Disclosure Scotland IT system's annual technical penetration test: FOI release

The Disclosure IT system is subject to an annual technical penetration test.

1.     Has that test been completed in each of the last three years?
2.     What were the initial results of those tests?
3.     Have all vulnerabilities been addressed?
4.     Information should include any relevant documents.

I enclose a copy of some of the information you requested.

The answer to your question is:

1. Has that test been completed in each of the last three years?

Yes, annual IT Health checks (ITHC) and penetration test (PEN Test) were conducted on the PVG system on the following dates:

• 04/02/2016
• 26/05/2016
• 08/08/2016
• 27/03/2017
• 03/04/2017
• 29/03/2018
• 29/03/2018 

2. What were the initial results of those tests?

While our aim is to provide information whenever possible, in this instance we are unable to provide some of the information you have requested because an exemption under 30(c) of FOISA (prejudice to effective conduct of public affairs) applies to that information. The reasons why that exemption applies are explained below.

3. Have all vulnerabilities been addressed?

I can confirm that Risk Mitigation plans were put in place to address and mitigate any vulnerabilities identified. While our aim is to provide information whenever possible, in this instance we are unable to provide some of the information you have requested because an exemption under 30(c) of FOISA (prejudice to effective conduct of public affairs) applies to that information. The reasons why that exemption applies are explained below.

4. Information should include any relevant documents.

The following documents have been included: Security Assessment Reports.

While our aim is to provide information whenever possible, in this instance we are unable to provide some of the information you have requested because an exemption under 30(c) of FOISA (prejudice to effective conduct of public affairs) applies to that information. The reasons why that exemption applies are explained below.

Reasons for not providing information

An exemption applies.

An exemption(s) under section(s) Section 30(c) of FOISA applies to some of the information you have requested.

The public release of the initial test results as requested , would not only describe in details system vulnerabilities but also how to exploit it. The release of this information would provide significant exposure of the architecture/design and wider connectivity to other Government networks including sensitive Police Systems and Data. 

This exemption is subject to the ‘public interest test’. Therefore, taking account of all the circumstances of this case, we have considered if the public interest in disclosing the Information outweighs the public interest in applying the exemption. We have found that, on balance, the public interest lies in favour of upholding the exemption. We recognise that there is a public interest in disclosing information as part of open, transparent and accountable government. However, there is a greater public interest in protecting Disclosure Scotland systems and ensuring that Disclosure Scotland is able conduct its business effectively.