Information Technology Request

The request was partially successful.

Dear Durham County Council,

I am writing to make an open government request for all the information to which I am entitled under the Freedom of Information Act 2000.

Please forward responses to the attached questions below.

I would like the above information to be provided to me as an electronic document.
If this request is too wide or unclear, I would be grateful if you could contact me as I understand that under the Act, you are required to advise and assist requesters. If any of this information is already in the public domain, please can you direct me to it, with page references and URLs if necessary.

If the release of any of this information is prohibited on the grounds of breach of confidence, I ask that you supply me with copies of the confidentiality agreement and remind you that information should not be treated as confidential if such an agreement has not been signed.
I understand that you are required to respond to my request within the 20 working days after you receive this letter. I would be grateful if you could confirm in writing that you have received this request.

I look forward to hearing from you.

Yours faithfully,

Gloria Zimba.

1. Do you have a formal IT security strategy? (Please provide a link to the strategy)

A) Yes
B) No

2. Does this strategy specifically address the monitoring of network attached device configurations to identify any malicious or non-malicious change to the device configuration?

A) Yes
B) No
C) Don’t know

3. If yes to Question 2, how do you manage this identification process – is it:

A) Totally automated – all configuration changes are identified and flagged without manual intervention.
B) Semi-automated – it’s a mixture of manual processes and tools that help track and identify configuration changes.
C) Mainly manual – most elements of the identification of configuration changes are manual.

4. Have you ever encountered a situation where user services have been disrupted due to an accidental/non malicious change that had been made to a device configuration?

A) Yes
B) No
C) Don’t know

5. If a piece of malware was maliciously uploaded to a device on your network, how quickly do you think it would be identified and isolated?

A) Immediately
B) Within days
C) Within weeks
D) Not sure

6. How many devices do you have attached to your network that require monitoring?

A) Physical Servers: record number
B) PC’s & Notebooks: record number

7. Have you ever discovered devices attached to the network that you weren’t previously aware of?

A) Yes
B) No

If yes, how do you manage this identification process – is it:

A) Totally automated – all device configuration changes are identified and flagged without manual intervention.
B) Semi-automated – it’s a mixture of manual processes and tools that help track and identify unplanned device configuration changes.
C) Mainly manual – most elements of the identification of unexpected device configuration changes are manual.

8. How many physical devices (IP’s) do you have attached to your network that require monitoring for configuration vulnerabilities?

Record Number:

9. Have you suffered any external security attacks that have used malware on a network attached device to help breach your security measures?

A) Never
B) Not in the last 1-12 months
C) Not in the last 12-36 months

10. Have you ever experienced service disruption to users due to an accidental, non-malicious change being made to device configurations?

A) Never
B) Not in the last 1-12 months
C) Not in the last 12-36 months

11. When a scheduled audit takes place for the likes of PSN or Cyber Essentials, how likely are you to get significant numbers of audit fails relating to the status of the IT infrastructure?

A) Never
B) Occasionally
C) Frequently
D) Always

Dear Gloria Zimba
 
Request for Information
 

**Coronavirus update** During the pandemic, please be aware that our
response times for information requests might be longer as the
organisation responds to the changed situation. Please bear with us at
this critical time as we work to meet your request.

 
Thank you for your request received on 15 December 2021. This
correspondence is our acknowledgement of your request. Please note the
reference number and refer to it in any future correspondence.

Depending on the type of request, it will be handled under the Freedom of
Information Act 2000, the Environmental Information Regulations 2004, or
the Data Protection Act (DPA).

For Freedom of Information Act 2000 or Environmental Information
Regulations 2004, the statutory deadline is 20 working days. However, in
some cases, for Environmental Information Regulations 2004 the deadline
may be extended to 40 working days. If this is the case, we will write to
explain that to you.

For the DPA, the statutory deadline is one month. However, in some cases
the deadline can be extended. If this is the case, we will write to you
and explain why we are extending the deadline.

