1. The total amount spent by the Council on data security and cyber security training in the 12 months to the 1st of November 2019; and the breakdown of these costs in terms of the training undertaken.
We do not hold information about the costs of creating/preparing/delivering training or associated travel costs as the information is not recorded.
2. The total amount spent by the Council on private cyber security contractors and/or consultants/consultancies in the last 12 months.
We believe that information relating to the amount spent on private cyber security contractors and/or consultants/consultancies which the Council may or may not hold is exempt from disclosure under Section 31(3) of the Freedom of Information Act 2000 – ‘Law Enforcement’. This is because disclosure places the organisation at risk of fraud and crime. Our systems hold information about individuals and, therefore, the possible chain of events resulting from releasing this information could put individuals, and authorities, at risk of criminal activity.
3. The total number of qualified cyber security and data security professionals employed by the Council.
We hold this information but consider that disclosure may place the Council at increased risk of targeted cyber-crime and, as such, is exempt from disclosure under Section 31(1) of the Freedom of Information Act. Confirming or denying whether information is held on cyber-attacks and what remedial measures may or may not have been taken could aid malicious parties by encouraging further attacks. Attacks on IT systems are criminal offences, so to provide information or confirmation of information being held might prejudice the prevention of crime by facilitating the possibility of an offence being carried out.
Section 31 is a qualified exemption, which means we are obliged to carry out a public interest test. There is a very strong public interest in the effectiveness of law enforcement and the prevention of crime and, although we recognise the need for openness and transparency because this increases public trust and engagement, this has to be weighed against a very strong public interest in safeguarding the security of Council-specific systems. Indeed, it can be held as not in the interests of an individual council to provide information about the number of attacks that may or may not have been made against its IT systems, as this could enable individuals to deduce how successful the council is in detecting these attacks, and incurring this risk can be deemed not in the public interest. Section 31 of the Freedom of Information Act 2000 states that there is a very strong public interest in protecting the law enforcement capabilities of public authorities, so on balance we consider the application of the exemption to be justified.