Information request and response under the Freedom of Information (Scotland) Act 2002
FOI Reference: FOI/202300379029
Date received: 2 October 2023
Date responded: 30 October 2023
REQUEST UNDER THE FREEDOM OF INFORMATION (SCOTLAND) ACT 2002 (FOISA)
Thank you for your request dated 2 October 2023 under the Freedom of Information (Scotland) Act 2002 (FOISA).
Your request
With reference to our response to Freedom of Information request 202300374618:
Request for information 1: Can you tell me please, in your engagement with a Cyber Essential Plus assessor, what was the scope of the accreditation engagement and were any parts of your IT infrastructure excluded from the outset from the engagement? If so can you detail which parts of your infrastructure were excluded?
Request for information 2: You say in your response that Social Security Scotland does not hold a Cyber Essentials Plus accreditation due to investigating but deciding that the "complexity of mapping to our cloud based environment made it unsuitable". Could I please therefore ask to see the records discussing this "unsuitability" and the final record containing the details of the decision and the rationale behind it?
Request for information 3: In lieu of not attaining Cyber Essentials Plus, can I please ask therefore which level of the Scottish Government's own Cyber Resilience Framework does Social Security Scotland fully comply with?
Request for information 4: Can I please ask what other recognised cyber security standards, such as ISO27001 for example, is Social Security Scotland specifically currently accredited to?
Response to your request
Social Security Scotland’s security assurance programme aligns with both the Scottish Government’s Cyber Resilience Framework and recognised international information and cyber security standards. It’s cyber security policies, controls, and technologies are independently tested on a regular basis throughout the year.
Request for information 1, 3 and 4:
An exemption under section 35(1)(a) of FOISA applies to the information you have requested. This exemption applies where disclosure of information under the Act would, or would be likely to, prejudice substantially the prevention or detection of crime. To disclose the information requested could leave our systems susceptible to cyber attack, including theft of personal data.
This exemption is subject to the 'public interest test'. Therefore, taking account of all the circumstances of this case, we have considered if the public interest in disclosing the information outweighs the public interest in applying the exemption. We have found that, on balance, the public interest lies in favour of upholding the exemption. We recognise that there is a public interest in disclosing information as part of open, transparent and accountable government, and to inform public debate. However, there is a greater public interest in ensuring that Social Security Scotland is able to securely and effectively administer the benefits system in Scotland.
Request for information 2:
While our aim is to provide information whenever possible, in this instance Social Security Scotland does not hold the information you have requested. This is because no records are currently held in relation to this decision.
About FOI
Social Security Scotland is committed to publishing responses to requests. The Scottish Government also publishes responses to requests. You can view the responses at http://www.gov.scot/foi-responses.