CCG FOI 700 – IT Security

Responded to: 8th November 2016

Please provide information on the manufacturer used, licence expiry and licence cost including duration for each of the following IT security areas within the organisation:

1. Desktop anti-virus

2. Protection of Microsoft Exchange environment (please state if this is not applicable due to the use of NHSmail/NHSmail2)

3. Email gateway (please state if this is not applicable due to the use of NHSmail/NHSmail2)

4. Web gateway

5. Mobile device management/enterprise mobility management

6. Hard disk encryption

7. Removable media encryption

7. Firewall

8. VPN

9. Two factor authentication provider

10. Wireless network provider

11. Virtual server software provider and number of virtual servers (e.g. VMWare, Hyper-V etc.)

12. VDI software provider and number of VDI instances

13. Network access control solution provider

14. Security information and event management (SIEM) solution provider

The Greater Manchester CCGs are issuing you with a refusal notice for questions 1 to 15, citing section 31(1)(a) of the Freedom of Information Act as the exemption because disclosing this information would prejudice the prevention of crime.

In coming to this decision, the CCG has considered the prejudice and the public interest factors in both disclosing the information and maintaining the exemption. Whilst there is always public interest in an organisation maintaining transparency with the public, there seems little public interest in releasing this particular information other than because of this issue of transparency. On the other hand, disclosing the information could make the twelve Greater Manchester CCGs and the supplier, which is Greater Manchester Shared Services, susceptible to cyber crime, which would prejudice the prevention of crime. This would place patients’ and staff’s personal information at risk of access or corruption and would also affect the ability of the 13 organisations to function effectively for a time. The likelihood is high due to the numerous CCGs’ publication schemes publishing their Freedom of Information responses, which in turn would lead to third party websites gaining access to the information and adding it to lists for hackers to potentially target.

It is for this reason that your request for answers to questions 1 to 15 has been refused. All other answers are present.

Please also provide:

1. The total number of computers (PCs and laptops) within the organisation. 85

2. The total number of smartphones within the organisation. 35

3. The total number of tablet devices within the organisation. 10

4. Details of whether IT security is provided by an in-house team or by a third party – if by a third party please state who provides the service and when the contract expires.

IT security is supplied by a 3rd party, Greater Manchester Shared Services, covering all aspects of IT security. The contract is due for renewal April 2018.

The organisation is in the process of completing a full audit of IT equipment; it is anticipated that this will be available by the end of December 2016.  However, the figures above are reflective of an estimate from earlier in the year.

The information supplied to you continues to be protected by the Copyright, Designs and Patents Act 1988.  You are free to use it for your own purposes, including any non-commercial research you are doing and for the purposes of news reporting.  Any other reuse, for example commercial publication, would require the permission of the copyright holder.  Most documents supplied by NHS Stockport Clinical Commissioning Group will have been produced by Government officials and will be Crown Copyright.