Suppliers and Vendors (Cyber)

The request was partially successful.

Dear Bishop Grosseteste University College,

Under the Freedom of Information Act 2000, I write to obtain the following details:

1) Name and role for IT Manager(s) / Officer(s) primarily responsible for cyber security

2) Names of all cyber security providers you work with and buy from

3) Names of all cyber security vendor(s) you use

3b) Renewal date for the above vendor(s)

3c) Cost and duration for the above contract(s)/license(s)

3d) For what purpose do you use the vendor
(E.g. Firewalls E.g.2 Anti-virus E.g.3 Vulnerability scanning)

4) Number of websites owned by the University

Many thanks,
Harry Jones

Guenever Moyes, Bishop Grosseteste University

1 Attachment

Harry Jones

[[1]mailto:[FOI #428774 email]]

 

 

Dear Mr Jones

 

FOI REQUEST - SUPPLIERS & VENDORS (CYBER)

Emailed: 04 September 2017 12:41

 

I acknowledge receipt of your Freedom of Information request (copy
attached below).

 

This will be handled under the terms of the Freedom of Information Act
2000, which means that you can expect to receive a response from us within
20 working days or by 2 October 2017.

 

Please contact us if you have any queries about this email or about the
progress of your request ([2][email address]).

 

If you are dissatisfied with the service you receive in relation to your
request and wish to make a complaint or ask for an internal review, then
please write to Stephen Deville, Chief Operating Officer, Bishop
Grosseteste University, Lincoln LN1 3DY
([3][email address]).

 

If you are not content with the outcome of a complaint or internal review,
you have the right to appeal to the Information Commissioner.  Generally,
however, she cannot make a decision unless you have exhausted the
complaints and review procedures provided by the University itself.  The
Information Commissioner can be contacted at The Information
Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire  SK9
5AF.

 

Yours sincerely

 

Guenever Moyes

Archivist & Records Manager

 

 

___________________________________

 


 

Bishop Grosseteste University

Lincoln

LN1 3DY


Guenever Moyes, Bishop Grosseteste University

1 Attachment

Harry Jones

[[1]mailto:[FOI #428774 email]]

 

 

Dear Mr Jones

 

FOI REQUEST - SUPPLIERS & VENDORS (CYBER)

Emailed: 04 September 2017 12:41

Acknowledged: 05 September 2017 11:13

 

I write in reply to your recent Freedom of Information request.  Our
responses to your questions are as follows:

 

1) Name and role of IT Manager(s) / Officer(s) primarily responsible for
cyber security

 

Barry Clarkson, Director of IT and Systems Development

 

2) Names of all cyber security providers you work with and buy from

 

Although I can confirm that we hold this information, we are withholding
it under Section 36(2)(c) of the Freedom of Information Act 2000 on the
grounds that disclosure would be likely to prejudice the effective conduct
of University business.

 

Section 36(2)(c) provides a broad exemption where complying with a request
would prejudice, or would be likely to prejudice, the effective conduct of
public affairs.

 

Section 36 is a prejudice-based exemption and is therefore subject to the
prejudice test.  However, it differs from other prejudice exemptions in
that the judgement about prejudice must be made by the legally authorised
qualified person for that public authority.  The qualified person for the
University is the Vice Chancellor and, after considering the case, he has
given it as his opinion that the exemption is engaged on the grounds that
there is more than a hypothetical or remote possibility of prejudice or
harm being caused to the conduct of the University’s business if the
requested information were to be released and a real possibility that
negative consequences could result.  You can find detailed guidance on use
of the section 36 exemption on the ICO website at the following link:
[2]https://ico.org.uk/media/for-organisatio....

 

Section 36 is also a qualified exemption which means that, even though the
qualified person has given his opinion that disclosure would cause
prejudice, or would be likely to cause prejudice to the effective conduct
of public affairs, we still have to consider whether there is nevertheless
an overriding public interest in providing the information (referred to as
the public interest test).  This involves weighing the harm resulting from
possible disclosure against the likely benefit to the wider public.

 

In this case, we considered:

 

i. the public interest in ensuring that the University is able to protect
its systems from cyber-attacks which could damage security

ii. the public interest in ensuring that the University can proactively
manage the risks around cyber security, for the wellbeing and safety of
all its stakeholders

iii. the public interest in ensuring that no detrimental impact is caused
to any investigations and that law enforcement tactics are not compromised
by disclosures which could hinder the prevention and detection of crime

iv. the public interest in issues of accountability and transparency and
in scrutinizing how the University’s affairs are conducted (including such
preventative measures as the University may take in protecting its network
against cyber-attacks)

v. the public interest in ensuring that there is competition for public
sector contracts and that commercial companies are able to compete fairly
in the provision of goods and services.

 

In addition, we took into account the fact that information that is
released under the Freedom of Information Act is considered to be released
to the world at large and not just to the individual applicant.  Whilst we
acknowledge that there is no malicious intent on your part, we take the
view that releasing the names of our providers into the public domain
would be likely to cause prejudice or harm to the University’s systems and
interests.  This is because disclosing details of specific cyber security
vendors and providers into the public domain could disclose details of the
systems we use, potentially identifying vulnerable areas where a threat
to our network is greatest.  This could then enable potential
cyber-attackers to target our network and jeopardise the University’s
ability to manage the risks associated with the launch of attacks, which
we do not consider would be in the public interest.

