04 October 2023
Your request
1. Storage
a. What is your annual spend on cloud storage and also on-prem storage (please split out the costs)?
b. Do you have a cloud strategy, if so when was it last assessed?
c. How do you back up your data and with who e.g. Backup as a Service through XXX
d. How much do you spend on data backup annually?
2. Security
a. How much do you spend on cyber security infrastructure?
b. How many attempted cyber-attacks have you suffered?
c. How many successful cyber breaches have you suffered?
d. If yes to 2c, did you pay the ransom and how long did it take for systems to come back online?
e. If yes to 2c, were any of these ransomware attacks?
If you do not record the data by any of the above, please share the most similar you do record by.
Please could you provide data for the last 5 financial years. If you are unable to provide 5 years of data, please provide 3 years, otherwise please provide data for the last 2 years.
Our response
1. Storage
a. What is your annual spend on cloud storage and also on-prem storage (please split out the costs)?
Azure storage = £378.69
AWS storage = £110,687
b. Do you have a cloud strategy, if so when was it last assessed?
Cloud strategy is currently being drafted
c. How do you back up your data and with who e.g. Backup as a Service through XXX
We use AWS DR and Backup Service
d. How much do you spend on data backup annually?
Approx £230K
2. Security
a-e:
I can confirm that we have reviewed your request but consider that disclosure may endanger the Council to hacking/cyberattacks.
We therefore engage Section 31: Law Enforcement to this request.
Section 31: Law Enforcement
The most likely sub-sections are in bold
31.—(1) Information which is not exempt information by virtue of section 30 is exempt information if its disclosure under this Act would, or would be likely to, prejudice –
(a) the prevention or detection of crime,
(b) the apprehension or prosecution of offenders,
(c) the administration of justice,
(d) the assessment or collection of any tax or duty or any imposition of a similar nature,
(e) the operation of immigration controls,
(f) the maintenance of security and good order in prisons or in other institutions where persons are lawfully detained,
(g) the exercise by any public authority of its functions for any of the purposes specified in subsection (2),
(h) any civil proceedings which are brought by or on behalf of a public authority and arise out of an investigation conducted, for any purposes specified in subsection (2), by or on behalf of the authority by virtue of Her Majesty’s prerogative or by virtue of powers conferred by or under an enactment, or
(i) any inquiry held under the Fatal Accidents and Sudden Deaths Inquiries (Scotland) Act 1976 to the extent that the inquiry arises out of an investigation conducted, for any of the purposes specified in subsection (2), by or on behalf of the authority by virtue of Her Majesty’s prerogative or by virtue of powers conferred by or under an enactment.
(2) The purposes referred to in subsection (1)(g) to (i) are –
(a) the purpose of ascertaining whether any person has failed to comply with the law,
(b) the purpose of ascertaining whether any person is responsible for any conduct which is improper,
(c) the purpose of ascertaining whether circumstances which would justify regulatory action in pursuance of any enactment exist or may arise,
(d) the purpose of ascertaining a person’s fitness or competence in relation to the management of bodies corporate or in relation to any profession or other activity which he is, or seeks to become, authorised to carry on,
(e) the purpose of ascertaining the cause of an accident,
(f) the purpose of protecting charities against misconduct or mismanagement (whether by trustees or other persons) in their administration,
(g) the purpose of protecting the property of charities from loss or misapplication,
(h) the purpose of recovering the property of charities,
(i) the purpose of securing the health, safety and welfare of persons at work, and
(j) the purpose of protecting persons other than persons at work against risk to health or safety arising out of or in connection with actions of persons at work.
(3) The duty to confirm or deny does not arise if, or to the extent that, compliance with section 1(1)(a) would, or would be likely to, prejudice any of the matters mentioned in subsection (1).
As this exemption is qualified and prejudice-based, we are obliged to outline the harm in disclosure and explain why we consider that the public interest in maintaining the exemption outweighs the public interest in disclosure.
Harm in Disclosure
There is harm in disclosure:
Vulnerability Exposure: Disclosing our specific cybersecurity measures and devices could expose vulnerabilities that malicious actors could exploit.
Target for Attacks: The Council could become a more attractive target for cybercriminals if they know what security measures are in place or, more importantly, what is not.
Public Interest in Disclosure
We appreciate the benefits in transparency and that disclosure would improve public knowledge & debate on this issue.
Public Interest in maintaining the exemption
It is not in the public interest to provide information if to do so means that the Council is vulnerable to hacking/cyber attacks.
In accordance with Section 17 FOIA this letter represents a Refusal Notice for this request.