FOI Request - Cybersecurity Practices
I am writing to you to request information about the cybersecurity practices across your corporate network, and other networks that you may use. All information should be locatable within a small area.
I would initially like you to establish contextualising information about the corporate network(s) that you use.
1a. May you confirm who deployed these networks and their names (i.e. in the instance of Sunderland City Council's corporate network, it has been reported that the network was deployed by BT: http://www.telecompaper.com/news/bt-delivers-corporate-network-for-sunderland-city-council--819112)
1b. May you provide me with copies of the tender award documents (these may be 1b.1 – the invitation to tender, and 1b.2 – the final contract, and 1b.3 etcetera, wherein they display an evaluation of the tender process) relating to the deployment of your corporate network.
1c. I would like to be able to contextualise the successful bid by understanding how many bids you received and how they were evaluated. If you may, I would like you to provide this as a table in a spreadsheet format, the rows of which would list those tendering and the columns of which would list the evaluation criteria. If such a document does not exist, please provide me with a facsimile which might only include the financial range of the bids, in a spreadsheet format.
2a. I would like to know what anti-virus and anti-malware solutions you use; this information would be the names of the solutions, the locations at which they are installed, and the names of the companies who have provided them.
2b. May you provide me with copies of the tender award documents for these solutions, as per 1b. Here I would like to understand the procurement process for these solutions and the degrees to which they are expected to provide security. I ask for these as I am aware the solutions may be purchased alone, while also an AV solution is often provided as part of a Microsoft Enterprise Agreement, for instance.
2c. May you confirm the date these solutions have been running for.
2d. May you confirm the number and type of machines across which these solutions are installed.
2e. May you inform me of whether there is an employee responsible for maintaining these solutions, and whether this employee does so exclusively. If you may also explain to me their title and pay range in pounds sterling.
3a. May you inform me of the number of malware alerts that your AV solutions detected in the past twelve months.
3b. Most solutions will provide alerts when it comes to malware detections; may you inform me of the number of alerts your solutions have provided, by solution. These alerts should be held on a database which provides a high degree of granularity in recording the causes of the alerts.
3c. May you provide me with a copy of this granular information – preferably in spreadsheet format – for the period covering the last twelve months, or shorter if not applicable.
3d. I also wish to receive information about the number of infections that have occurred in the last twelve months, and in what areas, and on what machines these occurred.
3e. I would like to know at what account level these infections occurred.
3f. I would like to know how many instances were there in which these infections were not contained, but spread to another part of the network.
3g. I would like to know what the entry-point of these infections was, in each case.
3h. I would like a list of the number and type of unauthorised accesses within your networks.
3i. I would like to know how many of these were classified as personal data incidents, and how many were reported to the Information Commissioner's Office.
Finally, I would like to ask about your security maintenance policies.
4a. If one exists, may you explain your password policy and its enforcement.
4b. If one exists, may you explain your log-on policy and its enforcement.
4c. If one exists, may you explain your email policy and its enforcement.
4d. If one exists, may you explain your device policy (i.e. nothing from home) and its enforcement.
4e. May you clarify whether you store and/or process bank card data?
4f. May you clarify whether you are PCI compliant?
1(a) The Council’s network is managed by Vodafone.
1(b) The network was procured collaboratively via a partnership with a number of other local authorities. The Council was not the lead authority so does not hold the tender documents.
1(c) See 1(b) above
2(a) The Council uses products from McAfee and Kaspersky at all corporate sites and Sophos products at all of the schools. The current resellers are Caretower and Phoenix Software.
2(b) The corporate solution has been in place for quite some time and the tender documents are not available. The solution for the schools was assigned to the Council when the ICT support service for the schools was brought back in-house; tender documents are therefore not held.
2(c) The corporate solution has been upgraded within the last few months. The schools’ solution has been in place since 2008. Both environments will be subject to review within the next 12 months.
2(d) The solutions are installed on approximately 7100 PCs, laptops and netbooks within the Council.
2(e) There is no employee with sole responsibility for maintaining these solutions. This task is undertaken by a number of employees.
3(b) The Council has recently upgraded the version of the corporate AV system so there is only data going back 28 days for this; during this period there have been 107 alerts. The corporate mail filtering solution has quarantined 2958 emails in the last 12 months. On the schools’ network, there have been 3584 alerts for the past 12 months.
4(a) Complex passwords and password ageing are applied and enforced by Group Policy.
4(b) All network users have a unique login id; this is enforced by ICT.
4(c) Email is restricted to business use only and this is enforced by service managers.
4(d) Only Council provided and managed devices are allowed on the network; this is enforced by ICT.
4(e) Yes, the Council processes bank card data.
4(f) Yes, the Council is PCI compliant.