If you combine a FOI/EIR request with a DPA request, we will log each as a
separate request.

If we hold this information, we will let you know and in most cases supply
it to you.  You may request a particular format for receiving the
information and we will do our best to accommodate. In most cases, we will
respond by email or letter in 12 point Arial font.  If you have a
particular need to receive the material in a different format, please let
us know.

If you make a DPA request electronically, we will respond electronically.

In some cases, the information you request will be exempt from disclosure.
What this means is that the legislation allows the Council to refuse to
provide the information. Where this occurs, we will tell you the reasons
why and we will explain how to appeal that decision.

If your request refers to a third party, then they may be consulted about
disclosing the information before we decide whether to release the
information to you.  For example, if someone asks about a contract with a
supplier, we will contact the supplier to consider their views about
disclosing the information.

In some cases, we may require a payment to cover photocopying, postage, or
other production costs on requests that require large amounts of
photocopying. However, we will discuss this with you and look for ways to
provide the information in electronic formats if possible.  If a payment
is required, it must be provided before we can send you the information. 
If a payment is required, the 20 working day time limit for responses is
suspended until the payment is received.

We may also need to contact you to clarify your request. We are obliged to
do this under s.16 of the FOIA, which refers to the duty to provide advice
and assistance to applicants. When we ask to clarify your request, the 20
working day countdown stops until we hear back from you. If you have not
contacted us about the request within 30 calendar days, we will close it.

Please note that your request and our response may be put on the Council’s
disclosure log. What this means is that we keep a log of all the requests
and responses if anyone wants to look at them. When we put the request and
response on the log, we remove the applicant’s name and any personal
references. In any case, where personal information remains, it will be
done in accordance with the Data Protection Act (DPA).

Please note that DPA request do not have a disclosure log. They are never
placed in the public domain.

If you have any questions or need further information, then please
contact:
 
The Information Management Team
Durham County Council
Assistant Chief Executive’s Office
Room 4/140
County Hall
Durham
DH1 5UF
Email: [email address]
 
 

Further information is also available from the Information Commissioner
at:
 
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
 
Telephone: 0303 123 1113 
Fax: 01625 524 510
Email: [email address]
www.informationcommissioner.gov.uk
 
Yours faithfully
The Information Management Team
 
NOTE: Please do not edit the subject line when replying to this email.
 
Durham County Council
This email contains proprietary confidential information some or all of
which may be legally privileged and/or subject to the provisions of
privacy legislation. It is intended solely for the addressee.
If you are not the intended recipient, an addressing or transmission error
has misdirected this e-mail; you must not use, disclose, copy, print or
disseminate the information contained within this e-mail. Please notify
the author immediately by replying to this email.
Any views expressed in this email are those of the individual sender,
except where the sender specifically states these to be the views of
Durham County Council
This email has been scanned for all viruses and all reasonable precautions
have been taken to ensure that no viruses are present. Durham County
Council cannot accept responsibility for any loss or damage arising from
the use of this email or attachments.

1 Attachment

Dear Gloria Zimba
 
Thank you for your request for information received on 15 December 2021.
 
Please find attached our response to your request.
 
Yours faithfully
 
 
Julie Johnson
FOI & DP Officer
 
NOTE: Please do not edit the subject line when replying to this email.
 
Durham County Council
This email contains proprietary confidential information some or all of
which may be legally privileged and/or subject to the provisions of
privacy legislation. It is intended solely for the addressee.
If you are not the intended recipient, an addressing or transmission error
has misdirected this e-mail; you must not use, disclose, copy, print or
disseminate the information contained within this e-mail. Please notify
the author immediately by replying to this email.
Any views expressed in this email are those of the individual sender,
except where the sender specifically states these to be the views of
Durham County Council
This email has been scanned for all viruses and all reasonable precautions
have been taken to ensure that no viruses are present. Durham County
Council cannot accept responsibility for any loss or damage arising from
the use of this email or attachments.