Information Technology Request

The request was successful.

Dear Argyll and Bute Council,

I am writing to make an open government request for all the information to which I am entitled under the Freedom of Information Act 2000.

Please forward responses to the attached questions below.

I would like the above information to be provided to me as an electronic document.
If this request is too wide or unclear, I would be grateful if you could contact me as I understand that under the Act, you are required to advise and assist requesters. If any of this information is already in the public domain, please can you direct me to it, with page references and URLs if necessary.

If the release of any of this information is prohibited on the grounds of breach of confidence, I ask that you supply me with copies of the confidentiality agreement and remind you that information should not be treated as confidential if such an agreement has not been signed.
I understand that you are required to respond to my request within the 20 working days after you receive this letter. I would be grateful if you could confirm in writing that you have received this request.

I look forward to hearing from you.

Yours faithfully,

Gloria Zimba.

1. Do you have a formal IT security strategy? (Please provide a link to the strategy)

A) Yes
B) No

2. Does this strategy specifically address the monitoring of network attached device configurations to identify any malicious or non-malicious change to the device configuration?

A) Yes
B) No
C) Don’t know

3. If yes to Question 2, how do you manage this identification process – is it:

A) Totally automated – all configuration changes are identified and flagged without manual intervention.
B) Semi-automated – it’s a mixture of manual processes and tools that help track and identify configuration changes.
C) Mainly manual – most elements of the identification of configuration changes are manual.

4. Have you ever encountered a situation where user services have been disrupted due to an accidental/non malicious change that had been made to a device configuration?

A) Yes
B) No
C) Don’t know

5. If a piece of malware was maliciously uploaded to a device on your network, how quickly do you think it would be identified and isolated?

A) Immediately
B) Within days
C) Within weeks
D) Not sure

6. How many devices do you have attached to your network that require monitoring?

A) Physical Servers: record number
B) PC’s & Notebooks: record number

7. Have you ever discovered devices attached to the network that you weren’t previously aware of?

A) Yes
B) No

If yes, how do you manage this identification process – is it:

A) Totally automated – all device configuration changes are identified and flagged without manual intervention.
B) Semi-automated – it’s a mixture of manual processes and tools that help track and identify unplanned device configuration changes.
C) Mainly manual – most elements of the identification of unexpected device configuration changes are manual.

8. How many physical devices (IP’s) do you have attached to your network that require monitoring for configuration vulnerabilities?

Record Number:

9. Have you suffered any external security attacks that have used malware on a network attached device to help breach your security measures?

A) Never
B) Not in the last 1-12 months
C) Not in the last 12-36 months

10. Have you ever experienced service disruption to users due to an accidental, non-malicious change being made to device configurations?

A) Never
B) Not in the last 1-12 months
C) Not in the last 12-36 months

11. When a scheduled audit takes place for the likes of PSN or Cyber Essentials, how likely are you to get significant numbers of audit fails relating to the status of the IT infrastructure?

A) Never
B) Occasionally
C) Frequently
D) Always

foi, Argyll and Bute Council

Thank you for your email to Argyll and Bute Council in relation to Freedom
of Information Requests. We will endeavour to respond to your email as
soon as possible.
Many Thanks

══════════════════════════════════════════════════════════════════════════

Argyll and Bute Council classify the sensitivity of emails according to
the Government Security Classifications.

Privileged/Confidential Information may be contained in this message. If
you are not the addressee indicated in this message (or responsible for
delivery of the message to such person), you may not disclose, copy or
deliver this message to anyone and any action taken or omitted to be taken
in reliance on it, is prohibited and may be unlawful.

In such case, you should destroy this message and kindly notify the sender
by reply email. Opinions, conclusions and other information in this
message that do not relate to the official business of Argyll and Bute
Council shall be understood as neither given nor endorsed by it.

All communications sent to or from Argyll and Bute Council may be subject
to recording and/or monitoring in accordance with relevant legislation.

This email has been scanned for viruses, vandals and malicious content.

Administrator,


Dear Gloria Zimba

Request for information: IT Security

Thank you for your information request which we have logged as reference
argyllbuteir:13538.

It has been passed to the relevant service(s) for attention and you should
receive a response under either the Freedom of Information (Scot) Act 2002
or the Environmental Information (Scotland) Regulations 2004 by 2021-12-24
00:00:00. We hope to respond within this timescale but, due to the
staffing/capacity issues with COVID-19, some requests may take little
longer.

Please quote the reference number above in any correspondence you may have
with the Council in regard to this request.

Regards

FOI Officer

Privacy information: Any personal information you have provided in
relation to this request will be used only for the intended purpose -
please read the full privacy notice to find out more about how your
personal information will be handled, and your rights under data
protection legislation.

MacVicar, Rachel, Argyll and Bute Council

1 Attachment

Classification: OFFICIAL

Dear Gloria Zimba

 

Request for information: IT Security

Reference: argyllbuteir:13538.

 

I refer to your request for information which was dealt with in terms of
the Freedom of Information (Scotland) Act 2002 (FOISA).

