FOI reference: FOI-6506
Date: 20 January 2022
Request
You have requested the following information:
- Do you have a formal IT security strategy?
- Yes
- No
- Does this strategy specifically address the monitoring of network attached device configurations to identify any malicious or non-malicious change to the device configuration?
- Yes
- No
- Don’t know
- If yes to Question 2, how do you manage this identification process – is it:
- Totally automated – all configuration changes are identified and flagged without manual intervention.
- Semi-automated – it’s a mixture of manual processes and tools that help track and identify configuration changes.
- Mainly manual – most elements of the identification of configuration changes are manual.
- Have you ever encountered a situation where user services have been disrupted due to an accidental/non malicious change that had been made to a device configuration?
- Yes
- No
- Don’t know
- If a piece of malware was maliciously uploaded to a device on your network, how quickly do you think it would be identified and isolated?
- Immediately
- Within days
- Within weeks
- Not sure
- How many devices do you have attached to your network that require monitoring?
- Physical Servers: record number
- PCs & Notebooks: record number
- Have you ever discovered devices attached to the network that you weren’t previously aware of?
- Yes
- No
If yes, how do you manage this identification process – is it:
- Totally automated – all device configuration changes are identified and flagged without manual intervention.
- Semi-automated – it’s a mixture of manual processes and tools that help track and identify unplanned device configuration changes.
- Mainly manual – most elements of the identification of unexpected device configuration changes are manual.
- How many physical devices (IPs) do you have attached to your network that require monitoring for configuration vulnerabilities?
Record Number:
- Have you suffered any external security attacks that have used malware on a network attached device to help breach your security measures?
- Never
- Not in the last 1 to 12 months
- Not in the last 12 to 36 months
- Have you ever experienced service disruption to users due to an accidental, non-malicious change being made to device configurations?
- Never
- Not in the last 1 to 12 months
- Not in the last 12 to 36 months
- When a scheduled audit takes place for the likes of PSN or Cyber Essentials, how likely are you to get significant numbers of audit fails relating to the status of the IT infrastructure?
- Never
- Occasionally
- Frequently
- Always
Response
I can confirm that we hold information falling within scope of your request. However, we are unable to supply some of the information requested for the reason set out below.
Information we are able to supply
- Do you have a formal IT security strategy?
b. No
- Does this strategy specifically address the monitoring of network attached device configurations to identify any malicious or non-malicious change to the device configuration?
b. N/A
- If yes to Question 2, how do you manage this identification process – is it:
N/A
- How many devices do you have attached to your network that require monitoring?
a. Physical Servers: Approximately 175
b. PCs & Notebooks: 1058
Information we are not able to supply
Questions 4, 7, 9, 10 and 11
We neither confirm nor deny that we hold the information requested in questions 4, 7, 9, 10 and 11 relying on the exemption in section 31(3) FOIA. This exemption enables us to neither confirm nor deny that we hold information if it would, or would be likely to, prejudice the functions of law enforcement – the prevention and detection of crime.
We consider that by confirming or denying if we hold the information requested in these questions, this would be likely to give malicious third parties an insight into vulnerabilities which may, or may not, exist, or access to other information that may be useful in attack planning. This would be likely to compromise our systems.
The section 31(3) exemption requires us to assess whether the public interest in confirming or denying that we hold the information is outweighed by the public interest in declining to confirm or deny that we hold the information. This public interest assessment is not about whether we should disclose any information that we might hold, but whether we should say if we hold the information or not. Although individual or corporate bodies requesting information under FOIA may find disclosure useful or convenient for personal or commercial reasons, the exemption requires us to only consider factors that are in the public interest.
Public interest factors in favour of confirming or denying whether we hold the information.
- There is a strong and legitimate public interest in public bodies being open and transparent, which facilitates accountability for the expenditure of public monies; enables the public to have a greater understanding of our activities and decision making and increases public trust and engagement.
- Confirmation or denial may reassure people to some extent about whether our systems are vulnerable or not.
