0212FOI1920
FOI Ref: 0212FOI1920
26th March 2020
Freedom of Information Act 2000 – Request for Information
We are pleased to respond to your request for information and our response is set out below:
Request / Response
In support of doctoral research with the [redacted] this is a request under the Freedom of Information Act 2000 and relates to how your organisation undertakes information and cyber security risk assessments.
Please could you tell me:
1. Does your organisation have a formal policy regarding the production of information and/or cyber security risk assessments?
Yes, in that we follow NHSD guidelines and are working to achieve Data Security and Protection Toolkit (DSPT) and Cyber Essentials Plus (CE+) accreditation this year.
a. If yes, please can you provide a copy of the above policy?
Not formally written down, as it is part of the DSPT.
2. Does your organisation hold a register of information and/or cyber security risk (outside that of the corporate risk register), and if yes:
a. Please can you list the top ten Information and/or Cyber Security Risks?
The CCG tests for the OWASP Top 10. Other risks will arise and be dealt with on a day-by-day basis. Our IT provider will also hold a risk register (but these may not be present in our contracted area).
b. How many risks are there in total on the register?
Corporate risks are published when a summary is sent to Board. March summary is at:
c. Please state how many risks would be categorised as the highest risk level (i.e. Critical)?
As per b
d. Please state how many risks would be categorised as the second highest risk level (i.e. Critical)
As per b
e. Please state how many risks would be categorised as the third highest risk level (i.e. Critical)?
As per b
f. How many risk levels do you have in total (i.e. 5)?
We use a risk score calculated from a matrix of likelihood (1-5) by consequence (1-5).
3. Do any of the identified information and or cyber security risks also exist on the corporate risk register?
a. If yes, what are those risks?
See the latest published list:
4. When undertaking an information / cyber security risk assessment, does the authority follow a structured risk assessment process?
a. If so, what is that process?
We work to achieve CE+ accreditation as part of the NHSD requirements for all NHS organisations.
5. Does your organisation follow ISO31000 when undertaking an information / cyber security risk assessment? Not formally
6. Does your organisation hold ISO27000 accreditation? No
7. Does your organisation have a policy of adhering to any information security standard or framework (i.e. ISO27000, NIST etc)? CE+
a. If yes, please provide a copy of the above policy?
8. Does the authority have the following roles within the organisation: Yes, SIRO
a. Chief Security Officer (CSO),
i. If yes, which role does the CSO report into?
b. Chief Information Security Officer (CISO)
i. If yes, which role does the CISO report into?
c. Head of Information Security (Hd InfoSec)
i. If yes, which role does the Hd InfoSec report into?
9. Who within your organisation is accountable for undertaking information / cyber security risk assessments (i.e. Chief Information Security Officer, Head of Information Security, Head of Information Technology)?
Brian Hughes (SIRO), delegated to the Deputy Director IT.
10. Who within the authority is responsible for undertaking information / cyber security risk assessments (i.e. Chief Information Security Officer, Head of Information Security, Head of Information Technology)?
Brian Hughes (SIRO), delegated to the Deputy Director IT.
11. How many people within the organisation are responsible for undertaking information / cyber security risk assessments?
Deputy Director IT and Brian Hughes (SIRO), supported by the contracted IT provider.
12. Does the person(s) responsible for undertaking information / cyber security risk assessment:
a. Have any formal training in this regard? Yes, provided by NHSD.
i. If so, what was it? SIRO training provided by GCHQ
b. Have any industry qualifications/certification in this regard?
i. If so, what are they?
13. How many people (permanent and contractors) currently work for the authority?
327
14. How many people (permanent and contractors) currently work for the authority in information technology roles?
In IT specifically, 2 at this time, plus staff employed as part of the wider IT provision.
15. How many people (permanent and contractors) currently work for the authority in information / cyber security roles?
Collaborative team responsibility; no one specifically responsible for cyber other than the Deputy Director and SIRO.