MHRA IT Security Strategy Freedom of Information Request (FOI 21/1270)
December 9, 2021
Thank you for your email.
We can only partially answer questions 1 and 2; the rest of the information is exempt under section 31 of the FOI Act for the following reasons:
The Agency, like any organization, is subject to cyberattacks and since it holds large amounts of sensitive, personal and confidential information, maintaining the security of this information is extremely important. Cyberattacks, which can be criminal offences, for example under the Computer Misuse Act 1990 or the Data Protection Act 1998, are classified as a Level 1 threat by the UK government.
In this context, providing the requested information would provide information about the Agency’s information security systems and its resistance to cyber attacks. There is a very strong public interest in ensuring that the Agency’s information systems are not subject to cyberattacks. Providing the type of information requested would likely provide attackers with information about the state of our cybersecurity defenses, which is not in the public interest.
1. Do you have a formal IT security policy? (Please provide a link to the strategy)
2. Does this policy specifically address monitoring the configurations of network-connected devices to identify any malicious or non-malicious changes to device configuration?
I hope you find this information useful.
If you have a question about this, please reply to this email.
If you are not satisfied with the handling of your request, you have the right to request an internal review. Requests for internal review should be submitted within two months of the date you receive this response and addressed to: [email protected]. Due to the current Covid-19 situation, we are unable to accept delivery of documents or correspondence by post or courier to any of our offices. Remember to quote the above reference number in all future communication.
Should you remain unsatisfied with the outcome of the internal review, you would have the right to request a decision directly from the Information Commissioner. Please keep in mind that the Information Commissioner will not normally review our handling of your request unless you have first contacted us to conduct an internal review. The Information Commissioner can be contacted at:
Information Commissioner’s Office
MHRA Customer Service Center