Security and Compliance Software

The request was refused by De Montfort University.

Dear De Montfort University,

Can you confirm the SAP ERP version you are currently using?

Who provides your SAP Security, Authorisations and Role Design support?

Can you please confirm if you currently use SAP Access Control?

If you do use Access Control, what version is installed (options are v5.3, v10.0, v10.1 or v12.0)?

Do you have a support contract with an external provider to support SAP Access Control install?

Can you please confirm if you currently use SAP Process Control?

If you do use Process Control, what version is installed (options are v5.3, v10.0, v10.1 or v12.0)?

Do you have a support contract with an external provider to support SAP Process Control install?

Can you please confirm if you currently use SAP Risk Management?

If you do use Risk Management, what version is installed (options are v5.3, v10.0, v10.1 or v12.0)?

Do you have a support contract with an external provider to support SAP Risk Management install?

Can you confirm if you currently have any other SAP GRC software installed?

List of SAP GRC software includes, but not exclusive to:
i. Business Integrity Screening
ii. Single Sign-On
iii. Identity Management
iv. Audit Management
v. UI Masking
vi. UI Logging
vii. Read Access Logging
viii. BusinessObjects Access Control
ix. Versa GRC

If you do not have any SAP GRC installed/utilised, are there any plans to purchase and install the GRC software?

If you have implemented any of the aforementioned software and have a support contract what is the renewal date of that contract?

Where is your SAP infrastructure located and in what format?

When is the contract for third party support of your SAP infrastructure due for renewal?

Where do you advertise any SAP related procurement opportunities?

Yours faithfully,

Thomas

Freedom of Information, De Montfort University

Dear Thomas,

Thank you for your request under the Freedom of Information Act. Unfortunately we cannot currently process this as a Freedom of Information request as you are not providing us with enough information, specifically with regard to your name. The Information Commissioner's Office guidance states the following:

"21. For a request to be valid, the requester must provide enough of their real name to give anyone reading that request a reasonable indication of their identity."

"25. Any variation of the requester’s title or first name combined with their surname (e.g. Mr Smith or John Smith) will be sufficient to meet this requirement. However, a first name or surname provided in isolation, or a set of initials, will not."

Given that you are only providing us with a first name I'm afraid we cannot currently treat this as a valid request. If you would like to supply your surname we would be more than happy to process your request and supply any information to which you are entitled under the Freedom of Information Act 2000. In this instance the 20 working day timeframe will start from the receipt of your full name.

A copy of the ICO guidance can be found here: https://ico.org.uk/media/for-organisatio...

Regards

Paul Starkey
Information Governance Manager, ITMS

DE MONTFORT UNIVERSITY
T: +44 (0)116 2577655
E: [email address]
W: dmu.ac.uk


Dear Freedom of Information,

Hi, my full name is Derek Thomas.

Yours sincerely,

Thomas

Freedom of Information, De Montfort University


Dear Sir,

 

FREEDOM OF INFORMATION ACT 2000

 

Thank you for your email request below.  

 

Your request is being considered and if the information is held you will
receive the information requested within the statutory timescale of 20
working days as defined by the Freedom of Information Act 2000, subject to
the information not being exempt.

 

If the time taken to meet your request is likely to exceed 18 hours, we
will contact you and ask you to amend your request to bring it below this
time limit. We will assist you with suggestions of how this might be
achieved.

 

I may also contact you if the request needs to be clarified; this is to
ensure that we provide you with the information you require.

 

Please note that some information you have requested may not be provided
to you; this will only be information that can be withheld by law.  In
most cases the reasons will be explained to you along with your copy of
any information that can be released to you.

In order to ensure a prompt response to any communication, please ensure
that any further emails are copied to [De Montfort University request email].

 

Yours sincerely,

 

Paul Starkey

Information Governance Manager, ITMS

DE MONTFORT UNIVERSITY

T: +44 (0)116 2577655

E: [email address]

W: dmu.ac.uk

 

Responsible for: Freedom of Information, Data Protection Act compliance
and Records Management

 

 


Freedom of Information, De Montfort University


Dear Mr Thomas,

 

FREEDOM OF INFORMATION ACT 2000-INFORMATION REQUEST

 

Your request for information has now been considered. Whilst we are able
to answer some questions, for the majority of this request we are refusing
under Section 31(1a) of the Freedom of Information Act as we believe the
disclosure of this information would, or would be likely to, prejudice
the prevention or detection of crime. The majority of the information
requested would allow a determined person to identify the optimum methods
of cyber-attacks on our systems, incurring substantial reputational and
financial harm for the University.

 

Because Section 31 is a qualified exemption we are required to undertake
the Public Interest Test. While we accept there is a public interest in
how Universities spend money on procuring IT systems, we do not believe
this public interest extends to placing substantial levels of information
in the public domain that would allow those systems to be compromised. As
such we find the use of Section 31 to be fully engaged. Please see below
for a more detailed breakdown of the request.

