Information and cyber security risk assessments

1. Does your organisation have a formal policy regarding the production of information and/or cyber security risk assessments?

Information and cyber security risk assessments are undertaken in accordance with the council’s Data Protection Policy and Data Protection Impact Assessment Procedure.

a. If yes, please can you provide a copy of the above policy?

Data Protection Policy
Data Protection Impact Assessment Procedure

2. Does your organisation hold a register of Information and/or cyber security risk (outside that of the corporate risk register), and if yes:

Yes

a. Please can you list the top ten Information and/or Cyber Security Risks?

We confirm that information is held which meets the scope of this request. However, it is considered that the disclosure of this information may have the potential to place the council at increased risk of targeted cyber-crime and as such, is exempt from disclosure under Section 31 (1) of the Freedom of Information Act.

b. How many risks are there in total on the register?

29

c. Please state how many risks would be categorised as the highest risk level (i.e. Critical)?

18

d. Please state how many risks would be categorised as the second highest risk level (i.e. Critical)?

9

e. Please state how many risks would be categorised as the third highest risk level (i.e. Critical)?

2

f. How many risk levels do you have in total (i.e. 5)?

Three

3. Do any of the identified information and/or cyber security risks also exist on the corporate risk register?

Yes

a. If yes, what are those risks?

We confirm that information is held which meets the scope of this request. However, it is considered that the disclosure of this information may have the potential to place the council at increased risk of targeted cyber-crime and as such, is exempt from disclosure under Section 31 (1) of the Freedom of Information Act.

4. When undertaking an information / cyber security risk assessment, does the authority follow a structured risk assessment process?

Yes

a. If so, what is that process?

The process is outlined within the Data Protection Impact Assessment procedure.

5. Does your organisation follow ISO31000 when undertaking an information / cyber security risk assessment?

No

6. Does your organisation hold ISO27000 accreditation?

The council’s ICT delivery arm, Scomis is accredited to the ISO27001 standard.

7. Does your organisation have a policy of adhering to any information security standard or framework (i.e. ISO27000, NIST etc)?

No

a. If yes, please provide a copy of the above policy?

Please see the response to the previous question.

8. Does the authority have the following roles within the organisation:
a. Chief Security Officer (CSO),

No

i. If yes, which role does the CSO report into?

Please see the response to the previous question.

b. Chief Information Security Officer (CISO)

No

i. If yes, which role does the CISO report into?

Please see the response to the previous question.

c. Head of Information Security (Hd InfoSec)

No

i. If yes, which role does the Hd InfoSec report into?

Please see the response to the previous question.

9. Who within your organisation is accountable for undertaking information / cyber security risk assessments (i.e. Chief Information Security Officer, Head of Information Security, Head of Information Technology)?

The Head of Digital Transformation & Business Support.

10. Who within the authority is responsible for undertaking information / cyber security risk assessments (i.e. Chief Information Security Officer, Head of Information Security, Head of Information Technology)?

Information and cyber security risk assessments are undertaken by relevant services, with the support of the Data Protection and Cyber Security Team.

11. How many people within the organisation are responsible for undertaking information / cyber security risk assessments?

Information and cyber security risk assessments are undertaken by relevant services, with the support of the Data Protection and Cyber Security Team.

12. Does the person(s) responsible for undertaking information / cyber security risk assessment:

a. Have any formal training in this regard?

There is no single post responsible for undertaking information and cyber security risk assessments, therefore we do not hold this information.

i. If so, what was it?

Please see the response to the previous question.

b. Have any industry qualifications/certification in this regard?

There is no single post responsible for undertaking information and cyber security risk assessments, therefore we do not hold this information.

i. If so, what are they?

Please see the response to the previous question.

13. How many people (permanent and contractors) currently work for the authority?

This information is published on the council’s website and is available from the hyperlink below.

HR Dashboard

14. How many people (permanent and contractors) currently work for the authority in information technology roles?

Devon County Council does not categorise a role as a technology role and therefore this information is not held. In the interest of providing you with advice and assistance, if you were able to refine your request, we would be able to provide you with details of the number of people that work in the council’s ICT Commissioning and or ICT delivery team (Scomis).

15. How many people (permanent and contractors) currently work for the authority in information / cyber security roles?

We confirm that information is held which meets the scope of this request. However, it is considered that the disclosure of this information may have the potential to place the council at increased risk of targeted cyber-crime and as such, is exempt from disclosure under Section 31 (1) of the Freedom of Information Act.

Freedom of Information Act – Section 31(1)

The application of this exemption requires a prejudice test. As attacks on IT systems are criminal offences, disclosure might prejudice the prevention of crime by facilitating the possibility of an offence being carried out and by encouraging malicious actors. Section 31 is a qualified exemption, which means we are obliged to carry out a public interest test.

There is a very strong public interest in the effectiveness of law enforcement and the prevention of crime. Although we recognise the need for openness and transparency, because this increases public trust and engagement, this has to be weighed against a very strong public interest in safeguarding the security of Council IT networks and systems. It is not in the interests of a public authority to provide information in relation to controls used to mitigate cyber-crime, as this may assist in the deduction of how successful the organisation is in defending against and detecting these attacks, and incurring this risk can be deemed not in the public interest.

Section 31 of the Freedom of Information Act 2000 reflects a very strong public interest in protecting the law enforcement capabilities of public authorities, so on balance we consider the application of the exemption to be justified.