You asked

Please provide responses to the following questions:

  1. Are you aware of the Minimum Cyber Security Standard, published 25th June 2018?

    a. Yes
    b. No

  2. What is your annual dedicated budget for cybersecurity (including personnel and technology)?

    a. £10,000 or less
    b. £10,001 - £50,000
    c. £50,001 - £100,000
    d. £100,001 - £500,000
    e. £500,001 - £1,000,000
    f. £1,000,001 - £5,000,000
    g. £5,000,001 - £10,000,000
    h. £10,000,001 or more

  3. Approximately how many cyber-attacks (of any kind) have you experienced in your organisation in these 12-month periods?

    None 1 – 50 50 – 100 100 – 200 200 – 500 500 -1000 1000+
    1st January 2017 – 31st December 2017
    1st January 2018 – 31st December 2018
  4. Which of the following attack / cybersecurity threat types have been detected by your organisation? [Select all that apply]

    a. Hacking
    b. Phishing
    c. Malware
    d. Ransomware
    e. Accidental/careless insider threat
    f. Malicious insider threat
    g. Foreign governments
    h. Crypto mining
    i. Other, please specify: _______________

  5. Which of the following form part of your cybersecurity defence technology strategy? [Select all that apply]

    a. Firewall
    b. Antivirus software
    c. Network device monitoring
    d. DNS filtering
    e. Malware protection
    f. Log management
    g. Network configuration management
    h. Patch management
    i. Network traffic analysis
    j. Multi-factor authentication
    k. Network perimeter security solutions
    l. Employee training (whole organisation)
    m. Employee training (IT team)
    n. Other, please specify: ___________

  6. Which of these obstacles has your organisation experienced in maintaining or improving IT security? [Select all that apply]

    a. Competing priorities and other initiatives
    b. Budget constraints
    c. Lack of manpower
    d. Lack of technical solutions available at my agency
    e. Complexity of internal environment
    f. Lack of training for personnel
    g. Inadequate collaboration with other internal teams or departments
    h. Other, please specify: _______________

We said

Thank you for your request.

Here are the responses to your questions:

  1. Yes

  2. f. £1,000,001 - £5,000,000

  5. Which of the following form part of your cyber security defence technology strategy?

All items listed form part of our strategy.

  3/4/6. We do not disclose this information.

We consider that disclosing the requested information would provide hackers with a target to aim at and an unfair understanding of how we manage our IT estate. Release of the information would provide assistance to anyone wishing to launch a viral attack on departmental IT systems. As such we believe the information requested is exempt under s.31(1)(a) - the prevention or detection of crime. To use this exemption we are required to consider the public interest test, and whilst we note there are arguments in favour of transparency and disclosure we have decided that these are outweighed by other public interest factors that are in favour of non-disclosure. Principally we consider that release of the information requested would prejudice our ability to maintain and run a secure and safe IT network. This is an essential function for all government departments and is particularly important for ONS which processes personal and economic information on its systems.