Information Technology Request

The request was refused by Horsham District Council.

Dear Horsham District Council,

I am writing to make an open government request for all the information to which I am entitled under the Freedom of Information Act 2000.

Please forward responses to the attached questions below.

I would like the above information to be provided to me as an electronic document.
If this request is too wide or unclear, I would be grateful if you could contact me as I understand that under the Act, you are required to advise and assist requesters. If any of this information is already in the public domain, please can you direct me to it, with page references and URLs if necessary.

If the release of any of this information is prohibited on the grounds of breach of confidence, I ask that you supply me with copies of the confidentiality agreement and remind you that information should not be treated as confidential if such an agreement has not been signed.
I understand that you are required to respond to my request within the 20 working days after you receive this letter. I would be grateful if you could confirm in writing that you have received this request.

I look forward to hearing from you.

Yours faithfully,

Gloria Zimba.

1. Do you have a formal IT security strategy? (Please provide a link to the strategy)

A) Yes
B) No

2. Does this strategy specifically address the monitoring of network attached device configurations to identify any malicious or non-malicious change to the device configuration?

A) Yes
B) No
C) Don’t know

3. If yes to Question 2, how do you manage this identification process – is it:

A) Totally automated – all configuration changes are identified and flagged without manual intervention.
B) Semi-automated – it’s a mixture of manual processes and tools that help track and identify configuration changes.
C) Mainly manual – most elements of the identification of configuration changes are manual.

4. Have you ever encountered a situation where user services have been disrupted due to an accidental/non malicious change that had been made to a device configuration?

A) Yes
B) No
C) Don’t know

5. If a piece of malware was maliciously uploaded to a device on your network, how quickly do you think it would be identified and isolated?

A) Immediately
B) Within days
C) Within weeks
D) Not sure

6. How many devices do you have attached to your network that require monitoring?

A) Physical Servers: record number
B) PC’s & Notebooks: record number

7. Have you ever discovered devices attached to the network that you weren’t previously aware of?

A) Yes
B) No

If yes, how do you manage this identification process – is it:

A) Totally automated – all device configuration changes are identified and flagged without manual intervention.
B) Semi-automated – it’s a mixture of manual processes and tools that help track and identify unplanned device configuration changes.
C) Mainly manual – most elements of the identification of unexpected device configuration changes are manual.

8. How many physical devices (IP’s) do you have attached to your network that require monitoring for configuration vulnerabilities?

Record Number:

9. Have you suffered any external security attacks that have used malware on a network attached device to help breach your security measures?

A) Never
B) Not in the last 1-12 months
C) Not in the last 12-36 months

10. Have you ever experienced service disruption to users due to an accidental, non-malicious change being made to device configurations?

A) Never
B) Not in the last 1-12 months
C) Not in the last 12-36 months

11. When a scheduled audit takes place for the likes of PSN or Cyber Essentials, how likely are you to get significant numbers of audit fails relating to the status of the IT infrastructure?

A) Never
B) Occasionally
C) Frequently
D) Always

Freedom of Information Act (FOI) 2000 / Environmental Information
Regulations (EIR) 2004 / Data Protection Act (DPA) 2018

Thank you for your information request which is being dealt with under the
terms of the relevant legislation.

FOI and EIR requests will be answered within twenty working days. EIR
requests may require an extension of time to 40 working days where the
complexity and volume of the information requested means that it is
impracticable either to comply with the request within the earlier period
or to make a decision to refuse to do so.

GDPR and Data Protection Act - Subject Access Requests will be answered
within 1 month, unless the request is a complex one requiring the Council
to extend the deadline for up to 3 months. Other requests under the DPA
will be answered within 10 working days.

If you have any queries about this request please contact us via
[Horsham District Council request email] quoting the reference number in the subject line of
this email.

Yours sincerely,

Information Governance Team

FOI, Horsham District Council

1 Attachment

Dear Gloria Zimba

 

Freedom of Information Act (FOIA) 2000

 

Further to our acknowledgement, at this stage, we can confirm that we do
hold information covered by your request. However we require further time
in which to provide a full response to you.

We consider that the exemption at 31(1)(a) of the FOIA regarding the
prevention or detection of crime may apply to some/ all of the
information within scope of your request. We need further time in which to
consider the public interest in whether to disclose or withhold the
information. We will reach a decision within the next 20 working days, by
10 February 2022, and will advise you of the decision as soon as it has
been made.

Yours sincerely,

 

 

Diane Lambert
Information Governance Officer

 

 

From: Gloria Zimba <[FOI #815676 email]>
Sent: 13 December 2021 14:08
To: FOI <[email address]>
Subject: Freedom of Information request - Information Technology Request

 

Dear Horsham District Council,

I am writing to make an open government request for all the information to
which I am entitled under the Freedom of Information Act 2000.

