Supply chain

The request was successful.

Dear Newport City Council,

Has your organisation ever suffered a cyber security incident through a third-party provider; that is, an attack which infiltrated your IT systems through an outside partner, provider or vendor?
- Yes
- No

If yes, did this occur within the last 12 months?
- Yes
- No

Do you have a list of all the third parties that your organisation shares sensitive data with?
- Yes
- No

In terms of cyber security governance processes, do you have clear criteria that third parties - suppliers or those in which there are dependencies within the supply chain - must comply with in order to do business with them?
- Yes
- No

If Yes, please indicate all that apply:
- Suppliers must assure their cyber security against the HMG Cyber Security Standard
- Suppliers must demonstrate that they hold a valid Cyber Essentials Certificate.
- Suppliers must demonstrate compliance with the Payment Card Industry (PCI) DSS standard
- Other: please indicate:

How often do you reassess third party or suppliers’ security measures to ensure they still meet the minimum criteria?
- At least every 12 months
- At least every 2 years
- More than every 2 years.
- We don’t reassess

Have you revisited these requirements to ensure compliance with the General Data Protection Regulation (GDPR)?
- Yes
- No

Do you have policies in place for privileged access management?
- Yes
- No

Thank you for your time.

Yours faithfully,

Gabby Dunne

City Contact Centre, Newport City Council

Good evening,

Thank you for your email.

Your request has been forwarded to the Information Management department to be actioned, and your reference number for this is

Should you have any further queries, please do not hesitate to contact us on the telephone number below. Our hours of opening are Monday to Friday from 8am to 6pm.

Kind regards,

Julie
Newport City Council Contact Centre
Tel: 01633 656 656
Minicom: 01633 656 657

Visit www.newport.gov.uk
Did you know we offer a range of council services online, easy to use and available 24/7.

The Council welcomes correspondence in English or Welsh. We will communicate with you in the language of your choice, whether that’s English, Welsh or in Bilingual format as long as we know which you prefer. Corresponding in Welsh will not lead to delay.

Newport City Council

Dear Sir/Madam

Thank you for your request for information about:

Supply Chain

Received on 21/11/2018

This request has been formally logged in our FOI management system and has been assigned the reference REQ06382.
You should receive a reply to your request within the statutory time limit of 20 working days.

Please remember to quote the reference number REQ06382 in any future communications.

Yours sincerely,
Information Management

The Council welcomes correspondence in English or Welsh or both, and will respond to you according to your preference. Corresponding in Welsh will not lead to delay.

Disclaimer

This email contains information intended for the addressee only and may be confidential, the subject of legal or professional privilege, or be otherwise protected from disclosure. If you are not the intended recipient of this message, please notify the sender immediately and do not disclose, distribute or copy the email to any other party. This email and any attached file are the property of Newport City Council.

When you email Newport City Council, you consent to the Council monitoring and reading any such emails for the purposes of security and legislative compliance. For the full disclaimer please access http://www.newport.gov.uk/disclaimer.

Information Management, Newport City Council

Dear Gabby,

Thank you for your recent request for information which I have enclosed below for ease of reference. Your request has been treated in accordance with the Freedom of Information Act 2000 and/or the Environmental Information Regulations 2004.

Your Request: REQ06382

I can confirm that we do hold information that falls within the scope of your request. The answers to your questions have been provided in Red Text below.

Has your organisation ever suffered a cyber security incident through a third-party provider; that is, an attack which infiltrated your IT systems through an outside partner, provider or vendor?
No

If yes, did this occur within the last 12 months?
n/a

Do you have a list of all the third parties that your organisation shares sensitive data with?
We have an information asset register and the procurement team holds a list of all third party contracts.

In terms of cyber security governance processes, do you have clear criteria that third parties - suppliers or those in which there are dependencies within the supply chain - must comply with in order to do business with them?
Yes

If Yes, please indicate all that apply:
Other: please indicate:
Suppliers must assure appropriate technical and organisational measures which may include: pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of systems and services.

How often do you reassess third party or suppliers’ security measures to ensure they still meet the minimum criteria?
We re-assess at the point of contract renewal.

Have you revisited these requirements to ensure compliance with the General Data Protection Regulation (GDPR)?
Yes

Do you have policies in place for privileged access management?
Controls are in place to ensure that access to systems is granted only to authorised staff.

I hope this provides the information you were looking for; if there is any further information that we can provide, please submit a further request. If you have any queries about this email or if you are unhappy with the service you have received in relation to your request and wish to make a complaint or request a review of our decision, please contact me.

If you are not content with the subsequent outcome of your complaint, you may apply directly to the Information Commissioner for a decision. Generally, the ICO cannot make a decision unless you have exhausted the Council's complaints procedure. The Information Commissioner can be contacted at: The Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

For future reference, all Freedom of Information requests can now be submitted via the link below.

www.newport.gov.uk/foi

Regards,

Information Management