F15/592

Council cyber security

Request Description

If you please, I would initially like you to establish contextualising information about the corporate network(s) that you use.

1a. May you confirm who deployed these networks and their names (i.e. in the instance of Sunderland City Council's corporate network, it has been reported that the network was deployed by BT).
1b. May you provide me with copies of the tender award documents (these may be 1b.1 - the invitation to tender, and 1b.2 - the final contract, and 1b.3 etcetera, wherein they display an evaluation of the tender process) relating to the deployment of your corporate network.
1c. I would like to be able to contextualise the successful bid by understanding how many bids you received and how they were evaluated. If you may, I would like you to provide this as a table in a spreadsheet format, the rows of which would list those tendering and the columns of which would list the evaluation criteria. If such a document does not exist, please provide me with a facsimile which might only include the financial range of the bids, in a spreadsheet format.

This information is of obvious value in understanding the deployment of your corporate network which is necessary information to complement the following questions regarding your security practices.

2a. I would like to know what anti-virus and anti-malware solutions you use, this information would be the names of the solutions, the locations at which they are installed, and the names of the companies who have provided them.
2b. May you provide me with copies of the tender award documents for these solutions, as per 1b. Here I would like to understand the procurement process for these solutions and the degrees to which they are expected to provide security. I ask for these as I am aware the solutions may be purchased alone, while also an AV solution is often provided as part of a Microsoft Enterprise Agreement, for instance.
2c. May you confirm the date these solutions have been running for.
2d. May you confirm the number and type of machines across which these solutions are installed.
2e. May you inform me of whether there is an employee responsible for maintaining these solutions, and whether this employee does so exclusively. If you may also explain to me their title and pay range in pounds sterling.

I am also interested in the threats that you are facing.

3a. May you inform me of the number of malware alerts that your AV solutions detected in the past twelve months.
3b. Most solutions will provide alerts when it comes to malware detections, may you inform me of the number of alerts your solutions have provided, by solution.
These alerts should be held on a database which provides a high degree of granularity in recording the causes of the alerts.
3b.2 May you provide me with a copy of this granular information - preferably in spreadsheet format - for the period covering the last twelve months, or shorter if not applicable.
number of infections
3c. I also wish to receive information about the number of infections that have occurred in the last twelve months, and in what areas, and on what machines these occurred.
3d. I would like to know at what account level these infections occurred.
3e. I would like to know how many instances were there in which these infections were not contained, but spread to another part of the network.
3f. I would like to know what the entry-point of these infections was, in each case.
3g. I would like a list of the number and type of unauthorised accesses within your networks.
3h. I would like to know how many of these were classified as personal data incidents, and how many were reported to the Information Commissioner's Office.

Finally, I would like to ask about your security maintenance policies.

4a. If one exists, may you explain your password policy and its enforcement.
4b. If one exists, may you explain your log-on policy and its enforcement.
4c. If one exists, may you explain your email policy and its enforcement.
4d. If one exists, may you explain your device policy (i.e. nothing from home) and its enforcement.
4e. May you clarify whether you store and or process bank card data?
4f. May you clarify whether you are PCI compliant?

Request Date: 27 August 2015
Requested by: Business
Released Date: 23 November 2015

Response

1a. East Herts Council's networks were designed and installed and are currently maintained by an internal network specialist and other internal systems engineers.

1b. Not applicable as internally deployed

1c. Not applicable as internally designed, installed and maintained

2a. We do not divulge the vendor of our specific security products for security reasons. Our current supplier of Antivirus solutions is Caretower Ltd.

2b. Installed products are not part of a Microsoft enterprise agreement. They are best of breed anti-virus solutions.  No tender documents can be provided for security reasons. However, normal East Herts Council procurement processes were followed.

2c. The products have been in place for 5 years.

2d. The products are installed over approximately 1300 machines with operating systems that include Windows XP, 7, 2000, 2003, 2008 and 2012

2e. The products are maintained by the internal infrastructure engineering team, not a named individual.

I am also interested in the threats that you are facing.

3a - h. Our current antivirus and web filtering solutions autodetect malware or the download of malware on a regular basis. It is unusual for our virtual desktop infrastructure to be infected with any type of malware due to the AV product and the security standards in place. Moreover, as machines are provisioned desktops, rebooting cleans the image of the desktop back to the clean standard build. Machines at greater risk of malware are pool laptops that are utilised outside the Council network. These are encrypted and protected by our AV suite and are regularly checked and cleaned.

We have had no formal data incidents or malware intrusions that have been reported to the ICO.

4. We have a comprehensive security policy that covers passwords, log-ons, e-mail and device usage. All staff have to adhere to the policy which is reviewed regularly.

East Herts Council only process and hold bank card data in a specific encrypted PCI compliant payments system.

Refused

Refusal