FOI release

Freedom of Information request on the MHRA IT security strategy (FOI 21/1270)

Published 31 May 2022

FOI 21/1270

9th December 2021

Dear

Thank you for your email.

We can only part answer questions 1 and 2, the rest of the information is exempt under Section 31 of the FOI Act for the following reasons:

The Agency like any organisation may be subject to cyber-attacks and, since it holds large amounts of sensitive, personal and confidential information, maintaining the security of this information is extremely important. Cyber-attacks, which may amount to criminal offences for example under the Computer Misuse Act 1990 or the Data Protection Act 1998, are rated as a Tier 1 threat by the UK Government.

In this context, providing requested information would provide information about the Agency’s information security systems and its resilience to cyber-attacks. There is a very strong public interest in preventing the Agency’s information systems from being subject to cyber-attacks. Providing the type of information requested would be likely to provide attackers with information relating to the state of our cyber security defences, and this is not in the public interest.

1.      Do you have a formal IT security strategy? (Please provide a link to the strategy)

Yes

2.      Does this strategy specifically address the monitoring of network attached device configurations to identify any malicious or non-malicious change to the device configuration?

Yes

I hope you find this information useful.

If you have a query about this, please reply to this email.

If you are dissatisfied with the handling of your request, you have the right to ask for an internal review. Internal review requests should be submitted within two months of the date you receive this response and addressed to: [email protected].  Due to the ongoing Covid-19 situation, we are not able to accept delivery of any documents or correspondence by post or courier to any of our offices.  Please remember to quote the reference number above in any future communications.

If you were to remain dissatisfied with the outcome of the internal review, you would have the right to apply directly to the Information Commissioner for a decision. Please bear in mind that the Information Commissioner will not normally review our handling of your request unless you have first contacted us to conduct an internal review. The Information Commissioner can be contacted at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Yours sincerely,

MHRA Customer Service Centre