Suppliers and Vendors (Cyber)

Harry Jones made this Freedom of Information request to University of East London

This request has been closed to new correspondence. Contact us if you think it should be reopened.

The request was partially successful.

Dear University of East London,

Under the freedom of information act 2000. I write to obtain the following details:

1) Name and role for IT Manager(s) / Officer(s) primarily responsible for cyber security

2) Names of all cyber security providers you work with and buy from

3) Names of all cyber security vendor(s) you use

3b) Renewal date for the above vendor(s)

3c) Cost and duration for the above contract(s)/license(s)

3d) For what purpose do you use the vendor
(E.g. Firewalls E.g.2 Anti-virus E.g.3 Vulnerability scanning E.g.4 PCI)

4) Number of websites the University is responsible for securing

Many thanks,
Harry Jones

Freedom Info, University of East London

Dear Mr Jones,

 

We acknowledge receipt of your inquiry sent on 5 September, which is
receiving attention.

 

Yours sincerely,

[1][University of East London request email]

University of East London

4-6 University Way

London

E16 2RD

Please use this email address for all replies to this request:
[FOI #429476 email]

Is [University of East London request email] the wrong address for Freedom of Information requests to
University of East London? If so, please contact us using this form:
[2]https://www.whatdotheyknow.com/change_re...

Disclaimer: This message and any reply that you make will be published on
the internet. Our privacy and copyright policies:
[3]https://www.whatdotheyknow.com/help/offi...

For more detailed guidance on safely disclosing information, read the
latest advice from the ICO:
[4]https://www.whatdotheyknow.com/help/ico-...

If you find this service useful as an FOI officer, please ask your web
manager to link to us from your organisation's FOI page.

-------------------------------------------------------------------

--------------------------------------------------------------------------

This email has been scanned for email related threats and delivered safely
by Mimecast.
For more information please visit [5]http://www.mimecast.com

--------------------------------------------------------------------------

References

Visible links
1. mailto:[University of East London request email]
2. https://www.whatdotheyknow.com/change_re...
3. https://www.whatdotheyknow.com/help/offi...
4. https://www.whatdotheyknow.com/help/ico-...
5. http://www.mimecast.com/

Freedom Info, University of East London

Dear Mr Jones,

 

We refer to your inquiry dated 5^th September and set out below our
response to your inquiry.

 

Yours sincerely,

[1][University of East London request email]

University of East London

4-6 University Way

London

E16 2RD

 

Q1) Name and role for IT Manager(s) / Officer(s) primarily responsible for
cyber security

 

A1) There is no single individual who has a primary role relating
specifically to Cyber Security.

Q2) Names of all cyber security providers you work with and buy from

Q3) Names of all cyber security vendor(s) you use.

Q3b) Renewal date for the above vendor(s)

Q3c) Cost and duration for the above contract(s)/license(s)

Q3d) For what purpose do you use the vendor (E.g. Firewalls E.g.2
Anti-virus E.g.3 Vulnerability scanning E.g.4 PCI)

 

A2-3) We believe that the requested information is commercially sensitive
and we thus claim an exemption under section 43 (2) of the Freedom of
Information Act 2000:

 

Commercial interests

 

1. Information is exempt information if it constitutes a trade secret.

2. Information is exempt information if its disclosure under this Act
would, or would be likely to, prejudice the commercial interests of any
person (including the public authority holding it).

3. The duty to confirm or deny does not arise if, or to the extent that,
compliance with section 1(1) (a) would, or would be likely to, prejudice
the interests mentioned in subsection (2).

 

Our reasons for claiming this exemption are twofold:

 

a) Disclosure of this information could be prejudicial to our commercial
interests in relation to the maintenance of security. Our IT systems are
at risk of cyber-attacks and we have in place appropriate risk mitigation
strategies to ensure that our systems are robust and that we are in a
position to safeguard the integrity of the data contained therein. We are
responsible under the Data Protection Act 1998 for the safeguarding of the
sensitive personal data of approximately 25,000 individuals. We believe
that should information about our cyber security systems and services, no
matter how general, be placed in the public domain, it could be of use to
third parties in terms of gaining unauthorised entry to the data stored on
our IT databases. Furthermore, the disclosure of information relating to
the expiry dates of security systems and services could present a
significant risk to the information security of organisations. Such
information could be used by attackers to determine specific periods where
an organisation may have higher vulnerability relating to specific systems
due to the potential change to or expiry of those systems or services.
Disclosure of the information would therefore be a serious threat to our
being able to ensure robust network security.

 

b) The information you have requested would be likely to prejudice our
commercial interests. There is the possibility that our ability to secure
new contracts at the best possible terms, and thus ensure value for money
in relation to the expenditure of public funds, could be compromised by
the publication of data relating to the names of suppliers and the annual
spend for our current commercial contracts. Potential tenderers might
consider themselves to be disadvantaged should we disclose commercially
sensitive information to a party, who, at some future date, might wish to
submit a tender in competition with others to whom such data has not been
disclosed.
 

Q4) Number of websites the University is responsible for securing

 

A4) Two.

If you are dissatisfied with the way the University of East London has
handled your request for information, you can request a review of this
decision by writing to:

Deputy University Secretary

University of East London

4-6 University Way

London

E16 2RD

E-mail [2][University of East London request email]

 

If the review does not address your concerns, you can exercise a right of
appeal to the Information Commissioner at:

The Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire, SK9 5AF

Telephone: 08456 30 60 60 or 01625 54 57 45

Website: [3]www.ico.gov.uk

--------------------------------------------------------------------------

This email has been scanned for email related threats and delivered safely
by Mimecast.
For more information please visit [4]http://www.mimecast.com

--------------------------------------------------------------------------

References

Visible links
1. mailto:[University of East London request email]
2. mailto:[University of East London request email]
3. http://www.ico.gov.uk/
4. http://www.mimecast.com/