asked Her Majesty's Government:

In respect of the Department for International Development, (a) on how many occasions in the last year malicious programs have compromised departmental computer systems; and, for each occasion, how many machines were affected; how long it took to remove the programs from the system; and what was the impact on the department's activities; (b) what penetration tests have been carried out of information systems over the last year and what were the results, indicating in each instance whether the tests were carried out independently of the providers of the system concerned; and (c) on how many occasions in the last year the departmental management team has considered information risk. [HL2408]

Malicious code has been identified on DfID computers on 10 different occasions in the last year, affecting one computer in each case. It took between 10 and 90 minutes to remove the programs concerned. In all cases, the users could sign on to another machine and continue working, so the impact on DfID's activities was low.

DfID does not publish information about penetration tests, on grounds of security.

DfID's management board has considered the corporate risk register on three occasions in the past year and has been satisfied that there are currently no information risks among DfID's top risks. Information risks are monitored at regular meetings of the appropriate board sub-committee.