IT Disaster Recovery Plan - Freedom of information requests
Title or Description
IT Disaster Recovery Plan
FOI Number
99
Date Received
27/01/2022
Type of Request
FOI
Request or Question
Can you also supply me a copy of the following policies:
* IT Disaster Recovery Plan (e.g. DR plan, backup)
* IT Incident Response Plan (e.g. Cyber Attack, DDOS, Ransomware)
* Clean desk policy
* Access control policy (Access to business applications or network resources)
Please detail:
* Current measures in place to protect confidential information
* How you monitor staff access to business applications in your Council and ensure staff have a right of access
* How you implement and carry out checks to ensure staff are adhering to your clean desk policy
* Please forward any communications to staff regarding your Clean Desk policy
Response
Point 1-5. Scottish Borders Council wishes to apply the exemption under s.35(1)(a). The rationale is that the details that have been requested could be used during hacking reconnaissance activities to identify vulnerabilities that can be exploited. Information regarding suppliers/manufacturers of security products, which can ultimately be used to identify their associated equipment and/or software models, is exempt under section 35(1)(a) of the Freedom of Information (Scotland) Act. This exempts information if its disclosure is likely to prejudice the prevention or detection of crime. Release of this information could make Scottish Borders Council more vulnerable to crime; namely, a malicious attack on Scottish Borders Council computer systems and networks, therefore facilitating the possibility of a criminal offence being carried out. There is an overwhelming public interest in keeping Scottish Borders Council computer systems secure which would be served by non-disclosure. This would outweigh any benefits of information release. It has therefore been decided that the balance of the public interest lies clearly in favour of withholding the information on this occasion. Please note that this decision does not imply that you intend to engage in any criminal or malicious activities. However, as the Freedom of Information (Scotland) Act is an open access regime, this exemption has been applied to protect Scottish Borders Council networks and systems.
Point 6. Information Asset Owners are responsible for ensuring access permissions are monitored. Staff can monitor access in a number of ways, including carrying out an audit and ensuring that when staff leave or are seconded to another role their permissions are removed appropriately and in a timely manner. We could go on to explain that CGI plays their part in this.
Point 7. The Council's 'guide to booking Covid-safe desk' has a section on what to expect at the desk and the office. This includes the following sentence, which is applicable: 'Please remember to take away with you all your personal items'. The Council does not hold a clear desk policy as such, but staff must ensure that personal data has appropriate technical and organisational measures in place to protect it. This is included in documentation including data protection impact assessment, data protection code of practice, etc.
Point 8. The Council has not issued any communication to staff regarding clean desk policy. Therefore no information is held and as such we give notice under section 17 of the Freedom of Information (Scotland) Act 2002.