Firewall, anti-virus and Microsoft Enterprise questions: FOI review

Information requested

1. Standard Firewall (Network) - Firewall service protects your corporate Network from unauthorised access and other Internet security threats

2. Anti-virus Software Application - Anti-virus software is a program or set of programs that are designed to prevent, search for, detect, and remove software viruses, and other malicious software like worms, trojans, adware, and more.

3. Microsoft Enterprise Agreement - is a volume licensing package offered by Microsoft. 

For each of the different types of cyber security services can you please provide me with:

1. Who is the existing supplier for this contract?

2. What does the organisation annual spend for each of contract?

3. What is the description of the services provided for each contract? Please do not just state firewall.

4. Primary Brand (ONLY APPLIES TO CONTRACT 1&2)

5. What is the expiry date of each contract?

6. What is the start date of each contract?

7. What is the contract duration of contract?

8. The responsible contract officer for each of the contracts above? Full name, job title, contact number and direct email address.

9. Number of Licenses (ONLY APPLIES TO CONTRACT 3)

Response

I have concluded that a different decision should be substituted, please find below additional information being released in relation to your request. I apologise that this information was not provided to you at request stage. Unfortunately there was confusion in another part of the organisation and we were not furnished with the fullest amount of information in order to satisfy your request. By way of background, SPPA is an Agency and we are operationally independent of the Scottish Government. However, our infrastructure falls within the overall responsibilities of the Scottish Ministers in terms of FOISA. To avoid confusion in the future we will direct questions of this nature to the Scottish Government’s IT business unit, iTECS, to answer these timeously. In the meantime below is information provided by way of input from iTECS and they are content to handle any new requests for similar information. They can be contacted by e-mailing our Central Enquiries Unit.

I should say that while our aim is to provide information whenever possible, there are instances below that an exemption under section 30(c) of FOISA (prejudice to effective conduct of public affairs) still applies. There is also instances of section 33(1)(b) applying to a small amount of information. In conjunction with iTECS we have determined that disclosing these aspects that fall within the scope of your request would prejudice substantially our interests and the interest of others. Further information on this is provided in the Annex.

1 - Firewall

1. Who is the existing supplier for this contract?

• We have been advised by iTECS that this information should not be supplied in the response, as it would be detrimental to the security of our IT infrastructure.  It would not be prudent to identify what solution is used since this may provide individuals with sufficient information to exploit any potential vulnerabilities. Section 30(c) applies.

2. What does the organisation annual spend for each of contract?

• The following link provides information of the Scottish Government’s End Point Security and Protection solution. The overall value of the contract is £174,879.28 (exc. VAT). The contact for this contract is Maria McGrorry
• https://www.publiccontractsscotland.gov.uk/search/show/search_view.aspx?ID=NOV338512

3. What is the description of the services provided for each contract?

•  Section 30(c) applies.

4. Primary Brand (ONLY APPLIES TO CONTRACT 1&2)

• Section 30(c) applies.

5. What is the expiry date of each contract? 

• Support contracts are co-termed to expire in October 2022.

6. What is the start date of each contract?

• Start date of the contract is November 2018. Please note the exact date may vary locally depending on when the equipment was deployed.

7. What is the contract duration of contract?

• It depends on the start date, but the contracts should expire October 2022. 

8. The responsible contract officer for each of the contracts above? 

• In addition to Maria McGrorry, our Chief Operating Officer Dave Watson can be contacted.

9. Number of Licenses (ONLY APPLIES TO CONTRACT 3) 

• n/a

 2 - Anti-Virus Software Application

1. Who is the existing supplier for this contract?

• SOFTCAT Plc, Universal Square, Devonshire Street, Manchester. M12 6JH

2. What does the organisation annual spend for each of contract?

• Details above in the End Point Security and Protection contract. This contract forms part of the spend contained within the End Point Security and Protection contract.

3. What is the description of the services provided for each contract?

• Section 30(c) applies. 

