Skip to main content

211105 – Cloud based office suite system.

< Back

Ref: FOI/21105

RE: FREEDOM OF INFORMATION ACT 2000 REQUEST

West Midlands Fire Service has now completed its search for the information requested on 1st September 2021.

Please find below a summary of our findings.

Request.

  1. Does your organisation use a cloud based office suite system such as Google Workspace (Formerly G Suite) or Microsoft’s Office 365?
    1. If yes is this system’s data independently backed up, separately from that platform’s own tools?

Reply

This information is exempt under section 21 of the Freedom of Information Act 2000 as this information is reasonably accessible to the requestor. Information concerning our cloud-based office suite can be found on West Midlands Fire Service website at the following link:

https://www.wmfs.net/foi-entry/20031/

https://www.wmfs.net/foi-entry/21069-cloud-hosting/

Request.

  1. In the past three years has your organisation:
    1. Had any ransomware incidents? (An incident where an attacker attempted to, or successfully, encrypted a computing device within your organisation with the aim of extorting a payment or action in order to decrypt the device? )
      1. If yes, how many?
    2. Had any data rendered permanently inaccessible by a ransomware incident (i.e. some data was not able to be restored from back up.)
    3. Had any data rendered permanently inaccessible by a systems or equipment failure (i.e. some data was not able to be restored from back up.)
    4. Paid a ransom due to a ransomware incident / to obtain a decryption key or tool?
      1. If yes was the decryption successful, with all files recovered?
    5. Used a free decryption key or tool (e.g. from https://www.nomoreransom.org/)?
      1. If yes was the decryption successful, with all files recovered?
    6. Had a formal policy on ransomware payment?
      1. If yes please provide, or link, to all versions relevant to the 3 year period.
    7. Held meetings where policy on paying ransomware was discussed?
    8. Paid consultancy fees for malware, ransomware, or system intrusion investigation
      1. If yes at what cost in each year?
    9. Used existing support contracts for malware, ransomware, or system intrusion investigation?
    10. Requested central government support for malware, ransomware, or system intrusion investigation?
    11. Paid for data recovery services?
      1. If yes at what cost in each year?
    12. Used existing contracts for data recovery services?
    13. Replaced IT infrastructure such as servers that have been compromised by malware?
      1. If yes at what cost in each year?
    14. Replaced IT endpoints such as PCs, Laptops, Mobile devices that have been compromised by malware?
      1. If yes at what cost in each year?
    15. Lost data due to portable electronic devices being mislaid, lost or destroyed?
      1. If yes how many incidents in each year?

Reply

Q1 (a – o)

West Midlands Fire Service has not had any ransomware incidents in the last 3 years. Therefore, we do not hold any information that answers the above listed and is covered by Section 1 of the Freedom of Information Act 2000.

Request.

  1. Is an offsite data back-up a system in place for the following? (Offsite backup is the replication of the data to a server which is separated geographically from the system’s normal operating location site.)
    1. Mobile devices such as phones and tablet computers
    2. Desktop and laptop computers
    3. Virtual desktops
    4. Servers on premise
    5. Co-located or hosted servers
    6. Cloud hosted servers
    7. Virtual machines
    8. Data in SaaS applications
    9. ERP / finance system
    10. We do not use any offsite back-up systems
  1. Are the services in question 3 backed up by a single system or are multiple systems used?
  2. Do you have a cloud migration strategy? If so is there specific budget allocated to this?
  3. How many Software as a Services (SaaS) applications are in place within your organisation?
    1. How many have been adopted since January 2020?

Q2 -6

As a major emergency service provider, you will appreciate that we must ensure that our systems are appropriately protected. Releasing detailed information about our IT systems and infrastructure in response to your request and other similar requests under Freedom of Information has wider implications that we must consider.  By this we mean that disclosing this information may prejudice our ability to maintain our own and national security. We believe that maintaining security and ensuring public safety in a national and local context takes precedence over this request.

We accept that this type of information is of interest to commercial companies and to researchers but believe that it is not in the greater public good to release detailed information.

We do not imply that release of this information alone would necessarily be immediately detrimental but taken with other information we consider that it could have an adverse effect on our capability, effectiveness, and security. Given the current security climate in the UK we recognise the necessity to take a precautionary approach. In this situation, we have also taken account of whether the release of this information, could, if put together with other available information, cause damage. After consideration, we concluded that this type of information cannot be divorced from its context and looked at in isolation. In some circumstances, releasing this information could give rise to prejudice that would not otherwise have existed, because, taken together with other information requested, it could disclose a composite of information that is more sensitive than its individual parts taken separately.

We are therefore refusing your request under several Freedom of Information exemptions, s24 National Security, s36 Effective conduct of public affairs, s44 Prohibition on Disclosure.

In taking this decision we have taken note of the Centre for Protecting the National Infrastructure Guidance on disclosure of sensitive information, which states

“…. that national security is paramount and should be considered carefully in any government or commercial decision to release or disseminate information to the public”.

This guidance continues to state that careful consideration must be given before disclosing ‘precise information which exposes an organisation’s information or process control systems to the threat of electronic attack’.

Some of these exemptions are subject to the public interest test. This means that we must consider whether the public interest in releasing the information outweighs the public interest in refusing to disclose it. We have considered that it is in the interest of the majority of the public to protect our systems from potential harm, in order to support us to ensure public safety. We have also decided that the likelihood of damage to our systems need not be immediate as the impact would, in an emergency situation, be potentially serious.

We also considered whether the release of this information is in the public interest in terms of explaining our decisions, ensuring accountability, or providing transparency into our handling of public finances. We have concluded that the detail of this information is not necessary to meet the public interest or reassure public concerns. As a result, we have decided that the public interest is better served by not disclosing this detailed information.”

If you have any queries about this freedom of information request, please contact us.  Please remember to quote the reference number above in any future communications.

For service complaints, issues, or comments regarding this request please contact The Public Relations Department, West Midlands Fire Service, 99 Vauxhall Road, Birmingham, B7 4HW

Further information concerning Freedom of Information requests can be found on the Information Commissioner website at either the following link: https://ico.org.uk/ or at Wycliffe House, Water Lane, Wilmslow, SK9 5AF.

 

Accessibility