Departmental Data Protection

Volume 490: debated on Monday 23 March 2009

To ask the Secretary of State for Culture, Media and Sport pursuant to the answer of 5 March 2009, Official Report, column 1739W, on departmental data protection, what security systems are in place to separate visitor and test wireless networks from his Department's local area network infrastructure; what policies are in place for the protection of local area network infrastructure via (a) firewalls and (b) layer three switches; who is responsible for auditing and checking these security measures; how frequently security checks are performed; and what the average time is for remediation of vulnerabilities. (265565)

There is no connection between the visitor and test wireless networks, and the test wireless network does not carry any work or protectively marked traffic. No wireless network is connected to the main office network.

All wireless connections are protected by hardware firewalls and are covered as part of the regular annual audit process. Security vulnerabilities are addressed immediately they are notified.

To ask the Secretary of State for Culture, Media and Sport pursuant to the answer of 5 March 2009, Official Report, columns 1739-40W, on departmental data protection, what systems are in place to ensure that his Department's IT security hierarchy is fit for purpose. (265566)

To ask the Secretary of State for Culture, Media and Sport pursuant to the answer of 5 March 2009, Official Report, column 1739W, on departmental data protection, how frequently (a) internal and (b) independent external auditing of compliance takes place; what the criteria of such audits are; what elements are checked; whether his Department undertakes social engineering pen tests; what password policies his Department has in place; and what systems are in place to ensure that staff comply with those policies. (265567)

Internal auditing of compliance takes place at least annually. Independent external auditing is carried out on an annual basis. A number of criteria are used including the GSi Code of Connection, the Security Policy Framework, industry best practice and relevant Info Sec Memoranda.

We do not report on the scope of security testing nor the full list of test criteria for security reasons.

My Department does carry out social engineering vulnerability testing.

My Department's password policies conform to central standards.

A full range of guidance on security policies and best practice is available to staff via my Department's intranet.

We are currently deploying additional training and compliance testing for all staff.