Publication - FOI/EIR release

Disclosure Scotland IT system's annual technical penetration test: FOI release

Published: 16 Oct 2018
Part of:
Public sector

Information request and response under the Freedom of Information (Scotland) Act 2002.

FOI reference: FOI/18/02703
Date received: 26 September 2018  
Date responded: 15 October 2018
 
Information requested
 

The Disclosure IT system is subject to an annual technical penetration test.

  1. Has that test been completed in each of the last three years?
  2. What were the initial results of those tests?
  3. Have all vulnerabilities been addressed?
  4. Information should include any relevant documents.

Response

I enclose a copy of some of the information you requested.

The answer to your question is:

1. Has that test been completed in each of the last three years?

Yes, annual IT Health Checks (ITHC) and penetration tests (PEN Test) were conducted on the PVG system on the following dates:

  • 04/02/2016
  • 26/05/2016
  • 08/08/2016
  • 27/03/2017
  • 03/04/2017
  • 29/03/2018
  • 29/03/2018 

2. What were the initial results of those tests?

While our aim is to provide information whenever possible, in this instance we are unable to provide some of the information you have requested because an exemption under 30(c) of FOISA (prejudice to effective conduct of public affairs) applies to that information. The reasons why that exemption applies are explained below.

3. Have all vulnerabilities been addressed?

I can confirm that Risk Mitigation plans were put in place to address and mitigate any vulnerabilities identified. While our aim is to provide information whenever possible, in this instance we are unable to provide some of the information you have requested because an exemption under 30(c) of FOISA (prejudice to effective conduct of public affairs) applies to that information. The reasons why that exemption applies are explained below.

4. Information should include any relevant documents.

The following documents have been included: Security Assessment Reports.

 

| Title | Date published | Status |
|---|---|---|
| Security Assessment Report (CTE Newcastle DR site) | 04/02/2016 | Redacted & pages 14 to 45 removed under section 30(c) |
| Security Assessment Report (Glasgow PQ Primary Site) | 26/05/2016 | Redacted & pages 17 to 194 removed under section 30(c) |
| Security Assessment Report (CTE Newcastle DR site) | 08/08/2016 | Redacted & pages 13 to 21 removed under section 30(c) |
| Security Assessment Report (Glasgow PQ Primary Site) | 27/03/2017 | Redacted & pages 15 to 97 removed under section 30(c) |
| Security Assessment Report (CTE Newcastle DR site) | 03/04/2017 | Redacted & pages 15 to 127 removed under section 30(c) |
| Security Assessment Report (Glasgow PQ Primary Site) | 29/03/2018 | Redacted & pages 16 to 102 removed under section 30(c) |
| Security Assessment Report (CTE Newcastle DR site) | 29/03/2018 | Redacted & pages 15 to 91 removed under section 30(c) |

While our aim is to provide information whenever possible, in this instance we are unable to provide some of the information you have requested because an exemption under 30(c) of FOISA (prejudice to effective conduct of public affairs) applies to that information. The reasons why that exemption applies are explained below.

Reasons for not providing information

An exemption applies.

An exemption under section 30(c) of FOISA applies to some of the information you have requested.

The public release of the initial test results, as requested, would not only describe in detail system vulnerabilities but also how to exploit them. The release of this information would provide significant exposure of the architecture/design and wider connectivity to other Government networks including sensitive Police Systems and Data.

This exemption is subject to the ‘public interest test’. Therefore, taking account of all the circumstances of this case, we have considered if the public interest in disclosing the information outweighs the public interest in applying the exemption. We have found that, on balance, the public interest lies in favour of upholding the exemption. We recognise that there is a public interest in disclosing information as part of open, transparent and accountable government. However, there is a greater public interest in protecting Disclosure Scotland systems and ensuring that Disclosure Scotland is able to conduct its business effectively.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses
 

Contact


Please quote the FOI reference
Central Enquiry Unit 
Email: ceu@gov.scot
Phone: 0300 244 4000

 
The Scottish Government 
St Andrew's House 
Regent Road 
Edinburgh 
EH1 3DG