 

I have provided the following information in regard to your request:

 

1.      Do you have a formal IT security strategy? (Please provide a link
to the strategy)

 

Response: We do not publish information regarding our IT Security setup. 
We have an Acceptable Use Policy for staff containing relevant security
policy information
[1]https://www.argyll-bute.gov.uk/moderngov...

 

 

2.      Does this strategy specifically address the monitoring of network
attached device configurations to identify any malicious or non-malicious
change to the device configuration?

 

Response: Information Withheld

 

 

3.      If yes to Question 2, how do you manage this identification
process – is it:

 

Response: Information Withheld

 

4.      Have you ever encountered a situation where user services have
been disrupted due to an accidental/non malicious change that had been
made to a device configuration?

 

Response: Yes

 

5.      If a piece of malware was maliciously uploaded to a device on your
network, how quickly do you think it would be identified and isolated?

 

Response: Information Withheld

 

6.      How many devices do you have attached to your network that require
monitoring?

 

Response: Information Withheld

 

7.      Have you ever discovered devices attached to the network that you
weren’t previously aware of?

 

Response: Not Applicable

 

8.      How many physical devices (IP’s) do you have attached to your
network that require monitoring for configuration vulnerabilities?

 

Response: Information Withheld

 

9.      Have you suffered any external security attacks that have used
malware on a network attached device to help breach your security
measures?

 

Response: Information Withheld

 

10.     Have you ever experienced service disruption to users due to an
accidental, non-malicious change being made to device configurations?

 

Response: None of the above

 

11.     When a scheduled audit takes place for the likes of PSN or Cyber
Essentials, how likely are you to get significant numbers of audit fails
relating to the status of the IT infrastructure?

 

Response: Information Withheld

 

I have refused your request for questions 2,3,5,6,8,9, and 11 regarding
our IT security processes under section 30(c) of FOISA, which states that
information is exempt information if its disclosure would otherwise
prejudice substantially or be likely to prejudice substantially, the
effective conduct of public affairs. The Council’s position in regard to
these parts of your request is that the release of this information into
the public domain, would in our view be likely to compromise the Council’s
effective operation of its IT security, as it would allow a determined
individual to target attacks on our systems more precisely and effectively
and the disruption to our IT systems as a result of a successful attack,
would limit the Council’s ability to conduct its business effectively. In
terms of the Data Protection Act 1998, the Council must take measures to
ensure the integrity and security of its IT system and to release the
information you have requested to the public at large, as we would be
doing be releasing it to you, would be counteractive to the obligation
placed on the Council by the 1998 Act.

 

 

If you are dissatisfied with the way in which your request for information
has been dealt with you are entitled to request a review by writing to the
Executive Director Customer Services, Argyll and Bute Council, Kilmory,
Lochgilphead, Argyll PA31 8RT, or by email to [Argyll and Bute Council request email].

 

Your request for review must state your name and address for
correspondence, specify the request for information to which your request
for review relates and why you are dissatisfied with the response.

 

You must make your request for review not later than 40 working days after
the expiry of the 20 working day period for response to your initial
request by the Council, or not later than 40 working days after the
receipt by you of the information provided, any fees notice issued or any
notification of refusal or partial refusal.

 

If you make an application for review and remain dissatisfied with the way
in which the review has been dealt with you are entitled to make an
application to the Scottish Information Commissioner, Kinburn Castle,
Doubledykes Road, St Andrews, Fife KY16 9DS (Tel: 01334 464610) for a
further review. You can now do this online here -
www.itspublicknowledge.info/Appeal.

 

You must make representation to the Scottish Information Commissioner no
later than 6 months after the date of receipt by you of the notice or
decision you are dissatisfied with or within 6 months of the expiry of the
period of 20 working days from receipt by the Council of your request for
review.

 

 

Yours sincerely

 

Rachel MacVicar

 

Rachel MacVicar
Personal Assistant to Jane Fowler,
Head of Customer Support Service
Telephone: 01546 604036
Email: [2][email address]
Website: [3]www.argyll-bute.gov.uk

 

[4]roundel_fc_cmyk_with_initials_signature_0_0

 

══════════════════════════════════════════════════════════════════════════

Argyll and Bute Council classify the sensitivity of emails according to
the Government Security Classifications.

Privileged/Confidential Information may be contained in this message. If
you are not the addressee indicated in this message (or responsible for
delivery of the message to such person), you may not disclose, copy or
deliver this message to anyone and any action taken or omitted to be taken
in reliance on it, is prohibited and may be unlawful.

In such case, you should destroy this message and kindly notify the sender
by reply email. Opinions, conclusions and other information in this
message that do not relate to the official business of Argyll and Bute
Council shall be understood as neither given nor endorsed by it.

All communications sent to or from Argyll and Bute Council may be subject
to recording and/or monitoring in accordance with relevant legislation.

This email has been scanned for viruses, vandals and malicious content.

References

Visible links
1. https://www.argyll-bute.gov.uk/moderngov...
2. mailto:[email address]
3. http://www.argyll-bute.gov.uk/