4. Primary Brand (ONLY APPLIES TO CONTRACT 1&2) 

• Section 30(c) applies. 

5. What is the expiry date of each contract?  

• Pre-cloud solution - 30 December 2019
• Cloud solution - 11 March 2022

6. What is the start date of each contract?

• Pre-cloud solution - 30 March 2019
• Cloud solution - 12 March 2019

7. What is the contract duration of contract 

• Pre-cloud solution - 6 months
• Cloud solution - 36 months

8. The responsible contract officer for each of the contracts above? 

• Chief Operating Officer (Dave Watson) can be contacted. E-mail provided above 

9. Number of Licenses (ONLY APPLIES TO CONTRACT 3)

• n/a

3 - Microsoft ESA

1. Who is the existing supplier for this contract? 

• There is no contract as such for the Enterprise Software Agreement (ESA), it’s an agreement provided by a reseller – in this case Trustmarque.

2. What does the organisation annual spend for each of contract? 

• Section 33(1)(b) applies. 

3. What is the description of the services provided for each contract?  
The reseller currently provides the following agreements:

• An ESA (used only by Central IT for core licences)
• An MPSA (used by Central IT, Core business areas to buy ad hoc Microsoft licences)
• MPSA Sub Agreements (use by SCOTS Connect customer to purchase ad hoc licences) 

4. Primary Brand (ONLY APPLIES TO CONTRACT 1&2)

• n/a

 5. What is the expiry date of each contract? 

• The expiry date of the ESA is March 2022

6. What is the start date of each contract? 

•  April 2019

7. What is the contract duration of contract? 

• 3 years 

8. The responsible contract officer for each of the contracts above?  

• Chief Operating Officer (Dave Watson) can be contacted. E-mail provided above

9. Number of Licenses (ONLY APPLIES TO CONTRACT 3) 

• Section 33(1)(b) applies.

Reasons for not providing information - Annex
An exemption applies, subject to the public interest test

Section 30(c) – substantial prejudice to the effective conduct of public affairs

An exemption under section 30(c) of FOISA (prejudice to effective conduct of public affairs) applies to some of the information requested.  Releasing some of these details that fall within the scope of your request into the public domain could subsequently be used by attackers. Taking into consideration both the external and insider threat, to evade any protective monitoring, this could therefore enable malicious individuals to target specific types of attack or data exfiltration methods which would constitute substantial prejudice to the effective conduct of our public affairs.

This exemption is subject to the ‘public interest test’.  Therefore, taking account of all the circumstances of this case, we have considered if the public interest in disclosing the information outweighs the public interest in applying the exemption.  We have found that, on balance, the public interest lies in favour of upholding the exemption.  We recognise that there is a public interest in disclosing information as part of open, transparent and accountable government. However, there is a greater public interest in protecting the integrity of the Scottish Government’s IT security software and therefore ensuring that the Scottish Government is not vulnerable to an attack and the harm that will cause.

Section 33(1)(b) – Commercial Interests

An exemption under section 33(1)(b) of FOISA (commercial interests) applies to a small part of the information requested.  This exemption applies because disclosure of this particular information would, or would be likely to, prejudice substantially the commercial interests of Microsoft. Releasing the underlying details of the Microsoft ESA contract including certain spend and the number of licenses would likely give their competitors an advantage in future similar tendering exercises, which would substantially prejudice their ability to submit competitive tenders and so could significantly harm their commercial business.

This exemption is subject to the ‘public interest test’.  Therefore, taking account of all the circumstances of this case, we have considered if the public interest in disclosing the information outweighs the public interest in applying the exemption.  We have found that, on balance, the public interest lies in favour of upholding the exemption.  We recognise that there is a public interest in disclosing information as part of open and transparent government, and to help account for the expenditure of public money.  However, there is a greater public interest in protecting the commercial interests of companies which enter into, Scottish Government contracts, to ensure that we are always able to obtain the best value for public money.

About FOI
The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses.