Cyber Security at TfL
Request ID: FOI-1935-1920
Date published: 25 October 2019
You asked
Good morning
I read with interest on the BBC website, the recent security incident where some 1,200 customers had their online Oyster card accounts hacked. Cyber security risks are certainly becoming more prevalent and both the information and operational infrastructure is critical to the safe running of London.
I am sure TfL is employing the most talented, experienced and qualified cyber security professionals to lead its cyber security teams. However, this incident concerns me and I would like to know some more about how well protected TfL is.
Please answer the following questions.
1. How many people do TfL employ in their cyber security function?
2. How many people has TfL employed within its cyber security function, within the last 12 months?
3. How many people have left their role in TfL’s cyber security function, within the last 12 months?
4. Do Transport for London have a person undertaking the position of Chief Information Security Officer (CISO) or the equivalent role, in either a permanent, contracted, fixed-term or secondment capacity?
5. Does TfL’s CISO (or equivalent), hold professional industry recognised security qualifications and certifications? (i.e, CISSP, CISM, OSCP)
6. What is the salary range of the person undertaking or acting in the role of CISO at TfL, as this information was strangely absent from last data transparency report that TfL published?
7. Who at Transport for London is currently undertaking the role of Security Operations Centre (SOC) Manager (or equivalent), in either a permanent, contracted, fixed-term or secondment capacity?
8. Does TfL’s Security Operations Centre (SOC) Manager (or equivalent) hold the relevant professional cyber security qualifications and certifications for such a role? (i.e, CISSP, CISM, OSCP)
I hope you can put my mind at rest and provide full answers to all my questions.
Kindest of regards
We answered
TfL Ref: FOI-1935-1920
Thank you for your request received by Transport for London (TfL) on 29th September 2019 asking for information about our cyber security.
Your request has been considered in accordance with the requirements of the Freedom of Information Act and our information access policy.
I can confirm that we hold the information you require. Your questions are answered in turn below.
Question 1. How many people do TfL employ in their cyber security function?
Answer: 19 people are employed as of today’s date.
Question 2. How many people has TfL employed within its cyber security function, within the last 12 months?
Answer: 25 people have been employed within the last 12 months.
Question 3. How many people have left their role in TfL’s cyber security function, within the last 12 months?
Answer: 6.
Question 4. Do Transport for London have a person undertaking the position of Chief Information Security Officer (CISO) or the equivalent role, in either a permanent, contracted, fixed-term or secondment capacity?
Answer: Yes.
Question 5. Does TfL’s CISO (or equivalent), hold professional industry recognised security qualifications and certifications? (i.e, CISSP, CISM, OSCP)
Answer: The CISO does not hold any security qualifications or certificates. Note that the Job Description for the role does not specifically require the post-holder to have such qualifications. Note also that a range of certificates are held across the wider cyber-security function, including but not limited to:
- Global Information Assurance Certification (GIAC) Global Industrial Cyber Security Professional;
- Certified Ethical Security Manager – CEH;
- Global Information Assurance Certification (GIAC) - Defending Advanced Threats;
- Global Information Assurance Certification (GIAC) - Penetration Tester;
- Cisco Certified Network Associate Routing and Switching (CCNA);
- Global Information Assurance Certification (GIAC) Security Essentials Certification;
- Global Information Assurance Certification (GIAC) Critical Controls Certification, and;
- Global Information Assurance Certification (GIAC) Response and Industrial Defence
A range of SANS Institute (Escal Institute of Advanced Technologies) certifications are also held across the team.
Question 6. What is the salary range of the person undertaking or acting in the role of CISO at TfL, as this information was strangely absent from last data transparency report that TfL published?
Answer: The salary range is £80-85k.
Question 7. Who at Transport for London is currently undertaking the role of Security Operations Centre (SOC) Manager (or equivalent), in either a permanent, contracted, fixed-term or secondment capacity?
Answer: TfL does not have a “Security Operations Centre Manager” post. The closest equivalent is the Cyber Security Enterprise Vulnerability & Response Manager. In accordance with our obligations under Data Protection legislation, the name of the post-holder is being withheld, as required by section 40(2) of the FOI Act. This is because disclosure of this personal data would be a breach of the legislation, specifically the first principle of Article 5 of the General Data Protection Regulation which requires all processing of personal data to be fair and lawful. It would not be fair to disclose this personal information when the individuals have no expectation it would be disclosed and TfL has not satisfied one of the conditions which would make the processing ‘fair’.
Question 8. Does TfL’s Security Operations Centre (SOC) Manager (or equivalent) hold the relevant professional cyber security qualifications and certifications for such a role? (i.e, CISSP, CISM, OSCP)
Answer: The interim Cyber Security Enterprise Vulnerability & Response Manager does not hold security certification. As noted above, a range of certificates are held across the wider cyber-security function.
If this is not the information you are looking for, or if you are unable to access it for any reason, please do not hesitate to contact me.
Please see the attached information sheet for details of your right to appeal as well as information on copyright and what to do if you would like to re-use any of the information we have disclosed.
Yours sincerely,
David Wells
FOI Case Officer
FOI Case Management Team
General Counsel
Transport for London
Back to top
