Social Security Scotland cyber security: FOI Review

Information requested

Original request - 202300374618

Request for information 1: Has Social Security Scotland ever held a CE+ accreditation?

Request for information 2: Does Social Security Scotland hold a valid CE+ accreditation for the financial year 2022/2024?

Request for information 3: Has Social Security Scotland ever unsuccessfully attempted to attain a CE+ accreditation and if so, why was it unsuccessful?

Request for information 4: When was the last time that Social Security Scotland carried out a full disaster recovery test including a test of being able to restore fully, core systems from backups?

Response

Further to my letter of 21 November 2023, I have now completed my review of our response to your request under the Freedom of Information (Scotland) Act 2002 (FOISA) for:

Request for information 1 - Can you tell me please, in your engagement with a Cyber Essential Plus assessor, what was the scope of the accreditation engagement and were any parts of your IT infrastructure excluded from the outset from the engagement? If so can you detail which parts of your infrastructure were excluded?

Request for information 2 - You say in your response that Social Security Scotland does not hold a Cyber Essentials Plus accreditation due to investigating but deciding that the "complexity of mapping to our cloud based environment made it unsuitable". Could I please therefore ask to see the records discussing this "unsuitability" and the final record containing the details of the decision and the rationale behind it?

Request for information 3 - In lieu of not attaining Cyber Essentials Plus, can I please ask therefore which level of the Scottish Government's own Cyber Resilience Framework does Social Security Scotland fully comply with?

Request for information 4 - Can I please ask what other recognised cyber security standards, such as ISO27001 for example, is Social Security Scotland specifically currently accredited to?

Within your request for review you referenced FOI 202300374618. Within the body of your request you express dissatisfaction with our response to request for information 2 of FOI 202300379029. We have provided a response to FOI 202300379029 which you expressed dissatisfaction with rather than the referenced FOI of 202300374618.

Within Part 2 of FOI 202300379029 you asked – “You say in your response that Social Security Scotland does not hold a Cyber Essentials Plus accreditation due to investigating but deciding that the "complexity of mapping to our cloud based environment made it unsuitable". Could I please therefore ask to see the records discussing this "unsuitability" and the final record containing the details of the decision and the rationale behind it?”

You were dissatisfied with our response to this question, therefore this review is limited to considering the response to question 2 above, which stated we were unable to provide you with this information as it was not held, as you considered that the authority must hold information in relation to our decision not to pursue Cyber Essentials Plus accreditation.

I have reviewed our response and concluded that a different decision should be substituted.

Whilst there is no definitive document which records the decision, I consider that further information should be released to you which evidences the considerations and discussions to reach that decision. Please find these documents attached.

An exemption under section 30(c) of FOISA (prejudice to effective conduct of public affairs) applies to some of the information requested. We have concluded that disclosing this information would substantially prejudice the Government’s ability to effectively protect it’s security systems. This is because to reveal the information within this documentation would reveal intelligence on our security systems that would make these vulnerable to attack. One of the many consequences of this could result in a loss of data which would have a substantial impact on our clients for whom we make payments.

This exemption is subject to the ‘public interest test’. Therefore, taking account of all the circumstances of this case, we have considered if the public interest in disclosing the information outweighs the public interest in applying the exemption. We have found that, on balance, the public interest lies in favour of upholding the exemption. We recognise that there is a public interest in disclosing information as part of open, transparent and accountable government, and to inform public debate. However we have found that on balance, the public interest lies in favour of upholding the exemption. This is because there is greater public interest in ensuring, the security of our cyber systems, maintaining the security of our data, that the Scottish Government is able to pay benefits effectively and that our clients receive our payments and services as planned without disruption.

An exemption under section 38(1)(b) of FOISA (personal information) applies to a small amount of the information requested because it is personal data of a third party, i.e. names/contact details of individuals, and disclosing it would contravene the data protection principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act 2018. This exemption is not subject to the ‘public interest test’, so we are not required to consider if the public interest in disclosing the information outweighs the public interest in applying the exemption.

In order to advise and assist you I am able to provide the following information –

Within Social Security Scotland there are three high-level technology estates to consider in relation to the Cyber Essentials Plus accreditation. The first of these is the SCOTS shared service we utilise from ITECS. This covers the network, infrastructure services including domain user accounts, email and internet, plus endpoint computing devices such as laptops and mobile devices. This estate is Cyber Essentials Plus accredited.

The second technology estate consists primarily of Amazon Web Services (AWS) cloud hosting and supporting cloud hosted applications and platforms. This is a complex cloud environment
which has expanded over time to accommodate the delivery of benefits.

The third technology estate consists of MacBook devices which are used to manage the AWS estate.

In 2022 the Cyber Essentials Plus scheme was revised. This resulted in the requirement for the AWS estate to be in scope for any future assessments. Given this, the suitability of Cyber Essentials Plus, as an appropriate security assurance approach was reviewed. This review took place over a number of months and different discussions rather than as a formalised process. In line with the revision of the Scottish Government’s Cyber Resilience Framework, options are now being assessed as to an alternative and more appropriate form of independent assurance for both the AWS and MacBook estates.

In relation to the question asked in regards to the records relating to the rationale, discussions and decision to explore an alternative form of independent assurance, no formal records exist. However, as the result of a robust investigation the following documents were found to document parts of this decision making process.

An email showing discussion held on the appropriate strategic direction for gaining independent assurance including Cyber Essentials Plus.	Document 1
This email highlights discussions ongoing to ensure that security assurance activities were in place for all target environments and capturing of risks.	Document 2
An assessment of the MacBook estate was conducted based on the CIS Basic Controls Framework in preparation for a potential renewal of the Cyber Essentials Plus accreditation.	Document 3
A self-assessment spreadsheet in relation to Cyber Essentials Plus accreditation.	Document 4
Compliance report documenting the remediation activity which would be required to achieve Cyber Essentials Plus accreditation.	Document 5
An email chain showing discussions held around security in the MacBook estate.	Document 6
An email discussing decision making around Cyber Essentials Plus and the MacBook estate.	Document 7
An email discussing the Cyber Essentials Plus Accreditation scan and scope.	Document 8
An assessment of the MacBook estate was conducted based on the CIS Basic Controls Framework in preparation for a potential renewal of the Cyber Essentials Plus accreditation.	Document 9

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses.

FOI - 202300385503 - Information released - Annex 1-9

File type

PDF

File size

2.1 MB