Please forward responses to the attached questions below.

I would like the above information to be provided to me as an electronic
document.

If this request is too wide or unclear, I would be grateful if you could
contact me as I understand that under the Act, you are required to advise
and assist requesters. If any of this information is already in the public
domain, please can you direct me to it, with page references and URLs if
necessary.

If the release of any of this information is prohibited on the grounds of
breach of confidence, I ask that you supply me with copies of the
confidentiality agreement and remind you that information should not be
treated as confidential if such an agreement has not been signed.

I understand that you are required to respond to my request within the 20
working days after you receive this letter. I would be grateful if you
could confirm in writing that you have received this request.

I look forward to hearing from you.

Yours faithfully,

Gloria Zimba.

1. Do you have a formal IT security strategy? (Please provide a link to
the strategy)

A) Yes

B) No

2. Does this strategy specifically address the monitoring of network
attached device configurations to identify any malicious or non-malicious
change to the device configuration?

A) Yes

B) No

C) Don’t know

3. If yes to Question 2, how do you manage this identification process –
is it:

A) Totally automated – all configuration changes are identified and
flagged without manual intervention.

B) Semi-automated – it’s a mixture of manual processes and tools that help
track and identify configuration changes.

C) Mainly manual – most elements of the identification of configuration
changes are manual.

4. Have you ever encountered a situation where user services have been
disrupted due to an accidental/non malicious change that had been made to
a device configuration?

A) Yes

B) No

C) Don’t know

5. If a piece of malware was maliciously uploaded to a device on your
network, how quickly do you think it would be identified and isolated?

A) Immediately

B) Within days

C) Within weeks

D) Not sure

6. How many devices do you have attached to your network that require
monitoring?

A) Physical Servers: record number

B) PC’s & Notebooks: record number

7. Have you ever discovered devices attached to the network that you
weren’t previously aware of?

A) Yes

B) No

If yes, how do you manage this identification process – is it:

A) Totally automated – all device configuration changes are identified and
flagged without manual intervention.

B) Semi-automated – it’s a mixture of manual processes and tools that help
track and identify unplanned device configuration changes.

C) Mainly manual – most elements of the identification of unexpected
device configuration changes are manual.

8. How many physical devices (IP’s) do you have attached to your network
that require monitoring for configuration vulnerabilities?

Record Number:

9. Have you suffered any external security attacks that have used malware
on a network attached device to help breach your security measures?

A) Never

B) Not in the last 1-12 months

C) Not in the last 12-36 months

10. Have you ever experienced service disruption to users due to an
accidental, non-malicious change being made to device configurations?

A) Never

B) Not in the last 1-12 months

C) Not in the last 12-36 months

11. When a scheduled audit takes place for the likes of PSN or Cyber
Essentials, how likely are you to get significant numbers of audit fails
relating to the status of the IT infrastructure?

A) Never

B) Occasionally

C) Frequently

D) Always

-------------------------------------------------------------------

Please use this email address for all replies to this request:

[FOI #815676 email]

Is [Horsham District Council request email] the wrong address for Freedom of Information
requests to Horsham District Council? If so, please contact us using this
form:

[1]https://www.whatdotheyknow.com/change_re...

Disclaimer: This message and any reply that you make will be published on
the internet. Our privacy and copyright policies:

[2]https://www.whatdotheyknow.com/help/offi...

For more detailed guidance on safely disclosing information, read the
latest advice from the ICO:

[3]https://www.whatdotheyknow.com/help/ico-...

Please note that in some cases publication of requests and responses will
be delayed.

If you find this service useful as an FOI officer, please ask your web
manager to link to us from your organisation's FOI page.

show quoted sections

FOI, Horsham District Council

4 Attachments

Dear Gloria Zimba

 

Freedom of Information Act 2000 Response

 

Further to our email of 13 January 2022, in which we applied the Public
Interest Test time extension, we are now in a position to respond
substantively to your request, asking about our IT Security Strategy.

 

We have dealt with your request in accordance with ‘your right to know’
under section 1(1) of the Freedom of Information Act 2000 (FOIA), which
entitles you to be provided with a copy of any information ‘held’ by a
public authority, unless an appropriate exemption applies.

