Provision of information held by Northumbria Police made under the Freedom of Information Act 2000 (the 'Act')
As you may be aware the purpose of the Act is to allow a general right of access to information held at the time of a request, by a Public Authority (including the Police), subject to certain limitations and exemptions.
I was hoping you could provide me with some contract information relating to following information:
1. Standard Firewall (Network) - Firewall service protects your corporate Network from unauthorised access and other Internet security threats
2. Anti-virus Software Application - Anti-virus software is a program or set of programs that are designed to prevent, search for, detect, and remove software viruses, and other malicious software like worms, trojans, adware, and more.
3. Microsoft Enterprise Agreement - is a volume licensing package offered by Microsoft.
The information I require is around the procurement side and we do not require any specifics (serial numbers, models, location) that could bring threat/harm to the organisation. For each of the different types of cyber security services can you please provide me with:
1. Who is the existing supplier for this contract?
2. What does the organisation annually spend for each of the contracts?
3. What is the description of the services provided for each contract?
4. Primary Brand (ONLY APPLIES TO CONTRACT 1&2)
5. What is the expiry date of each contract?
6. What is the start date of each contract?
7. What is the contract duration of contract?
8. The responsible contract officer for each of the contracts above? Full name, job title, contact number and direct email address.
9. Number of Licenses (ONLY APPLIES TO CONTRACT 3)
Following receipt of your request, searches were conducted with the ICT Department of Northumbria Police. I can confirm that the information you have requested is held, in part, by Northumbria Police.
I am able to disclose the located information to you as follows.
1. Various suppliers
2. Not an annual spend they are part of 5 year refresh programme
3. Security, IDS,IPS, Remote Access and VPN
4. See below for exemptions applied to this point
7. 5 Year
8. Smith, Infrastructure Services Manager, firstname.lastname@example.org
3. Endpoint Protection
4. See below for exemptions applied to this point
7. 1 Year
8. Paul Smith, Infrastructure Services Manager, email@example.com
Microsoft Enterprise Agreement
3. Mix of cloud and standard Microsoft products
7. 3 years
8. Roy Hails 9014, Application Services Manager, 0191 4373188, firstname.lastname@example.org.
S24 (1) National Security
S31 (1) Law Enforcement
Sections 24, and 31 are prejudice based qualified exemptions and there is a requirement to articulate the harm that would be caused in its disclosure as well as carrying out a public interest test.
To disclose information to the public at large as to what we have in place to protect police systems would show criminals what the capacity, tactical abilities and capabilities of the force are, allowing them to target specific areas of the UK to conduct their criminal/terrorist activities. Any information identifying firewalls utilised could be used to the advantage of terrorists or criminal organisations. Information that undermines the operational integrity of these activities will adversely affect public safety and have a negative impact on both national security and law enforcement.
Factors favouring disclosure - Section 24
The public are entitled to know what public funds are spent on and what security measures are in place, and by confirming what is in place would lead to a better-informed public.
Factors against disclosure - Section 24
By disclosing this information would make those security measures less effective. This would lead to the compromise of ongoing or future operations to protect the security or infra-structure of the UK and increase the risk of harm to the public, ie a cyber-criminal could use such information to attack a particular police force. The information is sensitive in nature if it would highlight vulnerabilities. For instance, if it is known that a particular piece of software has weaknesses and a force was to disclose they use this then those weaknesses could be exploited. A cyber-attack could negatively affect the infrastructure of policing. By affecting the infrastructure of policing the nation’s security will be more vulnerable to terrorism.
Factors favouring disclosure - Section 31
This would enable the public to have a better understanding of the effectiveness of the police and about how the police protect systems used. It would greatly assist in the quality and accuracy of public debate, which could otherwise be steeped in rumour and speculation. Where public funds are being spent, there is a public interest in accountability and justifying the use of public money.
Factors against disclosure- Section 31
The release of this type of information would better inform a criminal on how to cyber-attack the police. If a force was hacked and this lead to their IT systems not working efficiently then a negative impact would occur on the prevention or detection of crime. Cyber-crime can lead to forces being unable to carry out their objectives. Northumbria Police would not want to provide information that could lead to criminals being better informed on the vulnerabilities, or perceived vulnerabilities a force has.
The security of the country is of paramount importance and the Police service will not divulge any information if to do so would place the safety of an individual at risk, undermine National Security or compromise law enforcement.
Whilst there is a public interest in the transparency of policing operations and providing assurance that the police service is appropriately and effectively engaging with the threat posed by various groups or individuals, there is a very strong public interest in safeguarding the integrity of police systems, investigations and operations in the highly sensitive areas such as extremism, crime prevention, public disorder and terrorism prevention.
As much as there is public interest in knowing that policing activity is appropriate and balanced this will only be overridden in exceptional circumstances. The areas of police interest discussed above are sensitive issues that reveal security systems and therefore it is our opinion that for these issues the balancing test for disclosure is not made out.