Internal company Intranet and document templates

The request was partially successful.

Dear Companies House,

I would be grateful if you could please reply with the following:

1. Screenshots/copy of your internal company Intranet (or the closest thing you have to an Intranet - may be classed as a staff portal)

2. Screenshots/copy of where you store your internal company document templates (i.e. letters to customers, forms, emails, internal memos, staff trackers, call notes, etc stored on a shared drive, server or Intranet)

3. Supply copies of the document templates (examples as above)

4. Screenshots/copy of the software package(s) you use for inbound queries (i.e. telephony system, email system, call note logging - wherever you log notes essentially for the company in question etc)

Obviously please redact any information as applicable under Section 40 (2) of the FOI Act.

Kindest regards,
J Johnston

Information Rights, Companies House

Dear Mr Johnston

With reference to your email dated 6 May 2017.

The Information Rights Team is in the process of dealing with your request and a response will be sent as soon as possible.

Yours sincerely

Mrs J Lumsden
Information Rights Team

This message and any attachments are intended for the persons named as addressees only and may contain confidential information. In addition they may be protected by copyright. If you receive it in error, notify us, delete it and do not make use of or copy it. You must not copy, disseminate or otherwise distribute or publish this message, except for the purposes for which this message is intended, without our consent. Please note that this e-mail has been created in the knowledge that Internet e-mail is not a 100% secure communications medium. We advise that you understand and accept this lack of security when e-mailing us. For company information, guidance and how to file documents online, please see our website www.companieshouse.gov.uk.

Information Rights, Companies House

Dear Mr Johnson

I refer to your email dated 6 May 2017 in which you have requested the following information:

1. Screenshots/copy of your internal company Intranet (or the closest thing you have to an Intranet - may be classed as a staff portal)

2. Screenshots/copy of where you store your internal company document templates (i.e. letters to customers, forms, emails, internal memos, staff trackers, call notes, etc stored on a shared drive, server or Intranet)

3. Supply copies of the document templates (examples as above)

4. Screenshots/copy of the software package(s) you use for inbound queries (i.e. telephony system, email system, call note logging - wherever you log notes essentially for the company in question etc)

Information that falls within the scope of your request is held, but I consider that this information is exempt from disclosure by virtue of section 31(1)(a) of the Freedom of Information Act 2000 (FOIA) which states that information is exempt if its disclosure would or would be likely to prejudice the prevention or detection of a crime.

I am of the view that to provide this information would identify applications and systems used by Companies House which could enable individuals to deduce how vulnerable or otherwise Companies House is to criminal cyber-attacks.

I have considered the public interest in this matter but am of the view that the balance is in favour of withholding this information. Disclosure of this information could provide information useful to those wishing to harm the Companies House’s IT systems or may damage any attempt to identify them via law enforcement agencies. In addition, I consider that the fact that disclosure under the FOIA is disclosure to the public at large adds weight to the decision to withhold the disclosure of this information.

If you are dissatisfied with the result of your request for information you may request an internal review within two calendar months of the date of this email. The case will be reviewed by a senior member of staff who has had no previous involvement in this case. Please remember to quote the reference number above in any future communications.

If you are then not content with the outcome of the internal review, you have the right to apply directly to the Information Commissioner for a decision. Further information can be found at www.ico.org.uk

Yours sincerely

Information Rights Team


Dear Companies House,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Companies House's handling of my FOI request 'Internal company Intranet and document templates'.

With all due respect on your reply, I do understand the FOI handler's point of view, however I must explain my reasoning of why I am raising an internal review:

1. No FOI request reference has been given to myself - even though you request myself to include this reference on all communication

2. You have explained that releasing this information would allow people to identify the specific systems that you use - however I disagree based on:
- you can redact information as you see fit (system logos maybe?)
- the requested information, when released, will not allow people to identify your systems (i.e. template letters/emails, staff trackers, call notes etc. - these will not identify software packages, maybe other than Microsoft Excel or Word?)
- I have requested this information with good faith to allow myself and others to have an insight on how CH administration works, no criminal intent is here

3. In very simple terms, I cannot see how releasing the requested information could “deduce how vulnerable […] Companies House is to criminal cyber-attacks” or “harm the Companies House’s IT systems”. I do fully appreciate the recent attacks towards public bodies, but in no way shape or form by requesting copies of document templates or a screenshot of how you store these documents will allow an individual to possibly attack your systems. No weblinks or server number will be released, surely?

4. Very simply again, are you worried about the security level of your systems? As to be totally honest, an individual could interpret your response in a bad manner.

