Cyber Security - Freedom of information

1. Which standards does your council currently adhere to (ie. ISO 27001, Cyber Essentials etc.)

Devon County Council aligns with the PSN Code of Connection. Additionally, the Council has a range of technical and organisational controls that are consistent with various recognised security standards and best practices applicable to local government authorities.

2. Which team/department/individual is responsible for managing compliance?

The Digital and Technology Service is responsible for carrying out tasks that relate to obtaining certification of the PSN Code of Connection.

3. If compliance is managed by an internal staff member, what role(s) is this

N/A

4. Has cybersecurity been set as a priority for 2023?

Cyber security is recorded as a risk on the corporate risk register and is considered a priority outcome defined by the Council’s Digital and Technology Strategy for 2021-2024: Digital and Technology Strategy 2021-2024

5. What software / systems does your council currently use to manage your compliance, and any related documentation?

6. If software / a system is currently in place, when does the current contract with that supplier expire?

7. If software / a system is currently in place, when did it last go out for procurement?

In response to questions 5, 6 and 7 Devon County Council (DCC) confirms that we hold the information you have requested. However, we consider this is exempt from disclosure under Section 31(1)(a) of the Freedom of Information Act 2000.

This is because the Council considers that this information constitutes valuable intelligence, that could be leveraged by a motivated cyber threat actor to inform a successful attack against our infrastructure. We feel that releasing this information would therefore increase the chances of DCC becoming the victim of a cyber-attack.

We have considered the public interest in releasing this information. While we recognise that there is an overriding public interest in openness and transparency, we feel that there is a stronger public interest in the Council maintaining the security and integrity of its IT systems.

We feel that significant weight should be applied to this public interest consideration given the current elevated cyber threat landscape facing public sector organisations. For these reasons we feel that the balance of public interest weighs in favour of withholding this information from disclosure.

8. What is your current budget for compliance & compliance solutions?

We do not hold this information, as there is no specific budgetary allocation for this purpose. Any associated expenditure would be made from the Digital and Technology Service budget.