Firewall, Anti-virus and Microsoft Enterprise - Freedom of information requests
Title or Description
Firewall, Anti-virus and Microsoft Enterprise
FOI Number
15505
Date Received
12/08/2021
Type of Request
FOI
Request or Question
I am currently embarking on a research project around Cyber Security and was hoping you could provide me with some contract information relating to the following information:
1. Standard Firewall (Network) - Firewall service protects your corporate Network from unauthorised access and other Internet security threats
2. Anti-virus Software Application - Anti-virus software is a program or set of programs that are designed to prevent, search for, detect, and remove software viruses, and other malicious software like worms, trojans, adware, and more.
3. Microsoft Enterprise Agreement - is a volume licensing package offered by Microsoft.
The information I require is around the procurement side and we do not require any specifics (serial numbers, models, location) that could bring threat/harm to the organisation.
For each of the different types of cyber security services can you please provide me with:
You may have received the same request in the past and this information sent has now expired and I require an update as soon as possible for the following information:
1. Who is the existing supplier for this contract?
2. What does the organisation annually spend for each of the contracts?
3. What is the description of the services provided for each contract?
4. Primary Brand (ONLY APPLIES TO CONTRACT 1 and 2)
5. What is the expiry date of each contract?
6. What is the start date of each contract?
7. What is the contract duration of the contract?
8. The responsible contract officer for each of the contracts above? Full name, job title, contact number and direct email address.
9. Number of Licenses (ONLY APPLIES TO CONTRACT 3)
Response
1. Exempt under s.35(1)(a) (see full explanatory notes below), prevention or detection of crime – rationale is that by identifying a supplier, it is possible to identify their hardware/software, which can subsequently be used during hacking reconnaissance activities to identify vulnerabilities that can be exploited.
2. Exempt under s.33(1)(b) (see full explanatory notes) – rationale is that the information is likely exempt under section 33(1)(b) as its disclosure would, or would be likely to, prejudice substantially the commercial interests of any person. “Person” includes a public authority, company and partnership.
3. For all 3 contract types – the services are for 24x7x365 hardware and software maintenance
4. Exempt under s.35(1)(a) (see full explanatory notes below), prevention or detection of crime – rationale is that by identifying the primary brand of hardware/software it can be used to identify vulnerabilities that can be exploited.
5. Exempt under s.35(1)(a) (see full explanatory notes below), prevention or detection of crime – rationale is that by identifying the expiry date of the contract it is possible to identify hardware/software that is no longer supported under contract and increases the opportunity to identify vulnerabilities that can be exploited.
6. Contracted under Provision of Services from October 2016
7. Contracted under Provision of Services for the Duration of contract until 2029
8. Exempt under s.38(1)(b) (see full explanatory notes below), personal information about a ‘third party’.
9. Microsoft Agreement is 3050
Explanatory Notes
Some of the information that was requested is covered by the exemptions at s.35(1)(a), s.33(1)(b) and s.38(1)(b) of FOISA.
Information regarding suppliers of security products, which can ultimately be used to identify their associated equipment and/or software models and specific start/end dates are exempt under section 35 (1)(a) of FOISA. This exempts information if its disclosure is likely to prejudice the prevention or detection of crime. Release of this information would make Scottish Borders Council more vulnerable to crime; namely, a malicious attack on Scottish Borders Council computer systems.
We are unable to disclose information under section 33(1)(b) as its disclosure would, or would be likely to, prejudice substantially the commercial interests of any person. “Person” includes a public authority, company and partnership. As a third party organisation our commercial interests relate to the commercial trading activity we undertake and the services we provide for the purpose of revenue generation. Disclosure of the contract spend, for us and of that relating to our sub-contractors, would prejudice our organisation substantially and our commercial interests within the competitive environment we operate.
We are unable to provide the full contact details of the person responsible for the maintenance support contracts because release of this information would identify a third party individual who is not an employee of Scottish Borders Council; as such, this information is exempt from release under section 38(1)(b) (Personal Data) of FOISA.
For further information about why these exemptions have been applied, please see the explanatory Annex below.
EXPLANATORY ANNEX – Exemptions applied:
Section 35: Law Enforcement
Section 35 (1) (a) exempts information if its disclosure is likely to prejudice the prevention or detection of crime.
Section 35 is a qualified exemption and we are required to conduct a public interest test when applying any qualified exemption. This means that after it has been decided that the exemption is engaged, the public interest in releasing the information must be considered. If the public interest in disclosing the information outweighs the public interest in withholding it then the exemption does not apply and the information must be released. In FOISA there is a presumption that information should be released unless there are compelling reasons to withhold it.
The public interest test has now concluded and the balance of the public interest has found in favour of withholding information covered by the section 35(1)(a) exemption. Considerations in favour of releasing the information included consideration of public interest in transparency and accountability and disclosure of information about Scottish Borders Council procedures and commercial outsourcing contracts.
However, release of this information would make Scottish Borders Council more vulnerable to crime; namely, a malicious attack on Scottish Borders Council computer systems. As such release of this information would be seen to prejudice the prevention or detection of crime, by making Scottish Borders Council computer systems more vulnerable to hacking, therefore facilitating the possibility of a criminal offence being carried out. There is an overwhelming public interest in keeping Scottish Borders Council computer systems secure which would be served by non-disclosure. This would outweigh any benefits of information release. It has therefore been decided that the balance of the public interest lies clearly in favour of withholding the information on this occasion. Please note that this decision does not imply that you intend to engage in any criminal or malicious activities. However as the Freedom of Information Scotland Act is an open access regime, this exemption has been applied to protect Scottish Borders Council systems.
Information is exempt under section 33(1)(b) as its disclosure would, or would be likely to, prejudice substantially the commercial interests of any person. “Person” includes a public authority, company and partnership. However, we appreciate that “Commercial interests” is not defined in FOISA and they are not the same as financial interests. As an organisation our commercial interests relate to the commercial trading activity we undertake and the services we provide for the purpose of revenue generation. Disclosure of the contract spend, for us and our sub-contractors, would prejudice our organisation substantially and our commercial interests within the competitive environment we operate.
Section 38(1)(b) of FOISA exempts personal information about a ‘third party’ (someone other than the requester), if revealing it would breach the principles of the Data Protection Act (DPA) 2018.
The DPA prevents personal information from release if it would be unfair or at odds with the reason why it was collected, or where the subject had officially served notice that releasing it would cause them damage or distress. As the personal information relates to a third party individual who is not an employee at Scottish Borders Council, they have no expectation that their personal information or information about their position would be made available in the public domain; to do so would be unfair and contravene DPA 2018 principles.
In this case the exemption applies because this information represents the personal information of a third party individual, who is not an employee of Scottish Borders Council. Publishing their name, contact details and position contravenes DPA 2018 principles and the data subject’s rights and is withheld under section 38(1)(b) of FOISA.