asked Her Majesty's Government:

In respect of the Department for Environment, Food and Rural Affairs, (a) on how many occasions in the last year malicious programs have compromised departmental computer systems; and, for each occasion, how many machines were affected; how long it took to remove the programs from the system; and what was the impact on the department's activities; (b) what penetration tests have been carried out of information systems over the last year and what were the results, indicating in each instance, whether the tests were carried out independently of the providers of the system concerned; and (c) on how many occasions in the last year the departmental management team has considered information risk. [HL2407]

(a) In the past year no malicious programs have compromised departmental computer systems, as all potential infections were trapped by the AV software and there were no reported outbreaks.

(b) The only penetration test performed in the past year was on the BlackBerry pilot and was performed by QinetiQ at Defra’s request. Eight issues were found, and these were either mitigated or taken into account in the subsequent solution for production. Release of the results might highlight vulnerabilities and compromise security.

(c) The departmental management board considered information assurance and risk in December 2006 but the management team has also considered information risk in other ways: as part of its consideration of overall departmental performance and delivery and through its oversight of major IT-enabled change programmes and local programmes, all of which have risk management processes that include information risk.