On reflection of the above points, I would be grateful if you could please answer some questions re your use of Section 31 - (1)(a):

1. Please provide reasoning of why you believe releasing copies of template documents will prevent crime?
2. Please explain why you have denied all aspects of the request and not explained specifically for each request point (i.e. a certain point has obviously stood out to the FOI handler to refuse the request)

I would be grateful if you could please remit a response at your earliest convenience, attaching the requested information (or going into more detail of why you are not releasing the information for each separate request point and not an overall point of view).

A full history of my FOI request and all correspondence is available via: https://www.whatdotheyknow.com/request/i...

Yours faithfully,

Mr J Johnston

Information Rights, Companies House

Our Ref: FOI 153/05/17

Dear Mr Johnston

I refer to your email of 18 May 2017 in which you have requested an internal review.

This matter will be passed to a senior manager within Companies House who will undertake the review.

Yours sincerely

Information Rights Team


Information Rights, Companies House

11 Attachments

Our Ref: FOI 153/05/17

Your Ref: [1][FOI #405100 email]

Date: 16 June 2017

Dear Mr Johnston

Your request for an internal review of the FOI case referenced above
(Internal company intranet and document template) was passed to me to
resolve.

On reviewing the case, I have concluded that, whilst I sympathise with the
security concerns raised, I believe we have been a little over-cautious in
our approach and should be able to supply you some of the requested
screenshots, albeit with any sensitive information redacted.

To address your specific points:

 1. No FOI request reference has been given to myself – even though you
request myself to include this reference on all communication.

The FOI reference 153/07/17 was included in the subject box in the
Information rights team’s email reply of 18/05/17 – although I note this
information was not published as part of the response on the
‘whatdotheyknow’ website. The FOI reference number was subsequently
included in the body of the email acknowledging receipt of your request
for an internal review. Furthermore, I have included that reference above,
as well as the relevant reference from the ‘whatdotheyknow’ website.

I hope that clears up any confusion

 2. You have explained that releasing this information would allow people
to identify the specific systems that you use – however I disagree
based on:

o You can redact information as you see fit (system logos maybe?)
o The requested information, when released, will not allow people to
identify your systems (ie template letters / emails, staff trackers,
call notes etc. – these will not identify software packages, maybe
other than Microsoft Excel or Word)
o I have requested this information with good faith to allow myself and
others to have an insight on how CH administration works, no criminal
intent is here.

The security concerns are understandable as one of the basic tenets of
system security is not to provide information that may be useful in
identifying underlying technologies, as that may inform attacks. However,
as stated above, I believe we can supply some of the items you have
requested, as long as we are careful to redact any personal or system
information.

 3. In very simple terms, I cannot see how releasing the requested
information could “deduce how vulnerable […] Companies House is to
criminal cyber-attacks” or “harm the Companies House’s IT systems”. I
do fully appreciate the recent attacks towards public bodies but in no
way shape or form by requesting copies of document templates or a
screenshot of how you store these documents will allow an individual
to possibly attack your systems. No weblinks or server number will be
released, surely?

As long as it is appropriately redacted, I tend to agree.

 4. Very simply again, are you worried about the security level of your
systems? As to be totally honest, an individual could interpret your
response in a bad manner.

I am not sure what ‘bad manner’ interpretation you are suggesting, but I
can assure you that we take security very seriously at Companies House and
the appropriate systems and measures are in place. You can never totally
eliminate risk however and no-one should be blasé and overconfident nor
invite attack by providing information that could potentially be used to
inform attack vectors. As I have said, I believe we can supply the
information you requested, in suitably redacted form but I totally
understand the initial reaction from my security team who will, and
should, always take a safety-first approach.

In line with my statements above, and your original FOI request, please
find attached:

 1. A screenshot of our internal company intranet (with personal and
system information redacted, unless that information is already in the
public domain).
 2. A representative sample of templates of the letters we send to our
customers. You also mentioned ‘forms’ in your request – all our forms
are already publicly available at
[2]https://www.gov.uk/topic/company-registr...
 3. A screenshot of the software package we use for logging contact about
a company, which I hope will satisfy your second and fourth requests,
both of which mention call notes, emails, letters etc.

I hope that satisfies your request, at least as far as we are able,
however, if you are not content with the outcome of this internal review,
you do have the right to apply directly to the Information Commissioner
for a decision.  Further information can be found at [3]www.ico.org.uk

Yours sincerely

Robert McNeil

Director of Digital

Companies House

References

Visible links
1. mailto:[FOI #405100 email]
2. https://www.gov.uk/topic/company-registr...
3. http://www.ico.org.uk/