- Confirmation or denial may provide a limited amount of information about the effectiveness of our security systems.
Public interest factors in favour of neither confirming nor denying that we hold the information.
- There is a strong public interest in preventing crime.
- Saying if we hold the information requested in questions 4, 7, 9, 10 and 11 would provide information about how effective our security systems are. This would be likely to give malicious third parties insights into the strength of TPR’s cyber security and any potential weaknesses that may exist, which would be likely to increase the risk of cyber-attacks.
- Cyber security measures protect the integrity of our data, including personal and commercially sensitive information, so increasing the chance of an attack would have potentially serious repercussions.
- If we confirm whether or not we hold the information, this could show malicious third parties whether or not our systems are vulnerable, encouraging attacks. Malicious third parties are known to conduct extensive research and can draw on information gathered from a wide range of sources to derive information about an organisation’s cyber security arrangements, taking advantage of the mosaic effect by combining information from different sources.
- There is a strong public interest in complying with our legal obligations to keep personal data and other sensitive or confidential data secure and to take appropriate measures, which includes keeping areas confidential where necessary.
The right to know must be balanced against the need to enable effective delivery of public services. Although there is a strong public interest in transparency, openness and accountability, there is a compelling public interest in protecting our systems against attacks by malicious third parties, which could compromise the data we hold and interfere with our regulatory functions. The appropriate weight must be given to the public interest inherent in the exemption and there is a substantial public interest in avoiding that prejudice, which is a strong factor in favour of maintaining the exemption. We therefore consider that the balance of public interest lies in favour of not confirming or denying that we hold the information requested under questions 4, 7, 9, 10 and 11.
Questions 5 and 8
We confirm that we hold the information requested in questions 5 and 8, however we rely on the exemption in section 31(1)(a) FOIA to withhold this information.
Section 31(1)(a) says that we do not need to provide information that would be likely to prejudice the functions of law enforcement – the prevention and detection of crime.
We consider that by releasing the information requested in questions 5 and 8, this would be likely to give a malicious third party valuable information that would assist in an attack on TPR’s systems. It is important that TPR does not do anything that would allow the personal data and sensitive commercial information we hold to be accessed illegally.
The section 31(1)(a) exemption requires us to assess whether the public interest in disclosure is outweighed by the public interest in withholding the information. Although individual or corporate bodies requesting information under FOIA may find disclosure useful or convenient for personal or commercial reasons, the exemption requires us to only consider factors that are in the public interest.
Factors in favour of disclosure.
- There is a strong and legitimate public interest in public bodies being open and transparent, which facilitates accountability for the expenditure of public monies; enables the public to have a greater understanding of our activities and decision making and increases public trust and engagement.
- Transparency is likely to increase confidence in the IT security procedures and policies maintained by TPR.
- Disclosure may reassure people about whether our systems are vulnerable.
- There is a legitimate public interest in ensuring the public can have confidence that TPR has in place controls to deter, detect and defend against cyber-attack and disclosure would tend to provide information about how effective our security systems are.
Factors in favour of withholding.
- There is an inherent public interest in crime prevention.
- There is a strong public interest in avoiding the costs and detriment to individuals and organisations (financial, distress, inconvenience, publicity, regulatory) associated with any attacks.
- There is a public interest in preventing any threat to the integrity of TPR’s personal and other data.
- There is a public interest in ensuring that TPR can comply with its duties to take all necessary steps to safeguard data.
The right to know must be balanced against the need to enable effective delivery of public services. Although there is a strong public interest in transparency, openness and accountability, there is a compelling public interest in protecting our systems against attacks by malicious third parties, which could compromise the data we hold and interfere with our regulatory functions. The appropriate weight must be given to the public interest inherent in the exemption and there is a substantial public interest in avoiding that prejudice, which is a strong factor in favour of maintaining the exemption. We therefore consider that the balance of public interest lies in maintaining the exemption in section 31(1)(a) and not disclosing the information.