FOI request detail

Audits- Payment Operations & Assurance team, Technology & Data

Request ID: FOI-0431-2122
Date published: 28 June 2021

You asked

Dear TfL team,

Can you please confirm:

1. Types and/or names of audits managed by Payment Operations & Assurance team (part of Technology & Data department) and their frequency (e.g. annual/ monthly etc.);

2. Since 1 January 2020, how many of those audit results included failures and/ or highlighted gaps in maintaining sufficient controls of processes regarding access to systems and/ or data protection (including, but not limited to, leavers/movers from/to this team)? Clarification: I am not requesting details that would be considered personal data, but aggregate numbers of failures/ incidents/ confirmed breaches and your categorisation of those.

3. Assuming there were failures/ incidents/confirmed breaches, can you confirm how many of those involved investigations by your Cybersecurity team linked to the audit failures in question? (period remains the same, i.e. since 1 January 2020) Clarification as above: aggregate data/numbers and not personal data is requested.

4. How many of those failures/ incidents/confirmed breaches have been reported to the police and/or the Information Commissioner's Office? Clarification as above: aggregate data/numbers and not personal data is requested.

Sincerely

We answered

Our Ref: FOI-0431-2122

Thank you for your request received on 1 June 2021 asking for information about audits managed by the Payment Operations & Assurance Team.

Your request has been considered in accordance with the requirements of the Freedom of Information Act and our information access policy. I can confirm we do hold the information you require. You asked for:

1. Types and/or names of audits managed by Payment Operations & Assurance team (part of Technology & Data department) and their frequency (e.g. annual/ monthly etc.);

The Payment Operations & Assurance team conduct annual reviews of user access listings for external TfL supplier hosted systems containing TfL payment card financial data. We also have other access controls in place around the joiners/movers/leavers process for these systems. The team also manages two annual ISAE3402 engagements provided by a third party supplier, on behalf of the Train Operating Companies under various agreements, on the Contactless and Oyster PAYG systems.

2. Since 1 January 2020, how many of those audit results included failures and/ or highlighted gaps in maintaining sufficient controls of processes regarding access to systems and/ or data protection (including, but not limited to, leavers/movers from/to this team)?

Clarification: I am not requesting details that would be considered personal data, but aggregate numbers of failures/ incidents/ confirmed breaches and your categorisation of those.

In accordance with the FOI Act we are not obliged to supply this information as it is subject to a statutory exemption to the right of access to information under section 24 (National security) and section 31(1) (Prevention and detection of crime). We believe releasing the results of these reviews and the details of these controls and any gaps identified from these reviews would open TfL to security risks and the potential for attacks by criminals and organised crime.

The London transport network is a critical piece of national infrastructure and as such we employ rigorous safeguards to protect it from cyber-attack. Like other organisations we are subject to regular attempted cyber-attacks. These attacks are unlawful under the Computer Misuse Act, and whilst the motive is not always apparent, we are aware of the risk to critical national infrastructure that may result from a successful attack.

Whilst we make no suggestion that you would use this information for anything other than your own personal interest, disclosure of this information to you has to be regarded as a disclosure to 'the public at large'. This information could potentially be obtained and utilised by individuals who may wish to use this information to cause disruption or harm to the network.

We consider that releasing the requested information would be likely to prejudice our efforts to prevent and detect future attacks and undermine our ability to safeguard the network.

The use of these exemptions is subject to an assessment of the public interest in relation to the disclosure of the information concerned. We recognise the need for openness and transparency by public authorities, but in this instance we consider that there is greater public interest in safeguarding our information systems and protecting the integrity of the network.

3. Assuming there were failures/ incidents/confirmed breaches, can you confirm how many of those involved investigations by your Cybersecurity team linked to the audit failures in question? (period remains the same, i.e. since 1 January 2020)

Clarification as above: aggregate data/numbers and not personal data is requested.

As per 2 above; however, any confirmed breaches would be reported to the TfL cybersecurity team if deemed appropriate or required.

4. How many of those failures/ incidents/confirmed breaches have been reported to the police and/or the Information Commissioner's Office?

As per 2 above; however, any confirmed breaches would be reported to the police and to the ICO if deemed appropriate or required by law.

If this is not the information you are looking for please feel free to contact me.

If you are considering submitting a further FOI request please think carefully about whether the request is essential at this current time, as answering FOI requests will require the use of limited resources and the attention of staff who could be supporting other essential activity. Where requests are made, please note that our response time may be impacted by the current situation.

Please see the attached information sheet for details of your right to appeal.

Yours sincerely

Gemma Jacob
Senior FOI Case Officer
FOI Case Management Team
General Counsel
Transport for London