Information Technology Request

The request was refused by East Dunbartonshire Council.

Dear East Dunbartonshire Council,

I am writing to make an open government request for all the information to which I am entitled under the Freedom of Information Act 2000.

Please forward responses to the attached questions below.

I would like the above information to be provided to me as an electronic document.
If this request is too wide or unclear, I would be grateful if you could contact me as I understand that under the Act, you are required to advise and assist requesters. If any of this information is already in the public domain, please can you direct me to it, with page references and URLs if necessary.

If the release of any of this information is prohibited on the grounds of breach of confidence, I ask that you supply me with copies of the confidentiality agreement and remind you that information should not be treated as confidential if such an agreement has not been signed.
I understand that you are required to respond to my request within the 20 working days after you receive this letter. I would be grateful if you could confirm in writing that you have received this request.

I look forward to hearing from you.

Yours faithfully,

Gloria Zimba.

1. Do you have a formal IT security strategy? (Please provide a link to the strategy)

A) Yes
B) No

2. Does this strategy specifically address the monitoring of network attached device configurations to identify any malicious or non-malicious change to the device configuration?

A) Yes
B) No
C) Don’t know

3. If yes to Question 2, how do you manage this identification process – is it:

A) Totally automated – all configuration changes are identified and flagged without manual intervention.
B) Semi-automated – it’s a mixture of manual processes and tools that help track and identify configuration changes.
C) Mainly manual – most elements of the identification of configuration changes are manual.

4. Have you ever encountered a situation where user services have been disrupted due to an accidental/non malicious change that had been made to a device configuration?

A) Yes
B) No
C) Don’t know

5. If a piece of malware was maliciously uploaded to a device on your network, how quickly do you think it would be identified and isolated?

A) Immediately
B) Within days
C) Within weeks
D) Not sure

6. How many devices do you have attached to your network that require monitoring?

A) Physical Servers: record number
B) PC’s & Notebooks: record number

7. Have you ever discovered devices attached to the network that you weren’t previously aware of?

A) Yes
B) No

If yes, how do you manage this identification process – is it:

A) Totally automated – all device configuration changes are identified and flagged without manual intervention.
B) Semi-automated – it’s a mixture of manual processes and tools that help track and identify unplanned device configuration changes.
C) Mainly manual – most elements of the identification of unexpected device configuration changes are manual.

8. How many physical devices (IP’s) do you have attached to your network that require monitoring for configuration vulnerabilities?

Record Number:

9. Have you suffered any external security attacks that have used malware on a network attached device to help breach your security measures?

A) Never
B) Not in the last 1-12 months
C) Not in the last 12-36 months

10. Have you ever experienced service disruption to users due to an accidental, non-malicious change being made to device configurations?

A) Never
B) Not in the last 1-12 months
C) Not in the last 12-36 months

11. When a scheduled audit takes place for the likes of PSN or Cyber Essentials, how likely are you to get significant numbers of audit fails relating to the status of the IT infrastructure?

A) Never
B) Occasionally
C) Frequently
D) Always

East Dunbartonshire Council

Thank you for you Freedom of Information request.

This is an automated response. Your message has been received by East
Dunbartonshire Council.

Your request will be dealt with promptly and a full response will be issued
within 20 working days.

Should you not receive a response within this period, or you have any other
queries about your request please contact: [East Dunbartonshire Council request email] or 0141
578 8057.

DISCLAIMER:
This email and any files transmitted with it are intended for the use of the individual or entity to whom they are addressed. It may contain information of a confidential or privileged nature.

If you have received this email in error please notify the originator of the message and destroy the e-mail.

East Dunbartonshire Council can not be held responsible for viruses, therefore please scan all attachments.

Any personal data contained in email communications with East Dunbartonshire Council will be processed in accordance with the General Data Protection Regulations 2016/679 ("GDPR") and all other relevant national data protection laws.

Further information detailing how East Dunbartonshire holds and uses personal information and copies of privacy notices used throughout the Council are available on our website at:
https://www.eastdunbarton.gov.uk/council...

The Council?s Data Protection Officer can be contacted at [email address] or on Tel: 0300 123 4510.

The views expressed in this message are those of the sender and do not necessarily reflect those of East Dunbartonshire Council who will not necessarily be bound by its contents.

East Dunbartonshire Council

East Dunbartonshire Council
Request for Information

Dear Ms Zimba,

FOI/14881:  Freedom of Information request - Information Technology
Request

Thank you for your request for information. In answer to your enquiry I
can provide the following response on behalf of East Dunbartonshire
Council

Dear East Dunbartonshire Council,
 
I am writing to make an open government request for all the information to
which I am entitled under the Freedom of Information Act 2000.
 
Please forward responses to the attached questions below.
 
I would like the above information to be provided to me as an electronic
document.
 
If this request is too wide or unclear, I would be grateful if you could
contact me as I understand that under the Act, you are required to advise
and assist requesters. If any of this information is already in the public
domain, please can you direct me to it, with page references and URLs if
necessary.
 
If the release of any of this information is prohibited on the grounds of
breach of confidence, I ask that you supply me with copies of the
confidentiality agreement and remind you that information should not be
treated as confidential if such an agreement has not been signed.
 
I understand that you are required to respond to my request within the 20
working days after you receive this letter. I would be grateful if you
could confirm in writing that you have received this request.
 
I look forward to hearing from you.
 
Yours faithfully,
 
Gloria Zimba.
 
