asked Her Majesty’s Government:
In respect of the Home Office, (a) on how many occasions in the last year malicious programs have compromised departmental computer systems; and, for each occasion, how many machines were affected; how long it took to remove the programs from the system; and what was the impact on the department’s activities; (b) what penetration tests of information systems have been carried out over the last year and what were the results, indicating in each instance whether the tests were carried out independently of the providers of the system concerned; and (c) on how many occasions in the last year the departmental management team has considered information risk. [HL2476]
In the last year there have been two recorded instances of malicious programs compromising Home Office computer systems. On both occasions, only a single machine was affected. The record does not state how long it took to remove in either case. As only individual machines were affected, the impact on the department’s activities was minimal.
As part of the continuing development and maintenance of our systems, a number of penetration tests and health checks are carried out by our IT service providers and by independent third parties. This testing is focused both on areas where changes are being implemented and on existing systems that are in maintenance.
Information risk is constantly being considered by Home Office management. The department has a senior information risk owner, who sits on the Home Office board, a team of IT accreditors and an information and records management team, all of whom monitor and manage information risks.