Suppliers and Vendors (Cyber)

James Noland made this Freedom of Information request to Merthyr Tydfil Council


The request was successful.

Dear Merthyr Tydfil Council,

Under the Freedom of Information Act 2000, I write to obtain the following details:

1) Name and role for IT Manager(s) / Officer(s) primarily responsible for cyber security

2) Names of all cyber security providers you work with and buy from

3) Names of all cyber security vendor(s) you use

3b) Renewal date for the above vendor(s)

3c) Cost and duration for the above contract(s)/license(s)

3d) For what purpose do you use the vendor
(E.g. Firewalls E.g.2 Anti-virus E.g.3 Vulnerability scanning E.g.4 PCI)

4) Number of websites the council is responsible for securing

Many thanks,
James Noland

FOI (Freedom of Information), Merthyr Tydfil Council

Dear Sir/Madam

 

RE: Freedom Of Information Act 2000 – INFORMATION Request

 

We acknowledge your request for information about suppliers and vendors
(cyber) received by the Data Disclosure and Records Officer on 5 September
2017.

 

We are considering your request and you will receive the Council's full
response within the [1]statutory time limit of 20 working days, which in
this instance is no later than 3 October 2017, unless the information is
exempt or we require additional time to consider whether disclosure is in
the public interest in accordance with [2]Section 2 of the Act.  

 

The [3]Act defines a number of exemptions which may prevent release of the
information you have requested. Before we provide the information we will
consider whether it is proper to release it and if any of the exemption
categories do apply then the information may not be released. We will tell
you if this is the case, and you will have a right of appeal. If the
information you request contains reference to a third party then they may
be consulted prior to a decision being taken on whether or not to release
the information to you. You may have to pay a fee for this information; we
will consider this and let you know. If a fee is applicable the Council
will issue you with a Fees Notice. The 20 working day time limit will not
start until we receive your payment. If you have any queries or concerns,
please contact the Data Disclosure and Records Officer on 01685 725000 or
[4][Merthyr Tydfil Council request email]. You can find out more about the Act from the
Information Commissioner at:

 

Information Commissioner’s Office (Wales)
2nd Floor
Churchill House
Churchill Way
Cardiff
CF10 2HH

Tel: 029 2067 8400
Fax: 029 2067 8399
Email: [5][email address]
Website: [6]www.ico.org.uk

 

Responses to completed requests for information are published online
within our disclosure log. Our disclosure log is located in the find it
section of our external website ([7]www.merthyr.gov.uk). Please click
[8]HERE to view our disclosure log.

 

Yours faithfully

 

Swyddog Datgelu Data a Chofnodion/Data Disclosure and Records Officer

Tîm Llywodraethu Gwybodaeth/Information Governance Team

Cyngor Bwrdeistref Sirol Merthyr Tudful/Merthyr Tydfil County Borough
Council

 

Canolfan Dinesig/Civic Centre

Stryd Y Castell/Castle Street

Merthyr Tudful/Merthyr Tydfil

CF47 8AN/CF47 8AN

Ffon/Tel: 01685 725000

E-bost/E-mail: [9][Merthyr Tydfil Council request email]

 

We welcome correspondence in Welsh and this will not lead to a delay.

This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. The contents of this e-mail represent the views of the
individual(s) named above and do not necessarily represent the views of
Merthyr Tydfil County Borough Council.

Merthyr Tydfil County Borough Council
Civic Centre
Castle Street
Merthyr Tydfil
CF47 8AN

Teleffon\Telephone: 01685 725000

[10]http://www.merthyr.gov.uk

References

Visible links
1. http://www.legislation.gov.uk/ukpga/2000...
2. http://www.legislation.gov.uk/ukpga/2000...
3. http://www.legislation.gov.uk/ukpga/2000...
4. mailto:[Merthyr Tydfil Council request email]
5. mailto:[email address]
6. http://www.ico.org.uk/
7. http://www.merthyr.gov.uk/
8. http://www.merthyr.gov.uk/English/Servic...
9. mailto:[Merthyr Tydfil Council request email]
10. http://www.merthyr.gov.uk/

FOI (Freedom of Information), Merthyr Tydfil Council

Dear Sir/Madam

 

RE: Freedom Of Information Act 2000 – INFORMATION Request

 

1) Name and role for IT Manager(s) / Officer(s) primarily responsible for
cyber security

[1][email address]

 

2) Names of all cyber security providers you work with and buy from

Please see exemption below

 

3) Names of all cyber security vendor(s) you use

Please see exemption below

 

3b) Renewal date for the above vendor(s)

Please see exemption below

 

3c) Cost and duration for the above contract(s)/license(s)

Please see exemption below

 

3d) For what purpose do you use the vendor (E.g. Firewalls E.g.2
Anti-virus E.g.3 Vulnerability scanning E.g.4 PCI)

Please see exemption below

 

4) Number of websites the council is responsible for securing  

45.

 

We have considered your request for information and on this occasion we
cannot supply the information you have requested. In accordance with
Section 17 of the Freedom of Information Act 2000 this letter acts as a
Refusal Notice.

