(2) what auditing his Department undertakes to ensure that IT security policies are being followed; and on how many occasions (a) IT security policies have been breached by employees and (b) a member of staff has been sanctioned for a breach of such policies in the last 12 months;
(3) if he will place in the Library a copy of his Department's IT security hierarchy;
(4) what scanning for vulnerabilities his Department conducts of each of its IT devices; what method is used for IT device scans; and how many vulnerabilities have been detected as a result of such scans in the last 12 months;
(5) what IT security policy his Department has; what procedures are in place to ensure the policy is being followed; what his Department's policy is on encryption of data when it leaves departmental premises; and what sanctions are in place for failure to comply with this policy.
Information is a key asset to Government and its correct handling is vital to the delivery of public services and to the integrity of HMG. The Security Policy Framework, the Data Handling Report and the National Information Assurance Strategy produced by the Cabinet Office provide a strategic framework for protecting information that Government handle and put in place a set of mandatory measures which Departments must adhere to.
Because of the potential security threat, it would not be appropriate to comment on the specific technical measures deployed to protect the Department's IT networks.
Compliance arrangements comprise a system of self-assessment, accreditation, assurance reporting, audit and review.
There have been no reported breaches of the Department's IT systems in the last 12 months. Central records show that, for this period, 41 staff have been subject to disciplinary action for breaches of IT security policy. The types of incident involved included, but were not limited to, misuse of email, internet browsing, and incorrect use of passwords and login details. None of the incidents compromised the integrity of the Department's systems.
The Department's security governance arrangements are consistent with the mandatory requirements set out in the HM Government Security Policy Framework (SPF). The Permanent Secretary, as Accounting Officer, has overall responsibility for all aspects of security. The Departmental Security Officer (DSO) supports the Permanent Secretary by providing advice on policy and procedure. The IT Security Officer (ITSO) supports the DSO by developing, implementing, reviewing and advising upon IT security policy. There are currently separate ITSOs working in the major business units brought together as the Ministry of Justice.
It is not in the interest of the security of the Department, or that of the public, to disclose detailed information pertaining to electronic breaches of security of the Department's IT systems. Disclosing such information would enable criminals and those who would attempt to cause disruptive threats to the Department to deduce how to conduct attacks and therefore potentially enhance their capability to carry out such attacks.
Depending upon the circumstances, a range of sanctions are available for failure to comply with the policies, including disciplinary or administrative action, and in extreme or persistent cases, termination of employment/services and, if appropriate, criminal proceedings.