 

In your email of 13 December 2021, you asked for the following information
to which we have added our response below:

 

Request

1. Do you have a formal IT security strategy? (Please provide a link to
the strategy)
A) Yes
B) No
2. Does this strategy specifically address the monitoring of network
attached device configurations to identify any malicious or non-malicious
change to the device configuration?
A) Yes
B) No
C) Don’t know
3. If yes to Question 2, how do you manage this identification process –
is it:
A) Totally automated – all configuration changes are identified and
flagged without manual intervention.
B) Semi-automated – it’s a mixture of manual processes and tools that help
track and identify configuration changes.
C) Mainly manual – most elements of the identification of configuration
changes are manual.
4. Have you ever encountered a situation where user services have been
disrupted due to an accidental/non malicious change that had been made to
a device configuration?
A) Yes
B) No
C) Don’t know
5. If a piece of malware was maliciously uploaded to a device on your
network, how quickly do you think it would be identified and isolated?
A) Immediately
B) Within days
C) Within weeks
D) Not sure
6. How many devices do you have attached to your network that require
monitoring?
A) Physical Servers: record number
B) PC’s & Notebooks: record number
7. Have you ever discovered devices attached to the network that you
weren’t previously aware of?
A) Yes
B) No

If yes, how do you manage this identification process – is it:
A) Totally automated – all device configuration changes are identified and
flagged without manual intervention.
B) Semi-automated – it’s a mixture of manual processes and tools that help
track and identify unplanned device configuration changes.
C) Mainly manual – most elements of the identification of unexpected
device configuration changes are manual.
8. How many physical devices (IP’s) do you have attached to your network
that require monitoring for configuration vulnerabilities?
Record Number:
9. Have you suffered any external security attacks that have used malware
on a network attached device to help breach your security measures?
A) Never
B) Not in the last 1-12 months
C) Not in the last 12-36 months
10. Have you ever experienced service disruption to users due to an
accidental, non-malicious change being made to device configurations?
A) Never
B) Not in the last 1-12 months
C) Not in the last 12-36 month
11. When a scheduled audit takes place for the likes of PSN or Cyber
Essentials, how likely are you to get significant numbers of audit fails
relating to the status of the IT infrastructure?
A) Never
B) Occasionally
C) Frequently
D) Always

Response

We hold all the information you request. In response to Q1, we confirm
that we do have a formal IT security strategy. 

However, the remainder of the information is being withheld in accordance
with Section 31 (Law Enforcement) of the FOI Act. The exemption under
Section 31(1) (a) allows a public authority to withhold information where
it would, or would be likely to, prejudice the prevention or detection of
crime. The Information Commissioner’s guidance on Section 31(1)(a) states
that the exemption can be used to protect information about a public
authority’s systems which would make it more vulnerable to crime. Section
31(1)(a) is a qualified exemption, and therefore is subject to the Public
Interest Test:

Factors in favour of disclosure

It is in the public interest to be open and transparent about our IT
security systems. This can serve to reassure the public that we have
systems in place to protect all the information we hold.

 

Factors in favour of withholding

We consider that if this information was to be released into the public
domain it would be likely to reveal our information about our  cyber
security risk status for possible exploitation. We recognise that the
requested information is high level only, but it could provide an
indication of our IT infrastructure which could make us a target.  When
compiled together, the responses to each question provide a picture of
security and a steer for potential exploitation via cyber-attacks.

 

On balance we believe that the public interest in withholding the
information outweighs the public interest in disclosure.

 

Please note that the Freedom of Information Act is an open access regime
and responses under the legislation are deemed to be open to the world and
not just to the individual requester. This decision in no way implies that
you would engage in any criminal or malicious activities.

If you are dissatisfied with this response and wish to request a review of
our decision or make a complaint about how your request has been handled
you should write to The Reviewing Officer, Legal & Democratic Services,
Parkside, Chart Way, Horsham, West Sussex RH12 1RL or by email to
[1][Horsham District Council request email]

Your request for internal review should be submitted to us within 40
working days of receipt by you of this response.  Any such request
received after this time will be considered at the discretion of the Legal
Services team.

 

If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have the right to
appeal to the Information Commissioner at Wycliffe House, Water Lane,
Wilmslow, SK9 5AF.  Further details of this process are available on the
ICO website at [2]www.ICO.org.uk

 

There is no charge for making an appeal.

 

Yours sincerely

 

Diane​   Lambert
Information Governance Officer
 
 
Horsham District Council, Parkside, Chart Way, Horsham, West Sussex RH12 1RL
Telephone: 01403 215100 (calls may be recorded)   [3]www.horsham.gov.uk   Chief Executive: Glen Chipp

 

From: FOI <[email address]>
Sent: 13 January 2022 17:46
To: '[FOI #815676 email]'
<[FOI #815676 email]>
Cc: FOI <[email address]>
Subject: HDCIR:5658: Freedom of Information request - Information
Technology Request

 

Dear Gloria Zimba

 

Freedom of Information Act (FOIA) 2000

 

Further to our acknowledgement, at this stage, we can confirm that we do
hold information covered by your request. However we require further time
in which to provide a full response to you.

