
strategies accordingly, to the disadvantage of others and the detriment of
free and fair competition. Such knowledge could, for example, lead to
suppliers’ divorcing current pricing strategies where cost is a principal
driver towards customers’ perceived abilities to pay as the primary
driver. This in turn would, over time, be likely to make it harder for
customers to take advantage of lower supplier costs. Conversely, knowledge
of actual spend would be likely to increase the temptation for suppliers
to attempt to undercut rivals in an unsustainable manner, thus leading to
a fractured and unhealthy market. Consequently, the integrity of the
procurement process would be undermined and the University’s ability to
negotiate best possible price weakened.

3d. For what purpose do you use the vendor (E.g. Firewalls E.g.2
Anti-virus E.g.3 Vulnerability scanning E.g.4 PCI)

See response provided to 3 above.

4. Number of websites & IPs you provide for cyber security testing

The University has a /16 netblock, which is fairly full and uses private
IP addresses for wireless and some parts of the wired network. We have
~20,000 devices on the network at any one time and all may be scanned for
security testing.

If you are dissatisfied with the handling of your request, you have the
right to ask for an internal review. Internal review requests should be
submitted in writing to the Information Governance Officer
at [2][University of York request email], detailing your grounds for appeal/complaint. A full
copy of our review procedure can be found
at [3]http://www.york.ac.uk/records-management...
If you are not content with the outcome of the internal review, you have
the right to apply directly to the Information Commissioner for a
decision. The Information Commissioner can be contacted at: Information
Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9
5AF.
Yours sincerely,
Durham Burt
Information Governance Officer
Information Governance 
Information Services
University of York
Heslington
York YO10 5DD