Dear Mr Schneider,

Re – Information security and audit details.

Your request for information has now been considered and the information requested is listed below.

Provide the name, address and telephone number for the following people:

• Senior Information Risk Owner

We do not currently have a SIRO.

• Governance Manager

We do not currently have a Governance Manager.

• Information Security Officer/Manager

Data Protection and Information Security Officer.

Sefton MBC

4th Floor, Magdalen House,

Trinity Road,

Bootle.

L20 3NJ

0151 934 4416

• Information Technology Security Officer/Manager

As above.

• Caldicott Guardian

Ben Heal

Caldicott Guardian

Adult Care Services Emergency Planning Manager Corporate Core Crisis Team Manager

Floor 7, Merton House,

Stanley Rd,

Bootle,

L20 3FE.

0151 934 3774

PCI-DSS

Does your organisation process electronic payment cards?

Yes.

How much money is processed from electronic payment cards per annum?

£9875598

How many electronic payment card transactions are processed per annum?

96110

Are you PCI-DSS compliant?

No, we are not yet formally compliant but we are currently working towards this.

ISO 27001

Are you or have you considered becoming ISO 27001 compliant or certified?

Our current security policy is based upon ISO27001 and we aim for full compliance but we have no plans for certification because we do not believe there is a business case to justify it.

Government Connect

Are you connected and operationally utilising the Government Connect network?

Yes.

If not, have you considered connecting to Government Connect, and why was the decision made not to connect?

Not applicable.

Do you meet the Government Connect version three requirements?

Yes.

Please supply your latest CLAS consultant annual Government Connect assessment/audit report, blanking out any statements which could contravene a security concern from a third party reading it.

Regretfully, we cannot release this document because it contains a detailed assessment of our network and data security that could put at risk the privacy and safety of the general public and our staff (the completed report is classified as RESTRICTED by Central Government). We also believe that redaction of this particular report would not be possible, as every line details a potential weakness and virtually all content would have to be removed. We invoke the following exemptions as provided by the FOI Act:

• Section 41 (Confidentiality). We have a contractual duty under section 12.1 of CoCo not to release any information that could be used to compromise the security of the GCSx network; and,
• Section 31 (Law enforcement). We believe that if compromised this information would be used to facilitate a crime; and,
• Section 38 (Health and Safety), as the resulting release of personal information held on this network would affect the health and safety of the public and staff; and,
• Section 44 (Disclosure prohibited by other legislation). Principle 7 of the DPA requires that we take appropriate organisational and technical measures to protect personal data. (The ICO recommends ISO27001, section 15.3.2 of which states that all access to information systems audit tools shall be protected to prevent any possible misuse or compromise.)

We believe that there is an overwhelming public interest in not releasing this particular document.

Do you meet the Government Connect version four requirements?

Yes.

Please supply the latest internal report for the Government Connect version four Audit/Assessment, blanking out any statements which could contravene a security concern from a third party reading it.

We cannot release this document, for the reasons outlined above.

Criminal Justice Network

Are you connected to and operationally utilising the Criminal Justice Network?

No.

If not, have you considered connecting to the Criminal Justice Network, and why was the decision made not to connect?

Yes, hopefully via GCSx.

Please supply your latest annual assessment/audit report, blanking out any statements which could contravene a security concern from a third party reading it.

Not applicable.

NHS N3 Network

Are you connected to and operationally utilising the NHS N3 Network?

No.

If not, have you considered connecting to the NHS N3 network, and why was the decision made not to connect?

We have considered linking up, and we are currently piloting a link-up using an interconnect between the GCSx and N3. This will reduce the cost of accessing N3 from our network.

Please supply your latest N3 Connection assessment/audit report, blanking out any statements which could contravene a security concern from a third party reading it.

Not applicable.

Do both schools and the Council share the same physical network responsible for voice and data communications?

Voice lines are separate. Data lines are shared but logically separated by firewalls to comply with CoCo4.1.

I hope that this helps. If you have any queries or concerns then please contact me. You can also refer to the Information Commissioner at:

Information Commissioner's Office, Wycliffe House, Water Lane,

Wilmslow, Cheshire. SK9 5AF

Telephone: 01625 545 700

Yours sincerely,

Richard Roscoe.