Dear Gloria,

I acknowledge receipt of your email received by this office on 25 November 2021.

Your request will now be dealt with under the Freedom of Information Act 2000 and has been allocated reference FOI21-464 which should be quoted in all correspondence. We will respond to your request within 20 working days starting the next working day after receipt, therefore you can expect to receive a response no later than 23 December 2021.

In some circumstances a fee may be payable and, if that is the case, we will let you know. A fees notice will be issued to you, and you will be required to pay before we will proceed to deal with your request.

Yours sincerely

Swyddfa Ysgrifenydd y Brifysgol
Prifysgol Caerdydd
Ebost : [email address]  

Mae'r Brifysgol yn croesawu gohebiaeth yn Gymraeg neu'n Saesneg.  Ni fydd gohebu yn Gymraeg yn creu unrhwy oedi.
University Secretary's Office
Cardiff University
Email: [email address] 

The University welcomes correspondence in Welsh or English.  Corresponding in Welsh will not lead to any delay.

show quoted sections

Please note: The University will be closed for the Christmas break from
17:00 on Thursday 23rd December 2021 until 09:00 Tuesday 4th January 2022
and we will not be responding to emails during this time.

Dear Gloria Zimba

I acknowledge receipt of your email received by this office on 25 November
2021.

Your request will now be dealt with under the Freedom of Information Act
2000 and has been allocated reference FOI21-464 which should be quoted in
all correspondence. We will respond to your request within 20 working days
starting the next working day after receipt, therefore you can expect to
receive a response no later than 24 December 2021.

In some circumstances a fee may be payable and, if that is the case, we
will let you know. A fees notice will be issued to you, and you will be
required to pay before we will proceed to deal with your request.

Yours sincerely

Swyddfa Ysgrifenydd y Brifysgol University Secretary’s Office

Prifysgol Caerdydd Cardiff University

Ebost : [1][email address] Email: [2][email address] 
 
 
 
The University welcomes
Mae'r Brifysgol yn croesawu correspondence in Welsh or English. 
gohebiaeth yn Gymraeg neu'n Saesneg.  Corresponding in Welsh will not lead
Ni fydd gohebu yn Gymraeg yn creu to any delay.
unrhwy oedi.

References

Visible links
1. mailto:[email address]
2. mailto:[email address]

Dear Gloria,

I am writing in response to your Freedom of Information request dated 25th
November 2021.

For ease of reference, I have reproduced your questions below and set out
our corresponding responses.

1.      Do you have a formal IT security strategy? (Please provide a link
to the strategy)

A)      Yes

Please see Cardiff University Information Security Policies
[1]https://www.cardiff.ac.uk/public-informa....
Accordingly this information is reasonably accessible to you by other
means and is exempt from disclosure under section 21 of the Freedom of
Information Act 2000. 

2.      Does this strategy specifically address the monitoring of network
attached device configurations to identify any malicious or non-malicious
change to the device configuration?

A)      Yes

3.         If yes to Question 2, how do you manage this identification
process- is it:

B)        Semi-automated- it’s a mixture of manual processes and tools
that help track and identify configuration changes.

4.      Have you ever encountered a situation where user services have
been disrupted due to an accidental/non malicious change that had been
made to a device configuration?

A)      Yes

B)      No

C)      Don’t know

We would consider that to supply the information held would provide those
who are attempting to conduct cyber security attacks against universities
with useful information on the level of security within the University IT
systems. Those who have carried out attacks, including through malware
emails on the University systems would be able to determine the
effectiveness of such attacks and this could encourage further attacks or
different types of attacks. It is likely that these details could be used
in addition to other information already in the public domain which would
assist them to gain a wider understanding of the University systems.

Therefore we consider that the information which we hold in regards to any
attacks and testing is exempt on the basis of Section 31(1)(a) of the
Freedom of Information Act 2000.  A response to an FOI request has to be
treated as a release of information into the public domain. The release of
such information may provide information which may prompt a change in
behaviour in an effort to avoid detection or give confidence to
individuals to continue the activity.  Providing this information to the
level requested would have a detrimental and prejudicial effect on the
prevention and detection of crime and the apprehension and prosecution of
offenders.

