Suppliers and Vendors (Cyber)

James Noland made this Freedom of Information request to University of Warwick

This request has been closed to new correspondence from the public body. Contact us if you think it ought be re-opened.

The request was partially successful.

Dear University of Warwick,

Under the freedom of information act 2000. I write to obtain the following details:

1) Name and role for IT Manager(s) / Officer(s) primarily responsible for cyber security

2) Names of all cyber security providers you work with and buy from

3) Names of all cyber security vendor(s) you use

3b) Renewal date for the above vendor(s)

3c) Cost and duration for the above contract(s)/license(s)

3d) For what purpose do you use the vendor
(E.g. Firewalls E.g.2 Anti-virus E.g.3 Vulnerability scanning)

4) Number of websites owned by the University

Many thanks,
James Noland

infocompliance, Resource, University of Warwick

Dear Mr Noland,

Thank you for your email dated 4^th of September 2017 requesting
information about the University of Warwick. Your request is being
considered under the Freedom of Information Act 2000. Please find below
your original request and our response.

Under the freedom of information act 2000. I write to obtain the following
details:

1)      Name and role for IT Manager(s) / Officer(s) primarily responsible
for cyber security

The University declines to provide any contact details for individuals
responsible for the above mentioned departments on the grounds that the
requested information amounts to the disclosure of personal data and could
potentially lead to the identification of individuals, which may place the
University in breach of the Data Protection Act 1998. We are relying on
the exemption under section 40(2) of the Freedom of Information Act 2000
in this regard.

However, you may contact the team responsible for Information Security
utilising the following resource account email address:

[1][email address]

2)      Names of all cyber security providers you work with and buy from

3)      Names of all cyber security vendor(s) you use

a.      Renewal date for the above vendor(s)

b.      Cost and duration for the above contract(s)/license(s)

c.       For what purpose do you use the vendor (E.g. Firewalls E.g.2
Anti-virus E.g.3 Vulnerability scanning)

The University confirms that it holds the information requested in
questions 2) and 3) but declines to provide the information as it believes
it is exempt from disclosure under section 31(1)(a) of the Freedom of
Information Act.

We are not obliged to provide information if its release would prejudice
the prevention or detection of crime. In this case, the University
believes that releasing detailed information regarding the providers and
vendors of our Cyber Security creates a security risk and is likely to
prejudice the prevention or detection of crime under section 31(1)(a).
Disclosure would make the University more vulnerable to crime, including a
cyber-attack from an external hacker. By divulging the requested
information the University would be likely to unnecessarily expose itself
to the risk of harm and potentially huge financial cost.

The exemption at section 31(1)(a) is a qualified exemption which means
that the University must consider whether the public interest in
maintaining the exemption outweighs the public interest in disclosure. The
University recognises that there is legitimate public interest in proving
information as this encourages openness, accountability and informed
public debate. However, the University also believe that there is a strong
public interest in maintaining the exemption if disclosure would be likely
to prejudice the University’s ability to perform its functions effectively
in that the University would be diverted from its day to day work in order
to deal with the consequences of a cyber-attack. In addition to the delay
and disruption to the University, the consequences of such an attack would
incur a huge financial cost in repairing infected devices and/or
purchasing and installing new equipment.

Therefore, the University is of the opinion that the public interest lies
in favour of withholding the requested information.

4)      Number of websites owned by the University 

The number of registered domains owned by the University of Warwick which
IT Services are able to centrally determine is 548.

Please note

•                    A registered domain may or may not have a website(s)
associated with it.

•                    IT Services may not capture all registered domains.

•                    This is not the number of websites but is the number
of registered domains.

If you are unhappy with the way in which your request has been handled by
the University of Warwick, you can request an internal review and in the
first instance you are advised to follow the procedure outlined here:
[2]http://www2.warwick.ac.uk/services/legal...

If you remain dissatisfied with the handling of your request or complaint,
you have a right to appeal to the Information Commissioner at:

The Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Phone: 0303 123 1113

Website: [3]https://ico.org.uk/

There is no charge for making an appeal.

Yours sincerely,

Ian Rowley

Ian Rowley | Director of Development, Comms & External Affairs| External
Affairs
University House | University of Warwick | Coventry | CV4 8UW

 

References

Visible links
1. mailto:[email address]
2. http://www2.warwick.ac.uk/services/legal...
3. https://ico.org.uk/