Publication - FOI/EIR release

Security and encryption of the Scottish Public Pensions Agency's website: FOI release

Published: 10 Dec 2018

Information request and response under the Freedom of Information (Scotland) Act 2002.

Published:
10 Dec 2018
Security and encryption of the Scottish Public Pensions Agency's website: FOI release
FOI reference: FOI/18/03362  
Date received: 14 November 2018
Date responded: 10 December 2018
 
Information requested

 

Information on the security and encryption of the Scottish Public Pensions Agency’s website.

 

  1. All communications with the NCSC or any other organisation, contractor or supplier regarding the security and encryption of your public facing websites including any infrastructure (servers, databases etc) and the use of HTTPS / SSL or any other encryption protocols on said systems.
  2. Any website (and associated system or infrastructure) audits that have been completed (or might be work in progress) and the conclusions and recommendations of such audits especially regarding the security of sites.
  3. Any action plans that have been created or put in place to address any known weaknesses in website security or encryption policies.
  4. Your website security and encryption policy.
 
Response

 

1. All communications with the NCSC or any other organisation, contractor or supplier regarding the security and encryption of your public facing websites including any infrastructure (servers, databases etc) and the use of HTTPS / SSL or any other encryption protocols on said systems. 

There has not been any direct communication with NCSC, however the table below contains data from NCSC for the web check tool that is used to monitor the status of SSL’s on the URL.

 

URL

Name

Title

Short Description

Category

Severity

First Detected

Last Detected

https://employerservices.sppa.gov.uk

X509.certificates.good

Certificates are well-configured

Your website's certificates are well-configured

Data in transit

Positive

13/02/2018

29/11/2018

https://employercontributions.sppa.gov.uk

X509.certificates.good

Certificates are well-configured

Your website's certificates are well-configured

Data in transit

Positive

13/02/2018

28/11/2018

https://mypension.sppa.gov.uk

X509.certificates.good

Certificates are well-configured

Your website's certificates are well-configured

Data in transit

Positive

13/02/2018

28/11/2018

 

2. Any website (and associated system or infrastructure) audits that have been completed (or might be work in progress) and the conclusions and recommendations of such audits especially regarding the security of sites. 

Audits for the SPPA website:

 

Site URL

Date of site audit carried out

https://employerservices.sppa.gov.uk

April 2016

https://employercontributions.sppa.gov.uk

August 2013

mypension.sppa.gov.uk

February 2012

 

An exemption under section 30(c) of FOISA (prejudice to effective conduct of public affairs) applies to most of the information requested (apart from the table above).  Disclosing this information would substantially prejudice our ability to conduct safe management of the SPPA Website because the audit reports contain sensitive technical information which could be used to compromise the security of the SPPA website.

This would constitute substantial prejudice to the effective conduct of public affairs in terms of the exemption.

This exemption is subject to the ‘public interest test’.  Therefore, taking account of all the circumstances of this case, we have considered whether the public interest in disclosing the information outweighs the public interest in applying the exemption.  We have found that, on balance, the public interest lies in favour of upholding the exemption.  We recognise that there is a public interest in disclosing information as part of open, transparent and accountable government. However, there is a greater public interest in protecting the process of SPPA Website security and ensuring that the SPPA is able conduct this aspect of its business effectively. 

 

3. Any action plans that have been created or put in place to address any known weaknesses in website security or encryption policies. 

An exemption under section 30(c) of FOISA (prejudice to effective conduct of public affairs) applies to all the information requested.  Disclosing this information would substantially prejudice our ability to conduct safe management of the SPPA Website because the action plans contain potential vulnerabilities which could be used to compromise the security of the SPPA website.

This would constitute substantial prejudice to the effective conduct of public affairs in terms of the exemption.

This exemption is subject to the ‘public interest test’. Therefore, taking account of all the circumstances of this case, we have considered if the public interest in disclosing the information outweighs the public interest in applying the exemption. We have found that, on balance, the public interest lies in favour of upholding the exemption. We recognise that there is a public interest in disclosing information as part of open, transparent and accountable government. However, there is a greater public interest in protecting the process of SPPA Website security and ensuring that the SPPA is able conduct this aspect of its business effectively. 

 

4. Your website security and encryption policy. 

SPPA adheres to the NCSC  policy regarding security and encryption. Please see link below:

https://www.ncsc.gov.uk/guidance/implementing-cloud-security-principles

 

About FOI
 
The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses
 

Contact

Please quote the FOI reference
Central Enquiry Unit 
Email: ceu@gov.scot
Phone: 0300 244 4000 

The Scottish Government 
St Andrew's House 
Regent Road 
Edinburgh 
EH1 3DG