Disclosure Scotland Corporate Risk Review Information/IT Risk: FOI release
- Published: 26 November 2018
- Topic: Public sector
Information request and response under the Freedom of Information (Scotland) Act 2002.
Date received: 29 October 2018
Date responded: 26 November 2018
2. Please detail what this risk involved, the nature of the risk, the consequences of the risk, severity, actions taken to nullify the risk, and any other relevant information.
3. Please also detail what the increase to Amber, mentioned in that FOI response, means in practice – what services does this potentially compromise, what are the potential consequences.
4. When the FOI response 18/02733 says ‘the new BT contract will no longer have SLA’s’, please detail what exactly this means, including the SLAs that were in the previous BT contract that no longer exist in the new contract.
I enclose a copy of all of the information you requested.
1. In regards to the ‘Information/IT Risk 3’ mentioned in Document 3 within the response to FOI 18/02733, please provide any documents and information regarding this risk.
Please see attached documents and information regarding Information/IT Risk 3.
Document 1 - Extracts from the Corporate Risk Register Minutes showing only Information/IT Risk 3
An exemption applies
In the Corporate Risk Review Group Minutes extracts, some information has been redacted by the exemption at section 38(1)(b) of FoISA, the personal data of a third party, as disclosing the personal data would contravene the data protection principles in Article 5(1) of the General Data Protection Regulations. This exemption is not subject to a public interest test.
Document 2 - Extract of Risk register showing only Information/IT Risk 3
Please Note: When this risk was added to the Corporate Risk Register it became Information/IT Risk 3.
In the Risk Register extracts, some information has been redacted by the exemption at section 38(1)(b) of FoISA, the personal data of a third party, as disclosing the personal data would contravene the data protection principles in Article 5(1) of the General Data Protection Regulations. This exemption is not subject to a public interest test.
Document 3 - Extracts from ARC Highlight Report showing only Information/IT Risk 3
Document 4 - Extracts from Board Highlight Report showing only Information/IT Risk 3
An exemption applies
In the Board highlight report extracts, some information has been redacted by the exemption at section 38(1)(b) of FoISA, the personal data of a third party, as disclosing the personal data would contravene the data protection principles in Article 5(1) of the General Data Protection Regulations. This exemption is not subject to a public interest test.
Document 5 - BT remedial action plan
2. Please detail what this risk involved, the nature of the risk, the consequences of the risk, severity, actions taken to nullify the risk, and any other relevant information.
This risk is a consequence of the existing PVG system supported by BT reaching its end of life expectancy. As with any ageing IT system, maintenance and support become more demanding – Disclosure Scotland took account of this and applied a risk-based assessment.
The consequence of the risk is that the system is not performant and has slow performance or full outages that would potentially impact on our customer-facing SLAs. It should be noted that to date there have been no issues that have significantly impacted our customer SLAs.
Actions taken: a risk treatment plan was put in place to mitigate this risk. This was a list of housekeeping activities undertaken by BT to support the system – these are detailed in the attached document.
3. Please also detail what the increase to Amber, mentioned in that FOI response, means in practice – what services does this potentially compromise, what are the potential consequences.
On the 6th of September, following the decision to retain BT services, it was agreed that the likelihood of the risk should be increased to ‘likely’; the overall scoring matrix resulted in the risk status increasing from yellow to amber. The impact remained unchanged at ‘major’.
4. When the FOI response 18/02733 says ‘the new BT contract will no longer have SLA’s’, please detail what exactly this means, including the SLAs that were in the previous BT contract that no longer exist in the new contract.
Apologies, due to a misunderstanding, this discussion was recorded incorrectly in the minutes which were included in document 3 of FOI/18/02733. This has since been amended and re-issued. The SLAs remain the same in the new contract, no changes were made.
The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses
Contact
Please quote the FOI reference
Central Enquiry Unit
Email: ceu@gov.scot
Phone: 0300 244 4000
The Scottish Government
St Andrew's House
Regent Road
Edinburgh
EH1 3DG