RFI - 097: IT devices
Updated 23 October 2024
RE: FOI request relating to IT devices
Thank you for your freedom of information request, received on 29 August 2024, and allocated reference number RFI 097.
We have considered your request under the Freedom of Information Act 2000 (the FOIA).
In relation to the number of security infrastructure devices deployed by the SSRO (under Q1), and the 2024/25 and 2025/26 spend/budget for procuring cyber security services/software (under Q4), I confirm that this information is held. However, this information is exempt from disclosure under section 31(1)(a) of the FOIA on the basis that disclosing this information would, or would be likely to, prejudice the prevention or detection of crime. This is because disclosing this information would give cyber criminals insight into vulnerabilities which may or may not exist and this would likely encourage attempts to illegally access the SSRO’s IT systems.
The exemption relied upon is a qualified exemption and is subject to a public interest test. We have balanced the public interest in disclosing the information against the public interest in maintaining the exemption. Factors in favour of disclosing the information are that it would support transparency of the organisation’s activities and expenditure, it would provide information about how effective our security systems are and could reassure people about whether our systems are vulnerable or not. Weighed against this, disclosing the information would increase the likelihood of cyberattacks because it would provide cyber criminals with information necessary to build an understanding of the strengths and weaknesses of the SSRO’s IT security. If, for example, the SSRO disclosed that it had a no or very few security infrastructure devices, or it’s spend/budget for procuring cyber security services/software was low, this could demonstrate to cyber criminals that the organisation’s systems are particularly vulnerable, encouraging attacks.
Having weighed these public interests, our conclusion is that the public interests in maintaining the exemption in relation to “Q1 - Security Infrastructure” and “Q4 - Cyber Security”, should preponderate.
In respect to the remaining information requested, I confirm that the information is held and is disclosed below:
Q1. Can you please list the number of devices deployed by your organisation for the following?
Device Type | Number of Devices |
---|---|
Desktop PCs | 1 |
Laptops | 35 |
Mobile Phones | 20 |
Printers | 4 |
Multi Functional Devices (MFDs) | 1 |
Tablets | 5 |
Physical Servers | 0 |
Storage Devices (for example: NAS, SAN) | 0 |
Networking Infrastructure (for example: Switches, Routers, Interfaces, Wireless Access Points) | 0 |
Security Infrastructure (for example: Firewalls, Intrusion Detection Systems (IDS), Virus Monitoring Tools) | Exempt |
Q2. Does your organisation plan to procure any of the below enterprise applications or software?
2024/25 Spend/Budget (£000) | 2025/26 Estimated Budget (£000) | |
---|---|---|
Content Management System | £0 | £0 |
Supply Chain Management (SCM) | £0 | £0 |
Inventory Management Software | £0 | £0 |
Enterprise Asset Management (EAM) Software | £0 | £0 |
Business Intelligence Systems | £0 | £0 |
Other software/apps (mention the name of the software) | £0 | £0 |
Q3. Do you have any plans to procure End user devices (desktop/laptop/tablet/mobile phones etc)?
2024/25 Spend/Budget (£000) | 2025/26 Estimated Budget (£000) | |
---|---|---|
Desktops | £0 | £0 |
Laptops | £15,000 | £15,000 |
Mobile Phones | £1,500 | £1,500 |
Tablets and Others (if Others, please specify) | £2,000 | £2,000 |
Q4. Do you have any plans to procure below services/softwares?
2024/25 Spend/Budget (£000) | 2025/26 Estimated Budget (£000) | |
---|---|---|
Artificial Intelligence (AI) | £0 | £0 |
Cyber Security | Exempt | Exempt |
If you are dissatisfied with the handling of your request, you have the right to ask for an internal review. Internal review requests should be submitted within two months of the date of receipt of our response to your request and should be addressed to: [email protected].
If you are not content with the outcome of the internal review, you have the right to apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.