Information around devices supplied to Ministers: FOI release

Information request and response under the Freedom of Information (Scotland) Act 2002.


Information requested

Q1. What types of Government supplied devices are used by Government Ministers (including the First Minister) and Cabinet Secretaries?

Q2. What applications are allowed to be installed on these devices? For example, Microsoft Word, Scotrail Timetable, Microsoft Outlook & Teams, iMessage or WhatsApp?

Q3. What systems are used to manage and secure them? For example, Microsoft Intune and Microsoft 365 Defender for Endpoint?

Q4. What access do these devices have to Government intranet and file systems and are enhanced functions such as copying and pasting between applications permitted?

Q5. If personal devices are allowed access to Government systems, and if so, are policies such as minimum OS Level (such as iOS 16 or Android 13) and remote wiping implemented?

Q6. Are personal accessories to their devices, either Government supplied or Personal, allowed to be connected (thinking specifically of an Apple or Samsung Galaxy Watch) and allow notifications and/or display of Government related emails?

Q7. How many Government issued mobile devices have been lost/stolen since 2018?

Q8. How many Security breaches have been reported, since 2014, that related to compromised Government or Personal mobile devices?

Q9. Would you be able to provide a copy of the various policies regarding the use of both Government supplied and Personal mobile devices?

Q10. What training and/or education do MSPs receive with regard to Data Security?

Q11. How is Data Security managed within Constituency Offices?

Response

My response to your request is provided below.

Q1. What types of Government supplied devices are used by Government Ministers (including the First Minister) and Cabinet Secretaries?

Scottish Government Ministers are provided with a Government supplied corporate laptop, tablet or mobile phone.

Q2. What applications are allowed to be installed on these devices? For example, Microsoft Word, Scotrail Timetable, Microsoft Outlook & Teams, iMessage or WhatsApp?

All laptops are issued with a corporate suite of applications. Any additional software can be requested through our software catalogue.

There is no defined list of applications that are allowed to be installed on corporate mobile phones and tablets. These devices allow users to install ‘personal business applications’. Installation of any personal business applications is covered by the SG’s IT Code of Conduct and Mobile Services Employee Agreement. A personal business application is one that directly or indirectly supports the business of Scottish Government.

Q3. What systems are used to manage and secure them? For example, Microsoft Intune and Microsoft 365 Defender for Endpoint?

While our aim is to provide information whenever possible, in this instance an exemption under section 30(c) of FOISA (prejudice to effective conduct of public affairs) applies to your request. Disclosing this information would substantially prejudice our ability to carry out the effective conduct of public affairs. Providing details about the information you have requested into the public domain could subsequently be used by threat actors, building a picture of our security capability, to evade any controls we might or might not have in place. This could therefore enable them to target specific types of attack or data exfiltration methods and would constitute substantial prejudice to the effective conduct of public affairs.

Q4. What access do these devices have to Government intranet and file systems and are enhanced functions such as copying and pasting between applications permitted?

Any mobile phone or tablet managed by our Mobile Device Management system is able to access the Government Email and Intranet systems.

Q5. If personal devices are allowed access to Government systems, and if so, are policies such as minimum OS Level (such as iOS 16 or Android 13) and remote wiping implemented?

Scottish Government mandates that officials requiring access to selected corporate systems or corporate information are required to do so by means of a Corporately Owned Privately Enabled device provided by Scottish Government.

Q6. Are personal accessories to their devices, either Government supplied or Personal, allowed to be connected (thinking specifically of an Apple or Samsung Galaxy Watch) and allow notifications and/or display of Government related emails?

Our Mobile Device Management policies prevent the connection of personal accessories to the corporate mobile phones and tablets. Personal accessories are not supplied.

Q7. How many Government issued mobile devices have been lost/stolen since 2018?

In calendar years 2018, 2019, 2021 and 2022 (to date) a total of 123 mobile phones have been recorded as lost.

In calendar years 2018, 2019, 2021 and 2022 (to date) a total of 7 mobile phones have been recorded as stolen.

Q8. How many Security breaches have been reported, since 2014, that related to compromised Government or Personal mobile devices?

Scottish Government will not comment on any specific cyber security incidents or attempts made to compromise Scottish Government mobile or other electronic devices.

While our aim is to provide information whenever possible, in this instance an exemption under section 30(c) of FOISA (prejudice to effective conduct of public affairs) applies to your request. Disclosing this information would substantially prejudice our ability to carry out the effective conduct of public affairs. Providing details about the information you have requested into the public domain could subsequently be used by threat actors, building a picture of our security capability, to evade any controls we might or might not have in place. This could therefore enable them to target specific types of attack or data exfiltration methods and would constitute substantial prejudice to the effective conduct of public affairs.

Q9. Would you be able to provide a copy of the various policies regarding the use of both Government supplied and Personal mobile devices?

The Scottish Government IT Code of Conduct is provided in Annex A. The Scottish Government Mobiles Services Employee Agreement is provided in Annex B.

Q10. What training and/or education do MSPs receive with regard to Data Security?

Q11. How is Data Security managed within Constituency Offices?

These questions should be directed to the Scottish Parliament, whose staff support MSPs and their constituency staff. You can email the Parliament via info@parliament.scot. In relation to questions 10 and 11, this is a formal notice under section 17(1) of FOISA that the Scottish Government does not have the information you have requested.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses.

FOI - 202200329558 - Annex A-B

Contact

Please quote the FOI reference
Central Enquiry Unit
Email: ceu@gov.scot
Phone: 0300 244 4000

The Scottish Government
St Andrews House
Regent Road
Edinburgh
EH1 3DG