 

After taking all these issues into account, we are of the view that the
balance of the public interest lies in favour of withholding this
information.

 

3a) Names of all cyber security vendor(s) you use

 

Although I can confirm that we hold this information, it has been withheld
under Section 36(2)(c) on the grounds that disclosure would be likely to
prejudice the effective conduct of University business.  For a detailed
explanation of this exemption, see our response to Q.2 above.

 

As with Q.2, the Vice Chancellor has given his judgement that Section
36(2)(c) is engaged before we have gone on to consider the public interest
arguments.

 

After considering the various issues and arguments for and against
releasing the information (as listed under Q.2 above), we take the view
that the balance of the public interest lies in favour of withholding this
information because disclosure would be likely to weaken the security of
the University’s systems, which would not be in the public interest.

 

3b) Renewal date for the above vendor(s)

 

September 2019

 

3c) Cost and duration for the above contract(s)/license(s)

 

The duration of the contract is 3 years.

 

Whilst I can confirm that we hold information relating to the cost of the
contract, we are withholding it under Section 43.2 of the Freedom of
Information Act 2000 (Commercial Interests) because disclosure would be
likely to damage the commercial interests of the University.

 

Section 43 is a prejudice-based and qualified exemption.  This means that
we must first be satisfied that releasing the requested information would,
or would be likely to, prejudice or damage someone’s commercial interest,
including the University’s own commercial interests (the prejudice test).
In this case, we considered:

i. the public interest in ensuring that the University is able to
participate competitively and fairly in a commercial activity such as the
purchase of goods and services

ii. the public interest in ensuring that we as a public authority get
value for money when purchasing goods or services

iii. the public interest in scrutinizing how public money is spent
(including issues of accountability and transparency)

iv. the public interest in ensuring that there is competition for public
sector contracts

v. the public interest in ensuring that commercial companies are able to
compete fairly in the provision and sale of goods and services, and finally

vi. we took into account that information released under the Freedom of
Information Act is released to the world at large and not just to the
individual applicant.

Having considered where the balance of the public interest lies, we are of
the view that disclosure of the information would be likely to prejudice
the University’s commercial position as a purchaser of goods and services,
and we are satisfied that the public interest in withholding information
relating to the value of contracts outweighs the public interest in
disclosure. This is because we believe that disclosing details of the
value of our current or recent contracts would be likely to weaken the
University’s bargaining position in the market-place when next procuring
or purchasing similar services in the future. This would prejudice the
commercial interests of the University as a purchaser which we do not
consider would be in the public interest.  In addition, there is a public
interest in ensuring that there is competition for public sector contracts
and that commercial companies are able to compete fairly and without
disadvantage.  The following detailed guidance on this exemption has been
published by the Information Commissioner’s Office:
[3]http://ico.org.uk/for_organisations/guid....

 

3d) For what purpose do you use the vendor (E.g. Firewalls E.g.2
Anti-virus E.g.3 Vulnerability scanning)

 

Although I can confirm that we hold this information, it has been withheld
under Section 36(2)(c) on the grounds that disclosure would be likely to
prejudice the effective conduct of University business.  For a detailed
explanation of this exemption, see our response to Q.2 above.

 

As with Q.2, the Vice Chancellor has given his judgement that Section
36(2)(c) is engaged before we have gone on to consider the public interest
arguments.

 

After considering the various issues and arguments for and against
releasing the information (as listed under Q.2 above), we take the view
that the balance of the public interest lies in favour of withholding this
information because disclosure would be likely to weaken the security of
the University’s systems, which would not be in the public interest.

 

4) Number of websites owned by the University

One

 

Please contact me if you have any queries about this email or about the
information provided ([4][email address]).

 

If you are dissatisfied with the service you have received in relation to
your request and wish to make a complaint or ask for an internal review,
then please write to Stephen Deville, Chief Operating Officer, Bishop
Grosseteste University, Lincoln LN1 3DY
([5][email address]).

 

If you are not content with the outcome of a complaint or internal review,
you have the right to appeal to the Information Commissioner.  Generally,
however, she cannot make a decision unless you have exhausted the
complaints and review procedures provided by the University itself.  The
Information Commissioner can be contacted at The Information
Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire  SK9
5AF.

 

Yours sincerely

 

Guenever Moyes

Archivist & Records Manager

 

 

___________________________________

 


 

Bishop Grosseteste University

Lincoln

LN1 3DY

_____________________________________________________

 

Telephone   (01522) 583792   |   Email   [7][email address]

Twitter   [8]www.twitter.com/bishopglibrary   |   Facebook 
 [9]www.facebook.com/bishopglibrary   |   Website   [10]www.bishopg.ac.uk

 

 

 

From: Guenever Moyes
Sent: 05 September 2017 11:13
To: Harry Jones <[FOI #428774 email]>
Cc: Stephen Deville <[email address]>; Emma J. Sansby
<[email address]>
Subject: FOI REQUEST - SUPPLIERS & VENDORS (CYBER)