ICT policies and processes

Can you also supply me a copy of the following policies:

1) IT Disaster Recovery Plan (e.g. DR plan, backup)

Devon County Council can confirm that we hold the information you have requested. However, we consider this information is exempt from disclosure on the grounds that Section 31(1)(a) of the Freedom of Information Act 2000 applies:

The council considers that disclosure of the information you have requested would be likely to reveal information that could be used by a cyber threat actor to improve the chances of them targeting a successful cyber-attack against Devon County Council.

Whilst we recognise that there is a public interest in openness and transparency around the management of the Council’s IT infrastructure, we consider that there is a stronger public interest in the council being able to maintain the confidentiality, integrity, and availability of its IT infrastructure. For this reason, we consider that the balance of public interest is best served by withholding this information from disclosure at this time.

2) IT Incident Response Plan (e.g. Cyber Attack, DDOS, Ransomware)

Devon County Council can confirm that we hold the information you have requested. However, we consider this information is exempt from disclosure on the grounds that Section 31(1)(a) of the Freedom of Information Act 2000 applies:

The council considers that disclosure of the information you have requested would be likely to reveal information that could be used by a cyber threat actor to improve the chances of them targeting a successful cyber-attack against Devon County Council.

Whilst we recognise that there is a public interest in openness and transparency around the management of the Council’s IT infrastructure, we consider that there is a stronger public interest in the council being able to maintain the confidentiality, integrity, and availability of its IT infrastructure. For this reason, we consider that the balance of public interest is best served by withholding this information from disclosure at this time.

3) Clean desk policy

The requirement for staff to maintain a clear desk is outlined within the Devon County Council Personal Information Security Policy. Please see the relevant policy content below.

“All personal and sensitive business information held in any form such as on paper, mobile devices, or encrypted memory sticks must be locked away when unattended and not left on desks. This is to ensure that accidental or inappropriate viewing does not take place by those who are not authorised to have access to the information.”

4) Access control policy (Access to business applications or network resources)

Devon County Council can confirm that we hold the information you have requested. However, we consider this information is exempt from disclosure on the grounds that Section 31(1)(a) of the Freedom of Information Act 2000 applies:

The council considers that disclosure of the information you have requested would be likely to reveal information that could be used by a cyber threat actor to improve the chances of them targeting a successful cyber-attack against Devon County Council.

Whilst we recognise that there is a public interest in openness and transparency around the management of the Council’s IT infrastructure, we consider that there is a stronger public interest in the council being able to maintain the confidentiality, integrity, and availability of its IT infrastructure. For this reason, we consider that the balance of public interest is best served by withholding this information from disclosure at this time.

5) Current measures in place to protect confidential information

Devon County Council deploys a range of measures to protect confidential information which includes but is not limited to the following:

• Cyber Security Policy
• Data Protection Policy
• Mandatory Cyber Security Training
• Mandatory Data Protection Training
• Mandatory Information Security Guidance
• Personal Information Security Policy
• Technical security controls to protect the Council’s infrastructure

6) How you monitor staff access to business applications in your Council and ensure staff have a right of access

Devon County Council deploys the following controls:

• Auditing of line of business applications to review staff access to applications
• Deployment of role-based access controls and least privileged access to restrict access to data within certain applications
• Integration of applications to the Council’s identity management solution
• Approval processes for access to applications

7) How you implement and carry out checks to ensure staff are adhering to your clean desk policy

Devon County Council does not conduct auditing of compliance against our clear desk requirements. However, the Council does monitor information security incidents to ascertain if there are common causes. Where a common cause is identified, the Data Protection Officer targets communications to staff via the staff newsletter to remind staff of best practice.

8) Please forward any communications to staff regarding your Clean Desk policy

Please see the attached communication that was issued to all staff regarding the Personal Information Security Policy.