1. Which of the following data sources is the local authority responsible for protecting?
o Personal citizen data – Yes
o Personal staff / civil servant data – Yes
o Research data – Yes
o Intellectual property – Yes
o Other, please specify – Corporate data that is considered to have value to Devon County Council
2. What is the average length of time data is stored by the local authority?
o Less than one year
o More than one year
o More than three years
o More than five years
o More than 10 years
o Other, please specify
Whilst Devon County Council may be able to perform an analysis of the electronic data that is stored on our network drives and potentially within our Office365 tenancy, this would not capture all data that we hold. As we have not performed a full analysis of the “data” that we hold this information is not held.
3. Do you store data in the following locations?
o Private cloud – Yes
o Public cloud – Yes
o On-premise data centre – Yes
o Colocation data centre – if this question relates to back-ups then Yes
o File server – Yes
o Other, please specify – Paper, Computer Hard Drives, Physical Storage Devices.
4. A) Do you have a back-up of your organisation’s data?
o Yes
o No
o Other, please specify
Yes
B) If yes, what third party organisations (vendor and/or supplier) do you use to backup your organisation’s data?
We believe that information relating to any successful cyber-attacks which the Council may or may not have experienced is exempt from disclosure under Section 31(1)(a) of the Freedom of Information Act 2000 – ‘Law Enforcement’. This is because disclosure places the organisation at risk of fraud and crime. The Council’s networks and systems hold information about individuals and, therefore, the possible chain of events resulting from releasing this information could put individuals, and authorities, at risk of criminal activity
5. Does your organisation have a disaster recovery plan in case of IT failure/outage?
o Yes
o No
o Other, please specify
Yes
6. A) Does your organisation have an official/formal policy detailing the disaster recovery process in the event of an IT failure/outage?
o Yes
o No
o Other, please specify
Yes
B) If yes, how often is this updated?
o At least once a month
o Once or more a year
o Less than once a year
o It has never been updated
o Other, please specify
Updated once or more a year
C) Can you share the official policy?
We believe that information relating to any successful cyber-attacks which the Council may or may not have experienced is exempt from disclosure under Section 31(1)(a) of the Freedom of Information Act 2000 – ‘Law Enforcement’. This is because disclosure places the organisation at risk of fraud and crime. The Council’s networks and systems hold information about individuals and, therefore, the possible chain of events resulting from releasing this information could put individuals, and authorities, at risk of criminal activity.
7. A) Does your organisation conduct tests on its data backup and IT disaster recovery system?
o Yes
o No
o Other, please specify
Yes
B) If yes, how often does your organisation test its data backup and IT disaster recovery system?
o At least once a month
o Once or more a year
o Less than once a year
o It has never been updated
o Other, please specify
Elements are tested once or more a year,
8. A) Does your organisation use Microsoft Office 365?
o Yes
o No
o Other, please specify
Yes
B) If so, how many users do you currently have?
o 0-99
o 100-249
o 250-499
o Over 500
o Other, please specify
Over 500
9. A) How many unplanned IT outages has your organisation experienced in the last 12 months? (from the date of receiving this request)
Records logged on our new IT Service Management (ITSM) system (from Feb 20) indicate 1 priority incident affecting IT system provision
B) If more than zero, on average, how long did each of these unplanned IT outages last?
Duration 1.5 days
10. A) How many cyber-attacks against your organisation have you recorded in the last 12 months? (from the date of receiving the FOI request)
B) If more than zero, of these incidents, how many had an impact on the organisation’s operations?
11. When was the last time your organisation updated the following processes?
o The way data is backed up
* Insert date:
o The way data backup and IT disaster recovery systems are tested
* Insert date:
o Your organisations use of cloud computing technology
* Insert date:
Our response to questions 10 A); B) and 11 is that we believe that information relating to any successful cyber-attacks which the Council may or may not have experienced is exempt from disclosure under Section 31(1)(a) of the Freedom of Information Act 2000 – ‘Law Enforcement’. This is because disclosure places the organisation at risk of fraud and crime. The Council’s networks and systems hold information about individuals and, therefore, the possible chain of events resulting from releasing this information could put individuals, and authorities, at risk of criminal activity.