1.                 Do you have a formal IT security strategy? (Please
provide a link to the strategy)
 
A)                 Yes
B)                 No
I regret to advise, under Section 35 of the Freedom of Information
(Scotland) Act 2002 'law enforcement,' that the Council is unable to
provide you with the information you have requested.
 
Section 35(1)(a) of the Freedom of Information (Scotland) Act 2002,
exempts from release information that would prejudice substantially the
prevention or detection of crime. It is the Council's view that the
release of information in respect of the Council's ability to counter
criminal attacks on our network is likely to increase the volume of such
attacks. This is on the basis that releasing this information could aid
malicious parties by encouraging further attacks.
 
In considering this exemption, the Council must consider where the public
interest lies in releasing the information. While accepting that there is
an interest in quantifying the volume of such illegal activities, the
risks to the Council outweigh that benefit. I therefore regret to advise
that the Council is unable to provide you with the information you have
requested.
 
 
2.                 Does this strategy specifically address the monitoring
of network attached device configurations to identify any malicious or
non-malicious change to the device configuration?
 
A)                 Yes
B)                 No
C)                  Don’t know
 
3.                 If yes to Question 2, how do you manage this
identification process – is it:
 
A)                 Totally automated – all configuration changes are
identified and flagged without manual intervention.
B)                 Semi-automated – it’s a mixture of manual processes and
tools that help track and identify configuration changes.
C)                 Mainly manual – most elements of the identification of
configuration changes are manual.
 
4.                 Have you ever encountered a situation where user
services have been disrupted due to an accidental/non malicious change
that had been made to a device configuration?
 
A)                 Yes
B)                 No
C)                  Don’t know
 
5.                 If a piece of malware was maliciously uploaded to a
device on your network, how quickly do you think it would be identified
and isolated?
 
A)                 Immediately
B)                 Within days
C)                 Within weeks
D)                 Not sure
 
6.                 How many devices do you have attached to your network
that require monitoring?
 
A)                 Physical Servers: record number
Total 58 servers
 
B)                 PC’s & Notebooks: record number
Total 9247
 
7.                 Have you ever discovered devices attached to the
network that you weren’t previously aware of?
 
A)                 Yes
B)                 No
 
 
If yes, how do you manage this identification process – is it:
 
A)                Totally automated – all device configuration changes are
identified and flagged without manual intervention.
B)                Semi-automated – it’s a mixture of manual processes and
tools that help track and identify unplanned device configuration changes.
C)                Mainly manual – most elements of the identification of
unexpected device configuration changes are manual.
Not applicable
 
8.                 How many physical devices (IP’s) do you have attached
to your network that require monitoring for configuration vulnerabilities?
 
        Record Number:  
We use private IP ranges 172,10, 195 and 194.111, 192.168.1, 192.168.20  
same as Q6.
???? Chat with James re switches
 
9.                 Have you suffered any external security attacks that
have used malware on a network attached device to help breach your
security measures?
 
A)                 Never
B)                 Not in the last 1-12 months
C)                 Not in the last 12-36 months
 
 
10.                 Have you ever experienced service disruption to users
due to an accidental, non-malicious change being made to device
configurations?
 
A)                 Never
B)                 Not in the last 1-12 months
C)                 Not in the last 12-36 months
 
11.                 When a scheduled audit takes place for the likes of
PSN or Cyber Essentials, how likely are you to get significant numbers of
audit fails relating to the status of the IT infrastructure?
 
A)                 Never
B)                 Occasionally
C)                 Frequently
D)                 Always

Should you have any questions on the content of the response and would
like the Local Authority to clarify or explain, please do feel free to get
in contact, citing the enquiry reference number above.
 
If you are dissatisfied with the way in which East Dunbartonshire Council
responded to your request, you are entitled to require the Council to
review its decision. The review will be handled by staff who were not
involved in the original decision. Please note that in order for a review
to take place you must:
·        Lodge a written requirement for a review within 40 working days
of the date of this letter
·        Include a correspondence address and a description of the
original request and the reason why you are dissatisfied.
·        Address your request to the Freedom of Information Officer:

Stephen Armstrong
Freedom of Information/Data Protection Officer,
East Dunbartonshire Council,
Telephone No. 0141-578 8057
[East Dunbartonshire Council request email]

The review will be handled by staff who were not involved in the original
decision.  You will receive notice of the results of the review within 20
working days of receipt of your request.  The notice will state the
findings of the review as well as details of how to appeal to the Scottish
Information Commissioner if you are still dissatisfied with the Council’s
response. You must request an internal review by the Council before a
complaint can be directed to the Scottish Information Commissioner.

 

══════════════════════════════════════════════════════════════════════════

DISCLAIMER:
This email and any files transmitted with it are intended for the use
of the individual or entity to whom they are addressed. It may
contain information of a confidential or privileged nature.

If you have received this email in error please notify the originator
of the message and destroy the e-mail.

East Dunbartonshire Council can not be held responsible for
viruses, therefore please scan all attachments.

Any personal data contained in email communications with
East Dunbartonshire Council will be processed in accordance with the
General Data Protection Regulations 2016/679 ("GDPR") and all other
relevant national data protection laws.

Further information detailing how East Dunbartonshire holds and
uses personal information and copies of privacy notices used throughout
the Council are available on our website
at: [1]https://www.eastdunbarton.gov.uk/council...

The Council's Data Protection Officer can be contacted
at [2][email address] or on Tel: 0300 123 4510.

The views expressed in this message are those of the sender and do
not necessarily reflect those of East Dunbartonshire Council who will
not necessarily be bound by its contents.

References

Visible links
1. https://www.eastdunbarton.gov.uk/council...
2. mailto:[email address]