FOI reference: FOI/17/02900
Date received: 6 November 2017
Date responded: 4 December 2017
Information on IT systems activity within the Scottish Government subsequent to the Brexit vote of 2016.
Data on activity undertaken between Friday 24th June 2016 and Friday 3rd November 2017 (inclusive) and raised a number of questions which I will answer in turn.
The Scottish Government offer ICT Services, including hosting and infrastructure for the wider Scottish Public Sector under a shared service agenda called SCOTS Connect. The figures supplied in this response relate to the Scottish Government as well as Agencies and Non Departmental Public Bodies (NDPB) who take services from us and includes servers we host and/or manage in our Datacentre on behalf of these organisations. A list of Agencies and NDPB's who take such services are appended in Annex A.
Q1. You asked how many outside personnel (e.g. non-permanent employees such as contractors or freelancers) have been provided with access to internal department systems and applications.
A1. We do not hold records for the exact dates requested but can confirm the following numbers of non-permanent staff for the dates supplied below. At a minimum, all staff will have access to basic Scottish Government desktop services.
812 non-permanent employees in the Scottish Government
512 non-permanent employees in Agencies and NDPB's
785 non-permanent employees in the Scottish Government
712 non-permanent employees in Agencies and NDPB's
Q2. You asked whether outside personnel are provided with the same safety and security training as permanent personnel.
A2. All staff using SCOTS Connect services, including temporary and contractual staff, must complete mandatory eLearning packages on data protection and information security.
Q3. You asked how many employees (either permanent or temporary) that have worked in a system administrator role have left the department?
A3. The overall headcount figures of staff employed as ICT System Administrators has remained the same within the dates stipulated.
Q5. You requested the numbers of servers in operation within the Scottish Government between 24th June 2016 and Friday 3rd November 2017.
A5. It is not possible to give server numbers for all the dates requested. However, we can provide the number of servers on SCOTS Connect for dates we do have records for. These are as below.
1 February 2017 - 327 Physical Servers, 2496 Virtual Servers
3 November 2017 - 342 Physical Servers, 2593 Virtual Servers
Q6. Finally, you asked what policies do you have in place regarding the auditing and monitoring of privileged access to department systems.
A6. Whilst we endeavour to provide you with the information you have requested in the instance of protective monitoring and privileged access auditing we are exempt from providing this information under section 30(c) of FOISA (prejudice to effective conduct of public affairs) applies your request.
Disclosing this information would substantially prejudice our ability to protect government assets and digital information. Providing specific details about the auditing we have in place around privileged access and protective monitoring could subsequently be used by attackers or hackers circumvent these defences. This could therefore enable them to target other types of attack or specific components of our defences and would constitute substantial prejudice to the effective conduct of public affairs in terms of the exemption.
Reasons for not providing information
This exemption is subject to the 'public interest test'. Therefore, taking account of all the circumstances of this case, we have considered if the public interest in disclosing the information outweighs the public interest in applying the exemption. We have found that, on balance, the public interest lies in favour of upholding the exemption. We recognise that there is a public interest in disclosing information as part of open, transparent and accountable government. However, there is a greater public interest in protecting government information systems from attack or compromise and ensuring that the Scottish Government is able conduct its business effectively.
There is also greater public interest in ensuring that ensuring that any identified vulnerabilities could not be used to attack Scottish Government systems that hold information entrusted to us by the citizens for whom we provide online services, and for whom we also have responsibilities under the Data Protection Act to protect personal information.
The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses
Please quote the FOI reference
Central Enquiry Unit
Phone: 0300 244 4000
The Scottish Government
St Andrew's House