Security and encryption of the Scottish Public Pensions Agency's website: FOI release
Published: 10 December 2018
Topic: Money and tax, Public sector
Information request and response under the Freedom of Information (Scotland) Act 2002.
Date received: 14 November 2018
Date responded: 10 December 2018
Information on the security and encryption of the Scottish Public Pensions Agency’s website.
- All communications with the NCSC or any other organisation, contractor or supplier regarding the security and encryption of your public facing websites including any infrastructure (servers, databases etc) and the use of HTTPS / SSL or any other encryption protocols on said systems.
- Any website (and associated system or infrastructure) audits that have been completed (or might be work in progress) and the conclusions and recommendations of such audits especially regarding the security of sites.
- Any action plans that have been created or put in place to address any known weaknesses in website security or encryption policies.
- Your website security and encryption policy.
1. All communications with the NCSC or any other organisation, contractor or supplier regarding the security and encryption of your public facing websites including any infrastructure (servers, databases etc) and the use of HTTPS / SSL or any other encryption protocols on said systems.
There has been no direct communication with NCSC; however, the table below contains data from the NCSC Web Check tool, which is used to monitor the status of the SSL certificates on each URL.
| URL | Name | Title | Short Description | Category | Severity | First Detected | Last Detected |
|---|---|---|---|---|---|---|---|
| https://employerservices.sppa.gov.uk | X509.certificates.good | Certificates are well-configured | Your website's certificates are well-configured | Data in transit | Positive | 13/02/2018 | 29/11/2018 |
| https://employercontributions.sppa.gov.uk | X509.certificates.good | Certificates are well-configured | Your website's certificates are well-configured | Data in transit | Positive | 13/02/2018 | 28/11/2018 |
| https://mypension.sppa.gov.uk | X509.certificates.good | Certificates are well-configured | Your website's certificates are well-configured | Data in transit | Positive | 13/02/2018 | 28/11/2018 |
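The Web Check result above is a certificate-status finding. As an added illustration (not from the FOI release, SPPA or the Web Check tool, whose exact test criteria are not given on this page), the following POSIX shell script performs an offline version of such a check against a constructed self-signed certificate: it generates a test certificate for one of the hostnames listed in the table, then verifies that the hostname is covered by the certificate's subjectAltName entries and that the certificate will not expire within a chosen window. It assumes OpenSSL 1.1.1 or later on PATH; the hostnames are taken from the table, but the certificate is generated locally, not fetched from SPPA.

```shell
#!/bin/sh
# Added example (not from the FOI release, SPPA or NCSC): an offline stand-in
# for the kind of certificate-status check that Web Check reports as
# "X509.certificates.good". It tests two properties a well-configured
# certificate must have: the requested hostname appears in subjectAltName,
# and the certificate is still valid at the end of a chosen window.
# Assumptions: OpenSSL 1.1.1+ (for -addext and -ext); the certificate under
# test is self-signed and generated here, not SPPA's production certificate.
set -e

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# make_test_cert <hostname> <out.pem>
# Constructed input: a self-signed certificate for <hostname>, valid 90 days.
make_test_cert() {
    host="$1"
    out="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 90 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$WORKDIR/key.pem" -out "$out" >/dev/null 2>&1
}

# san_matches <san> <hostname>
# Exact match, or a single-label wildcard (*.example.org covers a.example.org
# but not example.org itself).
san_matches() {
    case "$1" in
        "*."*) [ "${2#*.}" = "${1#\*.}" ] && [ "${2#*.}" != "$2" ] ;;
        *)     [ "$1" = "$2" ] ;;
    esac
}

# check_cert <pem> <hostname> [seconds]
# Returns 0 if <pem> covers <hostname> and remains valid for <seconds>
# (default 30 days); prints the failing condition and returns 1 otherwise.
check_cert() {
    pem="$1"
    host="$2"
    window="${3:-2592000}"

    # -checkend exits non-zero when the certificate expires within the window.
    if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1; then
        echo "FAIL: certificate expires within $window seconds"
        return 1
    fi

    # Browsers match the hostname against subjectAltName only, not the CN,
    # so the SAN list is what matters.
    sans=$(openssl x509 -in "$pem" -noout -ext subjectAltName 2>/dev/null \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://')
    for san in $sans; do
        if san_matches "$san" "$host"; then
            echo "OK: $host is covered by SAN $san and the certificate is valid beyond the window"
            return 0
        fi
    done
    echo "FAIL: $host not in subjectAltName (${sans:-none})"
    return 1
}

make_test_cert mypension.sppa.gov.uk "$WORKDIR/cert.pem"
check_cert "$WORKDIR/cert.pem" mypension.sppa.gov.uk
```

To run the same check against a live site, replace the generated file with the leaf certificate saved from `openssl s_client -connect host:443 -servername host`; the script deliberately does not verify the chain to a trusted root, which a full check such as Web Check's would also cover.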
2. Any website (and associated system or infrastructure) audits that have been completed (or might be work in progress) and the conclusions and recommendations of such audits especially regarding the security of sites.
Audits for the SPPA website:
| Site URL | Date of site audit carried out |
|---|---|
| https://employerservices.sppa.gov.uk | April 2016 |
| https://employercontributions.sppa.gov.uk | August 2013 |
| mypension.sppa.gov.uk | February 2012 |
An exemption under section 30(c) of FOISA (prejudice to effective conduct of public affairs) applies to most of the information requested (apart from the table above). Disclosing this information would substantially prejudice our ability to conduct safe management of the SPPA Website because the audit reports contain sensitive technical information which could be used to compromise the security of the SPPA website.
This would constitute substantial prejudice to the effective conduct of public affairs in terms of the exemption.
This exemption is subject to the ‘public interest test’. Therefore, taking account of all the circumstances of this case, we have considered whether the public interest in disclosing the information outweighs the public interest in applying the exemption. We have found that, on balance, the public interest lies in favour of upholding the exemption. We recognise that there is a public interest in disclosing information as part of open, transparent and accountable government. However, there is a greater public interest in protecting the process of SPPA Website security and ensuring that the SPPA is able to conduct this aspect of its business effectively.
3. Any action plans that have been created or put in place to address any known weaknesses in website security or encryption policies.
An exemption under section 30(c) of FOISA (prejudice to effective conduct of public affairs) applies to all the information requested. Disclosing this information would substantially prejudice our ability to conduct safe management of the SPPA Website because the action plans contain potential vulnerabilities which could be used to compromise the security of the SPPA website.
This would constitute substantial prejudice to the effective conduct of public affairs in terms of the exemption.
This exemption is subject to the ‘public interest test’. Therefore, taking account of all the circumstances of this case, we have considered whether the public interest in disclosing the information outweighs the public interest in applying the exemption. We have found that, on balance, the public interest lies in favour of upholding the exemption. We recognise that there is a public interest in disclosing information as part of open, transparent and accountable government. However, there is a greater public interest in protecting the process of SPPA Website security and ensuring that the SPPA is able to conduct this aspect of its business effectively.
4. Your website security and encryption policy.
SPPA adheres to NCSC guidance on security and encryption (the NCSC cloud security principles). Please see the link below:
https://www.ncsc.gov.uk/guidance/implementing-cloud-security-principles
Contact
Please quote the FOI reference
Central Enquiry Unit
Email: ceu@gov.scot
Phone: 0300 244 4000
The Scottish Government
St Andrew's House
Regent Road
Edinburgh
EH1 3DG