We consider that the exemption at 31(1)(a) of the FOIA regarding the
prevention or detection of crime may apply to some/ all of the
information within scope of your request. We need further time in which to
consider the public interest in whether to disclose or withhold the
information. We will reach a decision within the next 20 working days, by
10 February 2022, and will advise you of the decision as soon as it has
been made.

Yours sincerely,

 

 

Diane Lambert
Information Governance Officer

 

 

From: Gloria Zimba <[FOI #815676 email]>
Sent: 13 December 2021 14:08
To: FOI <[email address]>
Subject: Freedom of Information request - Information Technology Request

 

Dear Horsham District Council,

I am writing to make an open government request for all the information to
which I am entitled under the Freedom of Information Act 2000.

Please forward responses to the attached questions below.

I would like the above information to be provided to me as an electronic
document.

If this request is too wide or unclear, I would be grateful if you could
contact me as I understand that under the Act, you are required to advise
and assist requesters. If any of this information is already in the public
domain, please can you direct me to it, with page references and URLs if
necessary.

If the release of any of this information is prohibited on the grounds of
breach of confidence, I ask that you supply me with copies of the
confidentiality agreement and remind you that information should not be
treated as confidential if such an agreement has not been signed.

I understand that you are required to respond to my request within the 20
working days after you receive this letter. I would be grateful if you
could confirm in writing that you have received this request.

I look forward to hearing from you.

Yours faithfully,

Gloria Zimba.

1. Do you have a formal IT security strategy? (Please provide a link to
the strategy)

A) Yes

B) No

2. Does this strategy specifically address the monitoring of network
attached device configurations to identify any malicious or non-malicious
change to the device configuration?

A) Yes

B) No

C) Don’t know

3. If yes to Question 2, how do you manage this identification process –
is it:

A) Totally automated – all configuration changes are identified and
flagged without manual intervention.

B) Semi-automated – it’s a mixture of manual processes and tools that help
track and identify configuration changes.

C) Mainly manual – most elements of the identification of configuration
changes are manual.

4. Have you ever encountered a situation where user services have been
disrupted due to an accidental/non malicious change that had been made to
a device configuration?

A) Yes

B) No

C) Don’t know

5. If a piece of malware was maliciously uploaded to a device on your
network, how quickly do you think it would be identified and isolated?

A) Immediately

B) Within days

C) Within weeks

D) Not sure

6. How many devices do you have attached to your network that require
monitoring?

A) Physical Servers: record number

B) PC’s & Notebooks: record number

7. Have you ever discovered devices attached to the network that you
weren’t previously aware of?

A) Yes

B) No

If yes, how do you manage this identification process – is it:

A) Totally automated – all device configuration changes are identified and
flagged without manual intervention.

B) Semi-automated – it’s a mixture of manual processes and tools that help
track and identify unplanned device configuration changes.

C) Mainly manual – most elements of the identification of unexpected
device configuration changes are manual.

8. How many physical devices (IP’s) do you have attached to your network
that require monitoring for configuration vulnerabilities?

Record Number:

9. Have you suffered any external security attacks that have used malware
on a network attached device to help breach your security measures?

A) Never

B) Not in the last 1-12 months

C) Not in the last 12-36 months

10. Have you ever experienced service disruption to users due to an
accidental, non-malicious change being made to device configurations?

A) Never

B) Not in the last 1-12 months

C) Not in the last 12-36 months

11. When a scheduled audit takes place for the likes of PSN or Cyber
Essentials, how likely are you to get significant numbers of audit fails
relating to the status of the IT infrastructure?

A) Never

B) Occasionally

C) Frequently

D) Always

-------------------------------------------------------------------

Please use this email address for all replies to this request:

[FOI #815676 email]

Is [Horsham District Council request email] the wrong address for Freedom of Information
requests to Horsham District Council? If so, please contact us using this
form:

[4]https://www.whatdotheyknow.com/change_re...

Disclaimer: This message and any reply that you make will be published on
the internet. Our privacy and copyright policies:

[5]https://www.whatdotheyknow.com/help/offi...

For more detailed guidance on safely disclosing information, read the
latest advice from the ICO:

[6]https://www.whatdotheyknow.com/help/ico-...

Please note that in some cases publication of requests and responses will
be delayed.

If you find this service useful as an FOI officer, please ask your web
manager to link to us from your organisation's FOI page.

show quoted sections