Security Audit of coi.gov.uk

Response to this request is long overdue. By law, under all circumstances, Central Office of Information should have responded by now. You can complain by requesting an internal review.

Richard Jackson

Dear Sir or Madam,

In the .gov.uk Naming and Approvals Committee Minutes of 26th September 2007 reference is made to a security audit of coi.gov.uk.

Can you please provide a copy of that audit (and, should it not be obvious from the audit report, details of who conducted it), and details of any decisions made by COI in response to it.

If there have been any further audits commissioned or conducted since then, please also provide similar information in relation to them.

Yours faithfully,

Richard

FOI Officer, Central Office of Information

1 Attachment

Good afternoon Richard

Please see the attached.

Regards
Glynn

Glynn Morgan
FOI Officer
Central Office of Information
Hercules House
Hercules Road
London
SE1 7DU
Tel 020 7928-2345
Fax 020 7928 5037

"This communication is confidential and copyright. Anyone coming into
unauthorised possession of it should disregard its content and erase it
from their records."

The original of this email was scanned for viruses by Government Secure
Intranet (GSi) virus scanning service supplied exclusively by Cable &
Wireless in partnership with MessageLabs.
On leaving the GSI this email was certified virus free.
The MessageLabs Anti Virus Service is the first managed service to achieve
the CSIA Claims Tested Mark (CCTM Certificate Number 2006/04/0007), the UK
Government quality mark initiative for information security products and
services. For more information about this please visit www.cctmark.gov.uk

Public Sector Forums left an annotation

Could they not provide at least a redacted version?

Dear Glynn,

Please take this as a request for an internal review of this decision. You say in your response that I should contact Emma Lochhead in that regard, but you have provided no details on how to do that, so I would be grateful if you could forward this on.

I would note that the security audit in question is almost a year old now, and that there would be a reasonable expectation that any problems identified by it should be fixed by now. If, for some reason, a decision was made to ignore some potential problems and rely on security through obscurity, then it would be slightly more understandable for those portions to be withheld or redacted, but I do not believe it is appropriate to refuse to release _all_ information requested (including details of by whom the audit was carried out).

Yours sincerely,

Richard

Dear Sir or Madam,

My request for internal review made on 21nd September in relation to my FOI request 'Security Audit of coi.gov.uk' has still received no response. I would note that ICO guidance states that such requests should normally be handled in 20 working days, and should never take more than 40.

Please advise on the expected date when I should receive a response.

A full history of my original request and all correspondence is available on the Internet at this address:
http://www.whatdotheyknow.com/request/se...

Yours sincerely,

Richard Jackson

Dear Sir or Madam,

It is now well over two months since I requested an internal review of my request relating to the Security Audit of coi.gov.uk and I have still heard nothing. Unless I receive an update in the next week I will have little option but to direct this matter to the ICO.

A full history of my FOI request and all correspondence is available on the Internet at this address:
http://www.whatdotheyknow.com/request/se...

Yours sincerely,

Richard Jackson

FOI Officer, Central Office of Information

1 Attachment

Good morning Richard

Thank you for your email. Please see the attached sent in response to your
email of 8th November.

If you have any queries please do not hesitate to contact me.

Kind regards
Glynn

Glynn Morgan
FOI Officer
Central Office of Information
Hercules House
Hercules Road
London
SE1 7DU
Tel 020 7928-2345
Fax 020 7928 5037

Dear Emma,

RE: 10485428

Thank you for this response.

I am slightly confused as to your point re: providing a redacted copy of the audit. Are you saying that your internal review has decided that COI were correct in withholding some material, but mistaken in not providing a redacted copy?

I am also a little surprised that you did not just attach the redacted copy to your response, but I would be grateful if you would send that.

Yours sincerely,

Richard Jackson

FOI Officer, Central Office of Information

Richard

I will arrange for a copy to be sent.

Kind regards
Glynn

Glynn Morgan
FOI Officer
Central Office of Information
Hercules House
Hercules Road
London
SE1 7DU
Tel 020 7928-2345
Fax 020 7928 5037

Public Sector Forums left an annotation

I think you would have a case to take this to the ICO.

Apart from breaching the statutory timescales for review, to say that for the exemption in section 33 of the FOI Act to apply, the Department needs to demonstrate that:

(a) disclosure is likely to prejudice the authority's auditing functions; and
(b) the public interest in avoiding that prejudice is greater than the public interest in disclosing the information concerned.

I don't think simply saying 'for the reasons as previously stated and I do not believe its release would be in the public interest' satisfies that requirement. Even more strange that they didn't provide the redacted version with the response.