 

Can you confirm the SAP ERP version you are currently using? Withheld
under Section 31

Who provides your SAP Security, Authorisations and Role Design support?
Withheld under Section 31

Can you please confirm if you currently use SAP Access Control? Withheld
under Section 31

If you do use Access Control, what version is installed (options are v5.3,
v10.0, v10.1 or v12.0)? Withheld under Section 31

Do you have a support contract with an external provider to support SAP
Access Control install? DMU cannot provide information on the use of
these products due to the risk of cyber-attack, but we can confirm that
all contract renewals advertised will be published on InTend or through
the established frameworks provided in accordance with approved
procurement channels.

Can you please confirm if you currently use SAP Process Control? Withheld
under Section 31

If you do use Process Control, what version is installed (options are
v5.3, v10.0, v10.1 or v12.0)? Withheld under Section 31

Do you have a support contract with an external provider to support SAP
Process Control install? DMU cannot provide information on the use of
these products due to the risk of cyber-attack, but we can confirm that
all contract renewals advertised will be published on InTend or through
the established frameworks provided in accordance with approved
procurement channels.

Can you please confirm if you currently use SAP Risk Management? Withheld
under Section 31

If you do use Risk Management, what version is installed (options are
v5.3, v10.0, v10.1 or v12.0)? Withheld under Section 31

Do you have a support contract with an external provider to support SAP
Risk Management install? Withheld under Section 31

Can you confirm if you currently have any other SAP GRC software
installed? Withheld under Section 31

List of SAP GRC software includes, but not exclusive to: Withheld under
Section 31

i. Business Integrity Screening

ii. Single Sign-On

iii. Identity Management

iv. Audit Management

v. UI Masking

vi. UI Logging

vii. Read Access Logging

viii. BusinessObjects Access Control

ix. Versa GRC

If you do not have any SAP GRC installed/utilised, are there any plans to
purchase and install the GRC software? Withheld under Section 31

If you have implemented any of the aforementioned software and have a
support contract what is the renewal date of that contract? DMU cannot
provide information on the use of these products due to the risk of
cyber-attack, but we can confirm that all contract renewals advertised
will be published on InTend or through the established frameworks provided
in accordance with approved procurement channels.

 

Where is your SAP infrastructure located and in what format? SAP
infrastructure is located in our on premise datacentre. It is hosted on a
virtual platform.

 

When is the contract for third party support of your SAP infrastructure
due for renewal? The current infrastructure platform is being replaced.
The existing contract for support expires in February 2019 and will be
replaced by a new 3rd party support contract for 5 years that forms part
of the procurement process for the infrastructure refresh. 

 

Where do you advertise any SAP related procurement opportunities? DMU
Procurement will treat any SAP related procurements in essentially the
same manner as that of any other procurement. An options analysis will be
undertaken as to what are the various possible routes to market and an
assessment made of what is the best approach in each case. Where possible
and suitable DMU as with other local bodies will make use of OJEU
compliant public sector available frameworks and where a requirement is
required to be openly tendered in accordance with its own Financial
Regulations, then these will be electronically published for suppliers to
openly bid against via the e-tendering portal InTend. This portal is the
typical e-procurement vehicle utilised within the UK HE procurement sector
for electronically publishing tendering opportunities, backed up at the
same time by the opportunity then also appearing within Contracts Finder
or the OJEU Journal where the value dictates that the latter is required.
Other additional sources may be used from time to time such as Source
Leicestershire and DMU Financial Regulations only require that below £25K
three quotations be obtained and below £10K only a single quotation be
obtained and best value assured, but the primary vehicle for the
publishing of any tendering opportunities for DMU, including SAP related,
either completely new or as other existing agreements expire, will be that
of InTend.

 

Yours sincerely,

 

Paul Starkey

Information Governance Manager

Information Technology & Media Services

 

DE MONTFORT UNIVERSITY

T: +44 (0) 116 257 7655

E: [email address]

W: dmu.ac.uk

 

Responsible for: Freedom of Information, Data Protection Act compliance
and Records Management

 

You have the right to complain to the University about this decision.  If
you wish to do this please write to:

 

Regulations and Complaints Manager

Corporate Services

0.13 Trinity House

Leicester

Telephone (0116) 257 7694

 

If you are subsequently not satisfied with the University’s response to
your complaint you have a right of appeal to the independent Information
Commissioner at:

 

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire SK9 5AF

Telephone: 01625 545 700

www.informationcommissioner.gov.uk

 

Further information about the operation of the Act is available from the
University’s website www.dmu.ac.uk and the information leaflet in
public reception areas in University buildings.

 

 

From: Freedom of Information
Sent: 05 November 2018 14:12
To: [FOI #529697 email]
Subject: RE: Freedom of Information request - Security and Compliance
Software (Ref: 824)

 