To give details on the successfulness of attacks would be likely to
provide information to malicious actors, and would also give individuals
an insight into the way that the University deals with cyber security
attacks and our recording of such incidents. In coming to this conclusion
the University has taken into consideration the ICO Decision notice
FS50665770 where UK Export Finance received similar requests for the
number of attacks and details of cyber security attacks.

Public Interest Test:

Factors in favour of disclosure:

There is a general public interest in demonstrating transparency in
University activity to provide reassurance to the University community
that engagement is undertaken appropriately with law enforcement and other
bodies and action taken to reduce online crime.

Factors in favour of non-disclosure:

There is a public interest in not disclosing information that would
compromise the integrity of police investigations and police operations in
the area of online crime. There is a public interest in not disclosing
information that would undermine the University's online security.

On balance the public interest is weighted in favour of non-disclosure.

5.      If a piece of malware was maliciously uploaded to a device on your
network, how quickly do you think it would be identified and isolated?

A)      Immediately

B)      Within days

C)      Within weeks

D)      Not sure

              Please see our response to question 4.

6.      How many devices do you have attached to your network that require
monitoring?

A)      Physical Servers: record number

B)      PC’s & Notebooks: record number

            Zero for both a) and b)

7.      Have you ever discovered devices attached to the network that you
weren’t previously aware of?

A)      Yes

B)      No

            Please see our response to question 4.

If yes, how do you manage this identification process – is it:

A)      Totally automated – all device configuration changes are
identified and flagged without manual intervention.

B)      Semi-automated – it’s a mixture of manual processes and tools that
help track and identify unplanned device configuration changes.

C)      Mainly manual – most elements of the identification of unexpected
device configuration changes are manual.

8.      How many physical devices (IP’s) do you have attached to your
network that require monitoring for configuration vulnerabilities?

Record Number:

            Zero

9.      Have you suffered any external security attacks that have used
malware on a network attached device to help breach your security
measures?

A)      Never

B)      Not in the last 1-12 months

C)      Not in the last 12-36 months

            Please see our response to question 4.

10.     Have you ever experienced service disruption to users due to an
accidental, non-malicious change being made to device configurations?

A)      Never

B)      Not in the last 1-12 months

C)      Not in the last 12-36 months

            Please see our response to question 4.

11.     When a scheduled audit takes place for the likes of PSN or Cyber
Essentials, how likely are you to get significant numbers of audit fails
relating to the status of the IT infrastructure?

A)      Never

I trust this information satisfies your enquiry. Should you feel
dissatisfied with this response or the way in which your request was
handled you can request an Internal Review. This should be made in writing
within 40 working days of the date of this email. Please provide your
unique reference number of your request, information on why you are
dissatisfied and any detail you would like us to consider as part of the
Internal Review process. Email your request to
[2][email address] where it will be forwarded to the Head of
Compliance and Risk who will be responsible for overseeing the review.

If you remain dissatisfied following the outcome of your complaint, you
have the right to apply directly to the Information Commissioner for
consideration. The Information Commissioner can be contacted at the
following address: Information Commissioner's Office, Wycliffe House,
Water Lane, Wilmslow, Cheshire, SK9 5AF.

I would like to take this opportunity to thank you for your interest in
Cardiff University. If you require further assistance please feel free to
contact me.

Kind regards

Swyddfa Ysgrifenydd y Brifysgol University Secretary’s Office

Prifysgol Caerdydd Cardiff University

Ebost : [3][email address] Email: [4][email address] 
 
 
 
The University welcomes
Mae'r Brifysgol yn croesawu correspondence in Welsh or English. 
gohebiaeth yn Gymraeg neu'n Saesneg.  Corresponding in Welsh will not lead
Ni fydd gohebu yn Gymraeg yn creu to any delay.
unrhwy oedi.

References

Visible links
1. https://www.cardiff.ac.uk/public-informa...
2. mailto:[email address]
3. mailto:[email address]
4. mailto:[email address]