You asked
Behind every IT system, in the backend, there are plenty of “configuration items”, “environment metadata” or “business critical information”.
For example, you may have an ERP system which will have 30 configuration items:
Name of Administrator, password of Administrator, how the ERP system connects to the database (user/pass), details of the database, encryption keys, URL of the console which manages the ERP system, etc. If the ERP system is installed on 5 environments, in the current example you will have in total 30 * 5 = 150 configuration items.
Obviously that number can grow significantly with the size of the organization and the number of the computer systems which the organization has.
I would like to understand how your organization keeps the configuration of IT environments.
I have outlined below typical methods in most organizations which I know. Please provide me information on each method, if possible.
1. | | YES | NO |
---|---|---|---|
1.1 | Do you store the configuration of environments which I describe above, or part of it, in an Excel spreadsheet? | ||
1.2 | If the answer for 1.1 is yes, do you encrypt the file? | ||
3 | Do you store in notepads? | ||
4 | Do you store the information on Intranet? | ||
5 | Do you store the information in emails? | ||
6 | Do you store the information on physical papers? | ||
7 | Do some of your employees memorize that information (i.e. it is not documented anywhere)? | ||
8 | Do you store the information in SharePoint? | ||
9 | Do you store the information in a wiki? | ||
10 | If there are other methods, please provide: | ||
11 | Do you have full control of who accesses that critical information? | ||
12 | Do you have a log of whoever has looked at that information? | ||
13 | Do you have a log of whoever changes the configurations? | ||
14 | If the information has been changed, do you have a record of previous values (history)? | ||
15 | Do you use encryption keys (private/public keys)? | ||
16 | If the answer to 14 is Yes, then where do you manage the encryption keys or information from type of files? | ||
17 | Do you have environments on the public cloud? (Out of premise) | ||
18 | Do you have a central, secured system to manage the configurators? | ||
19 | Do you have a situation where only one employee holds that critical information? | ||
20 | Do you have a golden source for that information? I.e. one central location, or does the information reside in a few copies (Excel, servers (for scripting), etc.)? | ||
21 | Do you use the configuration for dev-ops processes? | ||
22 | If you use files to store the environment metadata information, where do you store those files? Is it on a shared folder, laptops, desktops, etc.? | ||
23 | When an administrator changes the password or configuration of an item in the development environment, for example, will he/she share that information with the developer via email? | ||
24 | If not, how would he notify the developers of the change? | ||
25 | Can you outline please, in a very high level what kind of information is stored in your systems in its level of confidentiality? |
We said
Thank you for your request.
We consider that disclosing the requested information would provide would-be hackers a target to aim at and an unfair understanding of how we manage our IT estate. Release of the information would provide assistance to anyone wishing to launch a viral attack on departmental IT systems. As such we believe the information requested is exempt under s.31(1)(a) - the prevention or detection of crime. To use this exemption we are required to consider the public interest test, and whilst we note there are public interest arguments in favour of transparency and disclosure we have decided that these are outweighed by other public interest factors that are in favour of non-disclosure. Principally we consider that release of the information requested would prejudice our ability to maintain and run a secure and safe IT network. This is an essential function for all government departments and is particularly important for ONS which processes personal and economic information on its systems.