Information Systems: Ministry of Defence

Lord Harris of Haringey asked Her Majesty's Government:

In respect of the Ministry of Defence, (a) on how many occasions in the last year malicious programs have compromised departmental computer systems; and, for each occasion, how many machines were affected; how long it took to remove the programs from the system; and what was the impact on the department's activities; (b) what penetration tests of information systems have been carried out over the last year and what were the results, indicating in each instance whether the tests were carried out independently of the providers of the system concerned; and (c) on how many occasions in the last year the departmental management team has considered information risk. [HL2473]

The Parliamentary Under-Secretary of State, Ministry of Defence (Lord Drayson)

The Ministry of Defence has deployed a comprehensive suite of safeguards to protect its departmental computer systems. However, in the past year (to February 2007) there have been 35 incidents reported in which malicious programs have compromised these safeguards. The department categorises—there are five levels, from very low to very high—all incident impacts. The following table provides the requested details.

-----------------------------------------------------------------------------------------------
|No. of Incidents|Machines Involved|Impact Level|Recovery Time|Remarks                        |
-----------------------------------------------------------------------------------------------
|1               |1                |Very Low    |Pending      |Incident open                  |
|2               |1                |Very Low    |Pending      |Incident open                  |
|3               |1                |Low         |Nil          |Anti-Virus (AV) recovered      |
|4               |1                |Low         |Nil          |AV recovered                   |
|5               |1                |Low         |Nil          |AV recovered                   |
|6               |1                |Low         |Nil          |AV recovered                   |
|7               |1                |Low         |Nil          |AV recovered                   |
|8               |1                |Low         |Nil          |AV recovered                   |
|9               |1                |Low         |Nil          |AV recovered                   |
|10              |1                |Low         |Nil          |AV recovered                   |
|11              |1                |Low         |Nil          |AV recovered                   |
|12              |1                |Low         |Nil          |AV recovered                   |
|13              |1                |Low         |Nil          |AV recovered                   |
|14              |1                |Low         |Nil          |AV recovered                   |
|15              |1                |Low         |Nil          |AV recovered                   |
|16              |1                |Low         |Nil          |AV recovered                   |
|17              |1                |Low         |Nil          |AV recovered                   |
|18              |1                |Low         |Nil          |AV recovered                   |
|19              |1                |Low         |Nil          |AV recovered                   |
|20              |1                |Low         |Nil          |AV recovered                   |
|21              |1                |Low         |Nil          |AV recovered                   |
|22              |1                |Low         |Nil          |AV recovered                   |
|23              |1                |Low         |Nil          |AV recovered                   |
|24              |1                |Low         |Nil          |AV recovered                   |
|25              |1                |Low         |Nil          |AV recovered                   |
|26              |1                |Low         |Nil          |AV recovered                   |
|27              |1                |Low         |Nil          |AV recovered                   |
|28              |1                |Low         |Nil          |AV recovered                   |
|29              |1                |Low         |Nil          |AV recovered                   |
|30              |1                |Low         |Nil          |AV recovered                   |
|31              |1                |Low         |Pending      |Virus quarantined              |
|32              |1                |Low         |1 Day        |1 x box rebuilt                |
|33              |1                |Med         |Pending      |Incident open                  |
|34              |1                |Med         |Pending      |Incident open                  |
|35              |10               |Med         |2 Days       |1 x Box rebuilt; 9 x AV Updated|
-----------------------------------------------------------------------------------------------

A total of 104 independent penetration tests were completed in the past year, in addition to those commissioned internally by system-operating authorities for which centralised records are not maintained. Invariably such testing identifies a range of issues that require subsequent rectification and/or risk acceptance. Specific details are classified; however, as a measure of the results, all systems tested last year retained their security-accredited status.