FOI release

Security of the SIA's Information Technology

Published 14 January 2022

1. Request

  1. Yes
  2. No

1.2 Does this strategy specifically address the monitoring of network attached device configurations to identify any malicious or non-malicious change to the device configuration?

  1. Yes
  2. No
  3. Don’t know

1.3 If yes to Question 2, how do you manage this identification process - is it:

  1. Totally automated - all configuration changes are identified and flagged without manual intervention.
  2. Semi-automated - it’s a mixture of manual processes and tools that help track and identify configuration changes.
  3. Mainly manual - most elements of the identification of configuration changes are manual.

1.4 Have you ever encountered a situation where user services have been disrupted due to an accidental/non-malicious change that had been made to a device configuration?

  1. Yes
  2. No
  3. Don’t know

1.5 If a piece of malware was maliciously uploaded to a device on your network, how quickly do you think it would be identified and isolated?

  1. Immediately
  2. Within days
  3. Within weeks
  4. Not sure

1.6 How many devices do you have attached to your network that require monitoring?

  1. Physical Servers: record number
  2. PCs & Notebooks: record number

1.7 Have you ever discovered devices attached to the network that you weren’t previously aware of?

  1. Yes
  2. No

If yes, how do you manage this identification process - is it:

  1. Totally automated - all device configuration changes are identified and flagged without manual intervention.
  2. Semi-automated - it’s a mixture of manual processes and tools that help track and identify unplanned device configuration changes.
  3. Mainly manual - most elements of the identification of unexpected device configuration changes are manual.

1.8 How many physical devices (IPs) do you have attached to your network that require monitoring for configuration vulnerabilities?

Record Number:

1.9 Have you suffered any external security attacks that have used malware on a network attached device to help breach your security measures?

  1. Never
  2. Not in the last 1-12 months
  3. Not in the last 12-36 months

1.10 Have you ever experienced service disruption to users due to an accidental, non-malicious change being made to device configurations?

  1. Never
  2. Not in the last 1-12 months
  3. Not in the last 12-36 months

1.11 When a scheduled audit takes place for the likes of PSN or Cyber Essentials, how likely are you to get significant numbers of audit fails relating to the status of the IT infrastructure?

  1. Never
  2. Occasionally
  3. Frequently
  4. Always

2. Response

I can confirm that the SIA holds the information you have requested in respect of questions 1 and 2. The response is Yes to both questions.

In respect of questions 3 - 11, the information is exempt from disclosure under Section 31(3) of the Freedom of Information Act 2000. Section 31 of the FOIA relates to Law Enforcement, and Section 31(3) removes the public authority’s duty to confirm or deny whether information is held if to do so would or would be likely to prejudice law enforcement.

It is the SIA’s view that the confirmation or denial of the possession of information relating to the SIA’s cyber resilience would be likely to compromise the SIA’s information security strategies by giving cyber criminals insight into vulnerabilities which may, or may not, exist.

Although the bona fides of the request may be genuine, FOI responses are public information and are made to the world. Section 31(3) is a qualified exemption, and as such we have gone on to perform a public interest test in order to assess the public interest arguments for and against declaring whether or not the requested information is held.

In applying this exemption, we have had to balance the public interest in withholding the information against the interest in favour of disclosure.

Factors in favour of disclosure:

  • confirmation of possession would demonstrate a commitment to transparency with regard to the SIA’s undertakings, and could provide assurance that the SIA have robust IT infrastructure in place.

Factors in favour of withholding:

  • maintaining the integrity and security of the SIA’s systems

  • preventing cyber-attacks and similar against the SIA’s systems

  • revealing whether or not the information requested is held or applicable to the SIA would be likely to offer cyber criminals insight into not only the strengths of the SIA’s cyber security, but also any potential weaknesses that may exist. This could ultimately result in a future cyber-attack. One of the reasons that cyber security measures are in place is to protect the integrity of personal and sensitive personal information

  • it is clear to see how the occurrence of a future cyber-attack would prejudice the SIA’s legal duty to safeguard personal information from loss, theft, inappropriate access or destruction, which is why Section 31 has been employed in this case

  • a cyber-attack could have catastrophic consequences for SIA services for licence holders and applicants exacerbated by the dependence on these services at a time of a national emergency from Covid-19

On balance the public interest in maintaining the exemption outweighs that in confirming or denying whether information is held and therefore the SIA neither confirms nor denies whether this information is held. In all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information.

[Reference: FOI 0306]