FOI Request

Disclosure ID
Request Date: February 26, 2019

1. Are you aware of the Minimum Cyber Security Standard, published 25th June 2018?
a. Yes
b. No

2. What is your annual dedicated budget for cybersecurity (including personnel and technology)?
a. £10,000 or less
b. £10,001 – £50,000
c. £50,001 – £100,000
d. £100,001 – £500,000
e. £500,001 – £1,000,000
f. £1,000,001 – £5,000,000
g. £5,000,001 – £10,000,000
h. £10,000,001 or more

3. Approximately how many cyber-attacks (of any kind) have you experienced in your organisation in these 12-month periods?

| Period | 1 – 50 | 50 – 100 | 100 – 200 | 200 – 500 | 500 – 1000 |
| --- | --- | --- | --- | --- | --- |
| 1st January 2017 – 31st December 2017 | | | | | |
| 1st January 2018 – 31st December 2018 | | | | | |

4. Which of the following attack / cybersecurity threat types have been detected by your organisation? [Select all that apply]

a. Hacking

b. Phishing

c. Malware

d. Ransomware

e. Accidental/careless insider threat

f. Malicious insider threat

g. Foreign governments

h. Crypto mining

i. Other, please specify: _______________

5. Which of the following form part of your cybersecurity defence technology strategy? [Select all that apply]

a. Firewall

b. Antivirus software

c. Network device monitoring

d. DNS filtering

e. Malware protection

f. Log management

g. Network configuration management

h. Patch management

i. Network traffic analysis

j. Multi-factor authentication

k. Network perimeter security solutions

l. Employee training (whole organisation)

m. Employee training (IT team)

n. Other, please specify: ___________

6. Which of these obstacles has your organisation experienced in maintaining or improving IT security? [Select all that apply]

a. Competing priorities and other initiatives

b. Budget constraints

c. Lack of manpower

d. Lack of technical solutions available at my agency

e. Complexity of internal environment

f. Lack of training for personnel

g. Inadequate collaboration with other internal teams or departments

h. Other, please specify: _______________


If disclosed, this information could be used to identify ways of breaching our Trust’s IT security measures, which would thereby put us at increased risk of cyber-attack. This would potentially put invaluable patient and staff data at risk, which the Trust has a legal duty to protect under the Data Protection Act, and other confidential data which is essential to the running of Trust services.

The disclosure of information which may undermine the integrity of our IT systems, and NHS IT systems on a national scale, is exempt under Section 24. The disclosure of information which would make our Trust more vulnerable to crime is exempt under Section 31, as releasing the requested information may prejudice our ability to prevent cyber-crime targeting our systems.

These are qualified exemptions; the public interest in withholding information must outweigh the public interest in disclosure. It is the opinion of the Trust that the public interest in protecting the integrity of our information and ensuring our ability to provide healthcare services justifies the application of these exemptions.

The information in this response is provided under the terms of the Open Government Licence. Please see here for more information:

