Information Security manuals

The request was partially successful.

Dear Lancashire County Council,

Please supply under the Freedom of Information Act:

1/ The Full LCC Information Security manual.
2/ The Full LCC Information Security policy.
3/ The LCC ISMS Manual Single Volume.
4/ The Full Statement of Applicability re: the above.
5/ A full copy of ISO/IEC 27001: 2005 standard because LCC claims full compliance with this standard.

If LCC requires any clarification under section 1(3) please let me know as quickly as possible. Further I would welcome LCC using the requirements of section 16 FOI if there is any doubt.

Yours faithfully,

Tony Wise

Freedom of Information, Lancashire County Council

2 Attachments

Dear Mr Wise,

 

Further to your email of 1 July, in which you request the disclosure of
documentation regarding Information Security, I am now in a position to
respond.

 

Please find attached a copy of the ISMS Manual Single Volume, as requested
at point 3 of your request.  Please note that this document contains the
Information Security Policy (requested at point 2) and the Statement of
Applicability (requested at point 4).  I have, however, included a
separate standalone copy of the Information Security Policy.

 

Lancashire County Council does not have an Information Security Manual,
though Information Governance is based on a policy framework, comprising a
number of different policies covering all aspects of Information
Governance (such as data protection, web filtering, acceptable use,
records management, information classification, personnel policy, business
continuity, etc.).

 

In terms of point 5, this information is absolutely exempt by virtue of
section 21(1) of the Act, insofar as this information is accessible by
other means.  Copies of International Organization for Standardization
standards can be obtained from their website at:

 

http://www.iso.org/iso/store.htm

 

I trust you find this useful, but in the event that you wish to complain
about the manner in which your enquiry has been handled, you should write
in the first instance to The Freedom of Information Officer, Lancashire
County Council, PO Box 78, County Hall, Preston PR1 8XJ, or email
[Lancashire County Council request email] and the matter will be referred
to the Deputy County Secretary & Solicitor for review and reconsideration.

 

If, after this stage, you remain dissatisfied, you have the right to refer
the matter to the Information Commissioner, whose contact details are as
follows:

 

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113
Email: [email address]
Website: http://www.ico.gov.uk

 

If you have any queries regarding my response, or you require any
additional information, please do not hesitate to contact me.

 

Yours sincerely,

 

Mr M Sayles
Access to Information Manager
Access to Information Team
Lancashire County Council
Tel. 01772 531117
www.lancashire.gov.uk

 

 


Dear Mr Sayles,

Thank you for your very, very prompt and comprehensive response. It was very impressive. But at the same time it is very, very worrying in the context of what is claimed was "detected" in my email manually at LCC in relation to malware that contained life-threatening, fairly obvious, overwhelmingly rubbish and malicious links to dodgy sites. It is also claimed that the malware contained all of the above but still circumvented your comprehensive electronic security systems which constitutes a very, very worrying and risky set of circumstances for your systems and the wider internet.

As the FOI Act is essentially an iterative process I am forced to use the Act again to attempt to cast light on my serious suspicions as to the conduct of LCC.

Yours sincerely,

Tony Wise

Dear Lancashire County Council,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Lancashire County Council's handling of my FOI request 'Information Security manuals'.

There are some vital omissions from your response. Please supply:

1/ The Risk Treatment plan as mentioned throughout the ISMS manual.

AND:

2/ All detail and information pursuant to "Part 4 ISMS records".

The overall response to the statutory section is effectively meaningless if there is no information as to how LCC treats risks or collates ISMS records as at part 4.

A full history of my FOI request and all correspondence is available on the Internet at this address:
http://www.whatdotheyknow.com/request/in...

Yours faithfully,

Tony Wise

Dear Mr Sayles,

The response to this request for a review is quite late. Can I remind you that the ICO states that a response to a request for review should be delivered within 20 working days? That is unless there are exceptional circumstances and the requestor has been informed. Then 40 working days can be allowed. However in this case I have not been informed of anything and over 30 working days have elapsed.

Please respond promptly or I will be forced to complain to the regulatory authorities.

Yours sincerely,

Tony Wise

Young, Ian, Lancashire County Council

Dear Mr Wise,

 

I am writing in response to your e-mail of 12 July in which you request an
internal review of the response that you received to your request
regarding information security manuals.  Please accept my apologies for
the delay in responding.

 

I have considered carefully your original request made on 1 July 2012, the
response provided to you on 3 July and your e-mail of 12 July.

 

In my view the response provided on the 3 July was appropriate as it
satisfied your request for a copy of the County Council's ISMS Manual
Single Volume and other documents.  The Risk Treatment Plan is in fact
contained within the documentation previously supplied (see pages 25 – 27
of the ISMS Manual Single Volume).  In relation to the Part 4 ISMS records
I am informed that this material was never in fact produced, therefore
this information is not held.

 

As previously advised, if you remain dissatisfied you may refer this
matter to the Information Commissioner whose contact details have already
been provided. 

 

Yours sincerely

Ian Young
Deputy County Secretary & Solicitor
Lancashire County Council
Tel 01772 533531
Fax 01772 534702
Email [email address]

 


Dear Young, Ian,

I cannot and never will rely on anything that you or your colleagues say. Consequently I will complain to the ICO. I don't accept your apology because apologies have to be meant. Lancashire County Council regards apologies as an occupational hazard and always carries on making the same "mistakes" no matter how often apologies are offered.

The disgraceful abdication of responsibility in relation to the internal review and the Code of Practice will also be raised.

Yours sincerely,

Tony Wise