 

The exemption applied is a qualified exemption pursuant to Section
31(1)(a) of the FOIA. This exemption applies because disclosure of the
information would be likely to prejudice the prevention of crime by
enabling or encouraging the commission of offences. In reaching the
decision we identified factors why disclosure might be in the public
interest but considered that they were outweighed by the reasons set out
below against disclosure. 

 

Disclosure of this information would put the Council's systems at risk of
attack from hackers. The Council firmly believes that the level of detail
being requested would enable individuals to hack the Council's systems
which could have a catastrophic effect on the Council's ability to deliver
services, its reputation and possibly cause substantial financial harm.

 

The Council's systems store a wide range of data; this data includes
personal data, personal sensitive data, financial data, assets such as
copyrighted data and various other types of information. If the Council
disclosed the information requested the data we currently hold would
become a prime target for cybercrime.

 

The information that a hacker could obtain if they were to breach our
security systems would cause significant harm to those to whom the
information relates. For example, if information relating to those that
access the Council's Occupational Therapy Service or Social Services
department was hacked, stolen or misused, this would cause serious
physical or psychological injury to the service user and their friends and
family whether it is directly or indirectly a result of the hacker.

 

In addition to harm caused to individuals, the property of the Council,
such as valuable intellectual property protected by copyright or a trade
secret of one of our contractors could be misused and devalued if it were
to be stolen or manipulated. The Financial systems would also be put at
risk or misused as a hacker could fraudulently access our accounts and use
public funds for an unauthorised purpose.

 

All our hardware and software is subject to constant hardening and
patching to minimise risk to our network. If we were to divulge details of
specific products then we are increasing the risk if there are known
vulnerabilities and patches have not been released by the vendor for us to
apply. In addition to this, Cyber Security has become a major issue for the
Council as we have recently had a number of ransomware attacks on our
network. Disclosure of this information will expose our ICT infrastructure
to additional vulnerabilities. The links provided below are some examples
of security incidents due to flaws/weaknesses found in products (sometimes
years later). Placing the makes/models of our ICT products in the public
domain would increase the risks of us being subject to security incidents.

 

[2]http://www.theregister.co.uk/2016/08/17/...

[3]http://www.scmagazine.com/cisco-warns-of...

[4]http://www.ibtimes.co.uk/juniper-network...

 

For example, if we state the make and model of our Firewall, and then
sometime in the future the manufacturers of that product announce a security
flaw has been found and they are working on a fix, a hacker could easily
exploit this vulnerability using the information disclosed within the request
for information. The consequences of such incidents could be business
critical, such as what happened to Lincolnshire Council.

 

In considering your request the Council considers the greater public
interest rests with non-disclosure. As such this information will not be
disclosed to you. Under section 1(1)(a) of the Act, you are entitled to be
informed as to whether the Council holds information of the description
specified in the request. In this instance the Council can confirm that
further information is held but is bound by the above exemption.

 

We are sorry that we cannot help further on this occasion but if you are
in any way dissatisfied with the handling of your request, or have any
further information needs in the future then please contact the Data
Disclosure and Records Officer on 01685 725000 or [5][Merthyr Tydfil Council request email].
You have the right to appeal against our decision. If you wish to appeal
please set out in writing your grounds of appeal and send to:

 

Data Protection Officer
Merthyr Tydfil County Borough Council
Civic Centre
Castle Street
Merthyr Tydfil
CF47 8AN

Tel: 01685 725000
Fax: 01685 725060
Email: [6][email address]

 

You can find out more about the Act from the Information Commissioner at:

 

Information Commissioner’s Office (Wales)
2nd Floor
Churchill House
Churchill Way
Cardiff
CF10 2HH

Tel: 029 2067 8400
Fax: 029 2067 8399
Email: [7][email address]
Website: [8]www.ico.org.uk

 

If you have any queries or concerns, or if I can be of any further
assistance, please feel free to contact me.

 

Yours faithfully

 

Swyddog Datgelu Data a Chofnodion/Data Disclosure and Records Officer

Tîm Llywodraethu Gwybodaeth/Information Governance Team

Cyngor Bwrdeistref Sirol Merthyr Tudful/Merthyr Tydfil County Borough
Council

 

Canolfan Dinesig/Civic Centre

Stryd Y Castell/Castle Street

Merthyr Tudful/Merthyr Tydfil

CF47 8AN/CF47 8AN

Ffon/Tel: 01685 725000

E-bost/E-mail: [9][Merthyr Tydfil Council request email]

 

[10]http://www.merthyr.gov.uk

References

Visible links
1. mailto:[email address]
2. http://www.theregister.co.uk/2016/08/17/...
3. http://www.scmagazine.com/cisco-warns-of...
4. http://www.ibtimes.co.uk/juniper-network...
5. mailto:[Merthyr Tydfil Council request email]
6. mailto:[email address]
7. mailto:[email address]
8. http://www.ico.org.uk/
9. mailto:[Merthyr Tydfil Council request email]
10. http://www.merthyr.gov.uk/